The Federal Trade Commission (FTC) recently ordered Iconix Brand Group, Inc. to pay a $250,000 fine for violating the Children’s Online Privacy Protection Act (COPPA) and the FTC Act.  Iconix Brand Group, Inc., the owner of the Mudd, Candie’s, Bongo and OP clothing lines, required children on many of its brand-specific Web sites to provide personal information, such as full name, e-mail address, ZIP code, and in some cases mailing address, gender, and phone number – as well as date of birth – in order to receive brand updates, enter sweepstakes contests, and participate in interactive brand-awareness campaigns.  Iconix collected and stored the personal information of children without first notifying parents or obtaining their consent as required by COPPA.

COPPA generally requires an operator of a Web site targeted to children that is collecting personal data from children to notify parents and obtain their consent before collecting, using, or disclosing any such information.  This requirement also applies to general audience Web sites that have a separate children’s area.  Operators of these Web sites must also post a privacy policy that is clear, complete, and accurate.  Further, the FTC Act prohibits entities from making deceptive statements or misrepresentations.

The FTC found that Iconix Brand Group, Inc. had violated both the COPPA Rule and the FTC Act.  Iconix Brand Group, Inc. violated the COPPA Rule by (1) failing to provide sufficient notice on its Web sites of what information it collects online from children and how it uses such information; (2) failing to provide direct notice to parents of what information it collects online from children and how it uses such information; and (3) failing to obtain verifiable parental consent before any collection, use and disclosure of personal information from children.  Iconix Brand Group, Inc. also violated the FTC Act by knowingly collecting personal information in violation of its privacy policy from children without obtaining prior verifiable parental consent, and not deleting personal information collected from children when it became aware of it.  In fact, Iconix Brand Group, Inc. represented on its Web sites that it did not collect personal information from children without obtaining prior verifiable parental consent.

The settlement between the FTC and Iconix Brand Group, Inc. required the company to pay a $250,000 civil penalty and to delete all personal information collected and maintained in violation of COPPA. 

This FTC action demonstrates the importance of regulatory compliance with the laws and regulations that govern the collection of personal information from children.  Further, companies should ensure that the data collection practices do not violate their privacy policies. 

For further information and assistance with these issues, please contact:

Anthony V. Lupo
lupo.anthony@arentfox.com
202.857.6353

Matthew R. Mills
mills.matthew@arentfox.com
202.715.8582