Sony Music Sued for Breaching US Privacy Laws – Fined $1 Million

It could negatively affect web developers this time.

There’s an interesting report on Wired’s Threat Level which details Sony getting sued by the FTC for $1 million. While a previous lawsuit against the company proved to be hilarious over the hypocrisy of being sued for software piracy, this lawsuit may be of interest to many web developers who have a website that has any form of profiles.

According to court papers, over 1,000 Sony music sites asked whether an end user was under the age of 13 (section 16 on page 6). Those who said they were under the age of 13 would be restricted from participation. In spite of this warning, users below the age of 13 were able to interact with people of all ages. The sticky part was the fact that users were able to create public profiles which included photos of themselves, their age, gender, and city or country they come from (section 17, page 6) As a result, Sony didn’t, as required by law, obtain verifiable consent from a parent or legal guardian before the information was collected and disclosed (section 20 and 21, page 7) publicly.

As a result, the FTC was able to win the court case with the following:

25. In numerous instances, including the acts and practises describes above, Sony Music collected, used, and/or disclosed personal information from children in violation of the Rule, including:

a. Failing to provide sufficient notice on the Sony Music websites of what information the defendant collects online from children, how it uses such information, its disclosure practises, and all other required content, in violation of Section 312.4(b) of the Rule, 16 C.F.R. [section] 312.4(b);

b. Failing to provide direct notice to parents of what information the defendant collects online from children, how it uses such information, its disclosure practises, and all other required content, in violation of Section 312.4(c) of the Rule, 16 C.F.R. [sec] 312.4(c);

c. Failing to obtain verifiable parental consent before any collection, use, and/or disclosure of personal information from children, in violation of Section 312.5 of the Rule, 16 C.F.R. [sec] 312.5(a)(1); and,

d. Failing to provide a reasonable means for parents to review the personal information collected from their children and to refuse to permit its further use or maintenance, in violation of Section 312.6 of the Rule, 16 C.F.R. [sec] 312.6.

The question is, how does a web administrator actually obtain “verifiable consent” in the first place since something like that could easily be faked via e-mail. This ruling may be of particular concern considering that any website that has a forum (whether it be PHPBB or VBulletine, etc) does merely have the ‘over 13 years old’ check box, but users can type in their location, gender, etc. in their profiles. It’s not exactly clear how many websites in the United States are now legally liable.

David Kravets of Threat Level notes the positive side of the ruling: “Businesses often use information they collect from web users for marketing purposes.”

Such a ruling might prove to be a good deterrent for major corporations who want to collect private and personal information for marketing purposes. One might wonder, though, at what cost?