Monetary penalties are the attention-grabbing headline when the FTC or any regulator brings an enforcement action against a company. They are the looming threat to incentivize and influence compliance. Over the summer, FTC Chairman Joseph J. Simons (“Chairman Simons”) issued a statement in connection with a settlement that Chairman Simons believes “the goal of a civil penalty should be to make compliance more attractive than violation. Said another way, violation should not be more profitable than compliance.”
Over the summer, a mobile app company, HyperBeard, Inc. (“HyperBeard”), agreed to settle FTC allegations that it illegally collected children’s data without parental consent in violation of the Children’s Online Privacy Protection Act Rule (“COPPA Rule”). HyperBeard’s violation stemmed from allowing third party ad networks to collect personal information in the form of personal identifiers to track users of HyperBeard’s child-directed apps without complying with the COPPA Rule’s requirements of parental notice and verifiable parental consent. Aside from the settlement, the case is another important reminder that companies should be aware of what their vendors are doing because a vendor’s actions could cause the company to be noncompliant with privacy laws and subject to fines and penalties.
The price tag for HyperBeard’s non-compliance was a $4 million fine, suspended upon HyperBeard’s payment of a $150,000 fine due to its inability to pay the full amount. The FTC had authority to seek monetary civil penalties of up to $41,484 for each violation of the COPPA Rule. Each collection, use or disclosure of a child’s personal information in which HyperBeard violated the COPPA Rule is considered a separate violation.
However, the Statement of Chairman Simons and Dissenting Statement of Commissioner Noah Joshua Phillips issued in connection with the settlement shed light on the current thinking of the FTC in their goals on enforcement. Commissioner Phillips believed that the fine imposed was too much. Philips’ Dissenting Statement expressed concern that the FTC’s “recent push to heighten financial penalties – even where the law permits only equitable relief – has been relentless, without clear direction other than to maximize the amount in every case…” and “create the appearance of being ‘tough’” at the expense of being inconsistent, unfair and counterproductive. Commissioner Phillips stressed the importance of focusing on harm when determining if a monetary penalty is merited. In the HyperBeard case, Commissioner Phillips did not find a level of harm that merited the monetary penalty levied.
Chairman Simons responded to the dissent by addressing Commissioner Philips’ harm analysis – stating that “[w]hile harm is an important factor to consider… [the FTC’s] first priority is to use [civil monetary penalties] to deter those practices.” Violations of law, without demonstrable money harm, merit civil penalties. Chairman Simons made clear that deterrence by means of financial penalties is the current goal and is likely to continue for privacy violations.
Finally, it is important to keep in mind that the fine itself is not the only cost to consider. As Chairman Simons pointed out in his statement, there is also cost involved in:
- complying with the injunction itself (such as HyperBeard’s compliance reporting obligation for the next 10 years),
- the reputational effect of the FTC settlement (such as the requirement to provide a copy of the Order to all employees having responsibility for privacy practices and providing a copy of the Order to any buyer of the company in a subsequent merger, acquisition or other corporate ownership change), and
- the threat of follow-on actions for non-compliance with the order (such as the FTC discovery of another violation during its monitoring of HyperBeard’s compliance moving forward).
The HyperBeard case and settlement reiterates that (1) enforcing compliance with the COPPA Rule remains a top priority for the FTC, and (2) the FTC is strategically using monetary civil penalties as the primary means to incentivize a company’s compliance.