Mattel, Viacom, Hasbro Accused Of Tracking Kids’ Online Behavior

When your child uses a kid-targeted website for Barbie, Dora the Explorer, Neopets, Nerf, or Nickelodeon, federal law limits what information can be collected. But an investigation by the New York state attorney general found that some of the biggest names in toys and kids’ entertainment were violating that law by collecting information from their young users without authorization, and by allowing third parties to track users’ behavior across the internet.

The Children’s Online Privacy Protection Act (and the resulting COPPA Rule from the Federal Trade Commission) requires that websites targeted to children under the age of 13 obtain parental authorization before collecting personal information about their young users.

The rule also states that the operator of a kid-targeted site should only share this collected data with “service providers and third parties who are capable of maintaining the confidentiality, security and integrity of such information, and who provide assurances that they will maintain the information in such a manner.”

However, according to NY Attorney General Eric Schneiderman, kid-focused websites operated by Viacom (Nickelodeon, Nick Jr.), Mattel (Barbie, Hot Wheels, American Girl), JumpStart (Neopets), and Hasbro (My Little Pony, Littlest Pony Shop, Nerf) played fast and loose with COPPA, collecting information on kid users without parental authorization and sharing this data with third parties that tracked the youngsters as they continued to browse the web.

“Many of the sites that are home to our most popular toys and TV shows are littered with technology that could track virtually every move the child makes,” said Schneiderman at a Tuesday morning press conference.

For example, the AG’s office says that a number of third-party ads on the Nickelodeon and Nick Jr. sites used tracking technology to provide targeted advertising to kids.

Likewise, Mattel used tracking tech from a third-party data broker on sites for products like Barbie, Hot Wheels, Fisher-Price, Monster High, Ever After High, and Thomas & Friends. While the tracking system had legitimate, allowed uses like measuring site traffic, Schneiderman says it was also used for the prohibited purpose of tracking, profiling, and providing targeted advertising.

The folks at Neopets installed a Facebook plugin on their site, but failed to notify Facebook that the site was for children. Thus, the plugin did what it does on non-COPPA sites: tracked information for serving behavioral advertising.

A lot of the companies’ errors appear to be based on either ignorance or confusion about the rules. Viacom did not think it was doing anything wrong by serving up non-COPPA-compliant ads and tracking on the homepages for some of its sites because it considered them to be more parent-targeted than aimed at kids. However, as Schneiderman’s office pointed out, COPPA requires that website operators treat mixed-audience pages as child-directed.

During the press conference, the AG said that “in some cases, the companies were not even aware that this tracking tech was even there,” but ignorance is no excuse under COPPA.

As the FTC makes clear in this FAQ about the COPPA Rule, website operators “are responsible for the collection of personal information from your users, no matter who is doing the collection.”

So it’s a good idea for operators of these sites to proactively make sure their third-party providers are COPPA-compliant before they too end up the subject of a press conference.

Schneiderman says that when his office confronted each of the companies with the results of Operation Child Tracker, they all responded immediately and began working to change their practices.

To settle these allegations with the state, the companies have agreed to pay a total of more than $800,000 in penalties and make reforms in their data collection practices.

Viacom faces the biggest penalty ($500,000), followed by Mattel ($250,000), and then JumpStart ($85,000). Hasbro will not pay anything, but has agreed to the same policy changes as the others.

Those changes include conducting regular scans to make sure that third parties are not tracking users’ behavior on these for-kids sites; disclosing to parents which sites have been deemed safe from tracking; and vetting third-party providers for COPPA compliance.

“Federal law demands that children are off-limits to the prying eyes of advertisers,” said Schneiderman about the settlements. “Operation Child Tracker revealed that some of our nation’s biggest companies failed to protect kids’ privacy and shield them from illegal online tracking.”