The Washington Post


Iron Man, Captain America and Spider-Man greet visitors to Disney’s MarvelKids.com website, but parents may be surprised to learn that these superheroes may also open the door to tools that track their children’s activities across the Web, according to federal complaints to be filed Wednesday.

The filings with the Federal Trade Commission accuse Disney’s Marvel subsidiary, as well as the Japanese firm Sanrio, of flouting new privacy rules for children by collecting personal information from users without verifying that they are older than 13.

Marvel declined comment on the complaint. Sanrio, known for its Hello Kitty character, did not immediately respond to a request for comment.

Under the privacy rules, which went into effect in July, parents must sign off before sites can track a child’s Internet activities or collect personal information such as photos, videos and location data. The Center for Digital Democracy, the privacy and consumer rights organization that filed the complaints, said the potential violations show that major companies are flouting the new regulations, which updated the Children’s Online Privacy Protection Act (COPPA).

“The new COPPA rules approved one year ago were designed to protect children from contemporary data-collection practices that track consumers 24/7 — on mobile phones and apps, on social media and when playing online games,” said Jeffrey Chester, the center’s executive director. “But what we discovered is that the same powerful and pervasive data-gathering digital complex is at work on leading kids’ sites.”

According to the filings, an independent researcher hired by the center found evidence that the Sanrio app and MarvelKids.com were able to collect users’ location data and were placing persistent identifiers — cookies or similar pieces of code that can track users’ activity across sites — without asking for visitors’ ages.

The researcher, Ian Davey, said he identified several instances in which the app and the site collected personal information and disclosed it to third parties such as advertisers. Sanrio can also access photos on users’ phones and asks Apple users to submit their email addresses in some cases — another practice that requires parental consent under the new rules.

The advertising and Internet tracking practices of these firms, the privacy group said, call into question whether the current process, which allows the industry to set its own guidelines, is strong enough.

Marvel, for example, bears a seal of approval from the Better Business Bureau’s Children’s Advertising Review Unit, indicating that it is in compliance with privacy guidelines.

But the MarvelKids.com privacy policy, which says it was last updated in April 2012, still includes some provisions that break the new rules, said Eric Null, an attorney for the privacy group.

“What they’ve described are COPPA violations,” he said, noting that the policy says users must opt out of having their information shared with third parties. The new regulations say that, for children, this option must be turned off automatically.

These are the first complaints the group has filed under the new rules, but Chester said more are likely.

Marvel and Sanrio could face fines if found to have violated the rules.

The FTC, which traditionally does not comment on such complaints, has said enforcing COPPA is a top priority.
