COPPA is sometimes referred to as the cure for the national debt in the United States thanks to the civil penalties the FTC can claim under the law. At $16,000 a violation, total penalties can be enormous when one considers a site violating COPPA will typically have hundreds, if not thousands, of violations. The national debt is apparently becoming a larger concern as the FTC has just dramatically increased the maximum penalty per violation.
Penalty More Than Doubles
Starting August 1, 2016, the maximum civil penalty for violating COPPA will more than double from $16,000 to $40,000 per violation. A violation is defined as each child an operator collects personal information from in violation of COPPA. For example, an app directed at children under 13 with 100 users would face a potential civil penalty of as much as $4,000,000.
The increase in penalties is a result of FTC compliance with The Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. As with many government agencies, the FTC has not historically adjusted penalties for inflation on an annual basis. The new law requires such an adjustment as well as a “catch-up” calculation for past years where no adjustment occurred. This catch-up adjustment is defined as the percentage by which the U.S. Department of Labor’s Consumer Price Index for all-urban consumers (CPI-U) for the month of October 2015 exceeds the CPI-U for the month of October for the year in which the amount of the penalty was last set or adjusted pursuant to law, excluding prior adjustments.
The COPPA statutory code does not contain a dollar penalty figure. Instead, penalties are determined under Section 5 of the FTC Act. The FTC has not updated the maximum penalty figure for Section 5 since 1975, which is why we see the massive increase from $16,000 to $40,000.
Actual Penalty Determinations
While the $40,000 per violation penalty may be startling, the truth is that FTC penalties are rarely so high in real-world COPPA prosecutions. Through endless litigation, courts have established a six-step process for determining damages under 15 U.S.C. §45(a)(1):
- The level of harm to the public;
- The benefits gained by the defendant;
- The good or bad faith of the violator [willful versus negligent conduct];
- The defendant’s ability to pay;
- The deterrence value of the penalty for this defendant and other operators; and
- A vindication of the authority of the FTC.
[United States v. Boston Scientific Corp., 253 F. Supp. 2d 85, 98 (D. Mass. 2003).]
When courts take these factors into account, the ultimate penalties associated with violations are usually much lower than the current $16,000 per violation standard, much less the new $40,000 figure. This applies in particular when the defendant’s ability to pay is taken into account. InMobi was recently found to have committed potentially millions of COPPA violations. Using the current $16,000 penalty figure, InMobi could have faced a fine in the billions of dollars. Obviously, such a penalty would have been ludicrous. Reflecting this, the ultimate settlement with the FTC consisted of a four million dollar fine with all but $950,000 being suspended.
The penalty bump to $40,000 is just one more reason to comply with COPPA. The FTC has long been criticized for its lack of COPPA enforcement actions, but the enforcement landscape may be changing with the FTC reaching multiple settlements with companies violating COPPA in the last 18 months. At potentially $40,000 a pop, smart business owners and management teams will be moving to both check their COPPA compliance protocol and close any compliance gaps.
Richard A. Chapo, Esq.