Privo and Ypulse have recently alerted us to a new law enacted in Maine USA that bans the use of personal information about minors for marketing purposes. Here I’m quoting both sources.
The law is much more expansive than the Children’s Online Privacy Protection Act (COPPA) – the federal law regulating the online collection and use of personal information from children under 13. The Maine law regulates both the online and offline collection of personal information from users under the age of 18 and strictly prohibits any transfer of or use of personal information about minors for marketing products or services – regardless of from whom it was collected or whether a parent has consented to the collection and use. The law is set to take effect in September.
The law includes three major regulatory elements, which appear to be incongruous. The first regulatory element prohibits anyone from knowingly collecting or receiving either personal or health-related information from a minor for marketing purposes without first obtaining verifiable parental consent. The law’s definition of parental consent includes authorization for future collection, use, and disclosure of the minor’s personal information. However, the second and third regulatory elements prohibit any transfer of minors’ personal information and its use for marketing purposes – regardless of from whom it was collected or whether a parent has consented to the collection and use.
Under the new law:
- The knowing collection or receipt of health-related information or personal information for marketing purposes from a minor without first obtaining verifiable parental consent is prohibited.
- The sale or transfer of health-related information or personal information about a minor is prohibited, regardless of whether or not the information was lawfully obtained.
- The use of health-related information or personal information regarding a minor for the purpose of marketing a product or service to that minor or promoting any course of action for the minor relating to a product is strictly prohibited.
Maine’s law, like COPPA, defines “personal information” as “individually identifiable information.” The Maine law provides the following illustrative list of personal information: (1) an individual’s first name, or first initial, and last name; (2) a home or other physical address; (3) a social security number; (4) a driver’s license number or state identification card number; and (4) information concerning a minor that is collected in combination with an above-described identifier. Unlike COPPA, the Maine law does not specifically include in the list email addresses and phone numbers – both of which COPPA lists as individually identifiable information.
The law also allows for enforcement by the State Attorney General and for a private rights of action – meaning that private parties can sue companies for collecting or using minors’ personal information in violation of the law. Private litigants can sue for injunctive relief and/or damages in the greater amount of either $250 or actual damages, mandatory attorneys’ fees, and costs. Damages for willing or knowing violations can be the greater amount of either $750 or treble damages. A court may also assess civil fines of at least $10,000 and no more than $20,000 for a first violation and at least $20,000 for each subsequent violation.
In other words, companies that currently collect personal information from minors may consider seeking out legal advice about the best way to avoid coming under fire this September.
See the full legal document here.
Update 10th Aug 2009: Thanks to Stephen Kline from Privo for sending through this link to Tips to Deal With Maine’s New Law Regarding Minors’ Personal Information from Liisa Thomas, an attorney at Winston & Strawn, an advertising firm in the U.S. It answers many of the questions being asked following the announcement of the law, although still sadly cannot provide easy solutions! And of course, those pesky under 18’s do keep moving house – what if they have moved to Maine since you last refreshed your email database, and didn’t tell you…?