Disney Websites May Run Afoul of Children’s Privacy Laws

Privacy group raises new concerns

Disney, the world's most iconic kids brand, is under scrutiny by the Federal Trade Commission for flunking the ABCs of children's online privacy laws.

The Mouse House first came under review following a complaint filed last December by the Center for Digital Democracy that alleged Marvelkids.com failed to obtain parental consent from children under 13 prior to tracking and collecting personal information about them.

Although Disney made some changes in its privacy policy two days later, the CDD said today in an amended complaint that the changes were "insufficient."

"Disney has cavalierly disregarded some of the basic principles," said Jeff Chester, executive director of the CDD. "The biggest kids entertainment company is thumbing its nose at kids' privacy. We expect action."

Because Disney substituted its companywide policy on Marvelkids.com, the CDD suggested the FTC broaden its inquiry to include all of Disney's kids-directed sites.

"The problem with using a companywide privacy policy for kids' sites is it may not be compliant and that's what we're seeing here," said CDD attorney Eric Null of the Institute for Public Representation.

CDD identified three places where it says Disney did not stick to the letter of the law for children's online privacy.

First, the Marvelkids.com site does not have a direct link on the homepage to the online policy as spelled out in the FTC's guidance. "Parents must click on three separate links to find the children's policy," wrote Null. The same experience happens with DisneyJunior.com.

Second, the CDD alleges that Disney's notification about what information third parties are collecting fails to meet the clear and prominent standard and is inaccessible because it is buried in fine print in the "persistent identifiers" section of the policy, making it "not easy to locate."

Finally, the CDD also accuses Disney of allowing third parties to collect personal information for purposes other than the internal operations of the website. Forty-three different companies are listed on the website as collecting persistent identifiers.

Disney dismissed the allegations. "In an all too familiar and disappointing pattern, CDD once again seeks to garner headlines at the expense of the facts. Disney's privacy policies and practices respect and protect kids and parents and our Websites are specifically designed to easily and effectively arm parents with the information they need to keep their kids safe online," the company said in a statement. "In short, there is simply no truth to any of the claims made by the CDD."

The FTC updated rules for the Children's Online Privacy Protection Act (Coppa) last summer, establishing stricter codes for obtaining parents permission for tracking and collecting children's personal information. The agency has yet to bring any enforcement action since the update.