An online-privacy advocacy group has asked the Federal Trade Commission to investigate MarvelKids.com and the Hello Kitty Carnival mobile app, which it insists fail to protect children's personal information as required by federal law.
In twin complaints filed Wednesday, the Center for Digital Democracy claims neither Marvel nor Sanrio Digital "provides adequate notice or obtains verifiable parental consent prior to collecting, using, or disclosing personal information about its child users," as mandated by the 14-year-old Children’s Online Privacy Protection Act. The complaints are the first to be filed since the FTC implemented stricter rules in July.
Launched in January 2008, MarvelKids is a hub "designed to entertain and educate children" using the company's kid-friendly comics, animated series and games. Visitors can watch episodes and clips from shows like Ultimate Spider-Man and Wolverine and the X-Men, read issues of titles like Marvel Adventures Spider-Man and assorted Power Pack team-ups, and play upward of 20 online games.
Marvel last updated its privacy policy in April 2012, before the new restrictions went into effect, yet the CDD notes the website displays the industry's self-regulation safe-harbor seal. According to the group, MarvelKids also collects personal information from visitors, including IP addresses and pages visited before and after, and shares that data with ad-serving companies like Google DoubleClick -- all without parental consent.
Marvel's parent company Disney said in a statement to AdWeek that, "Contrary to any suggestion in the press release and complaint filed by the Center for Digital Democracy, we are fully mindful of our obligations under COPPA and have robust processes in place to meet them. CDD never brought their concerns to us and instead issued an inflammatory and inaccurate release."
Hello Kitty Carnival is a free game that encourages players earn virtual coins by operating a carnival; additional coins can be purchased to buy more rides and to decorate the carnival. The CDD states that Sanrio and third parties are able to collect at least three types of information from children: identifiers unique to the mobile device, its physical location, and photos containing images of children. Without obtaining parental permission, all of that violates COPPA rules.
“These two complaints reveal a pattern of disturbing practices that threaten children's privacy and undermine the ability of parents to control how information is collected and used,” CDD Executive Director Jeff Chester said in a statement. “The new COPPA rules approved one year ago were designed to protect children from contemporary data collection practices that track consumers 24/7 — on mobile phones and ‘apps,’ on social media, and when playing online games. But what we discovered is that the same powerful and pervasive data gathering digital complex is at work on leading kids sites."