The ”Act To Prevent Predatory Marketing Practices against Minors“, prohibits companies from collecting personal information–such as name and e-mail address–from minors without receiving verifiable parental consent.  The restrictions are considerably broader than the federal Children’s Online Privacy Protection Act (“COPPA”), applying to information related to everyone under 18 (COPPA is limited to children under 13) and extending to such information collected offline as well as on.  

If enforced, it would have compelled sites with broad appeal to teenagers, like Facebook and MySpace, as well as news, education and other sites requiring registration, to verify the ages of users from Maine and then obtain permission from the parents of minors from the state.  In addition, the Maine Independent Colleges Association, argued that the law would prevent Maine colleges from sending marketing materials to prospective students without first obtaining consent from their parents.

Before the attorney general decided to not to enforce the law, a group of companies including online advocacy coalition NetChoice (whose members include AOL, eBay, IAC, NewsCorp and Yahoo!, among others), challenged it in federal court, alleging that it violated the First Amendment and Commerce Clauses of the US Constitution and is preempted by COPPA.  The suit was dismissed last week on consent of the parties when the AG announced her decision.  However, prior to granting the dismissal, the federal judge to whom the case was assigned indicated that he agreed with the plaintiff’s that the law is likely unconstitutional.

The law was originally focused on protecting the health-related information of those under 18 in an attempt to prevent pharmaceutical companies from using such information to market drugs to minors.  As the proposed bill passed through the Maine legislature, “personal information” was included in the marketing prohibitions. 

While the potential upheaval to many companies that would result from enforcement of the Maine law was real, it does not appear that this law is signaling a trend by the states to dramatically expand the coverage of their privacy laws.  In fact, the law’s author, Maine state senator Elizabeth Schneider, admitted that she intended the law to be limited to health-related information.  Apparently, the broader coverage was added with little notice or debate.

The Maine Senate’s judiciary committee is planning on reviewing the bill in the upcoming legislative session in order to enact amendments to address the concerns that have been raised.  However, while the attorney general’s office will not be enforcing the law until then, the private right of action remains on the books.  It is unclear whether any such suits brought could survive a constitutional challenge on the same grounds as those brought in the dismissed lawsuit.  But the specter of incurring costs to defend any such suits hangs over any company conducting business online since doing so on the internet means doing business in Maine.

COPPA requires website operators to meet specific requirements prior to collecting children’s personal information, including:

• posting a privacy policy with a notice of what information it collects from children and how it uses such information;
• obtaining verifiable parental consent prior to collecting, using or disclosing children’s information; and
• providing parents with the option to consent to the collection and internal use of their children’s information without consenting to disclosure to third parties.

The Act applies to any website that has actual knowledge it collects, uses and disclosed personal information from children. 

The FTC’s complaint alleges, among other things, that Sony BMG’s  over 1,100 music-related websites collect certain personal information upon registration, including e-mail addresses, birthdate, zip code and country.  Some of the sites also collected names, mobile phone numbers and full street addresses.  The sites offered a variety of features and functions including enabling registered users to create profile pages, post comments on message boards and receive e-mail notices. 

The FTC found that, despite the sites’ privacy policy advising children under 13 not to provide personally identifiable information and a representation that those under 13 would be restricted from certain features and functions, Sony BMG accepted registrations from users of all ages, including those indicating they were under 13, and enabled those users to freely use the sites.  The sites also enabled children under 13 to create user profile pages through which the children were able to interact with others, including adults.

The FTC alleged that Sony BMG violated COPPA by not clearly and accurately setting forth its policies for disclosing and using children’s information; failing to provide parents with notice of the information practices prior to collecting information; and failing to take steps to obtain verifiable consent from parents prior to collecting children’s information.

In addition to the fine, Sony BMG agreed to ensure future compliance with the COPPA provisions, as well as to include links to the FTC’s children’s privacy policy information page at www.ftc.gov/privacy/privacyinitiatives/childrens and the page containing social networking tips for parents at www.onguardonline.gov/socialnetorking.html.

The case is a reminder to all website operators of the importance of carefully crafting a comprehensive and thorough privacy policy.