Hershey’s and Mrs. Fields Slapped for COPPA Violations

Use of the Hershey’s and Mrs. Fields Original Cookies websites by children has turned into a bitter experience for both companies.

Each company recently entered into a consent decree with the Federal Trade Commission (FTC) for alleged violations of the Children’s Online Privacy Protection Act (COPPA) because they were collecting personal information from children without first obtaining proper parental consent. Neither company admitted any wrongdoing in the consent decrees. Hershey will pay $85,000 in civil penalties and Mrs. Fields will pay $100,000.

“These settlements offer food for thought for anyone who operates a web site that caters to kids,” said Howard Beales, director of the FTC’s Bureau of Consumer Protection. “If your web site collects personal information from children, comply with the law or face the consequences.”

COPPA prohibits websites from collecting information on children under the age of 13 years without obtaining verifiable consent from a parent or guardian. When information is collected, there also must be a mechanism for parents to verify and/or delete the information as well.

In the case of Hershey, it maintains several websites, including www.hersheys.com, www.paydaybar.com, and www.reesefastbreak.com, on which it has collected information from children under 13 including the child’s first and last names, street address, e-mail address, gender, age, and, in some instances, telephone number. As part of a sweepstakes to win a candy bar on the “”Kidztown”” portion of the Hersheys.com website, the company disclosed the personal information it collected by posting the first and last names and home states of the winners on the Internet.

The FTC said that while Hershey did have a parental consent form on the websites, the “method of obtaining parental consent was not reasonably calculated to ensure that the person providing consent was the child’s parent. Moreover, even if no information was submitted in the parental consent form, and a child filled in the registration form indicating that he/she was under the age of 13, the entry form was accepted” by Hershey.

Under the consent decree, Hershey agreed to pay $85,000 in civil penalties, to delete any information collected in violation of COPPA and to institute certain record keeping procedures.

Mrs. Fields Cookies’ violations were on three of its websites: www.mrsfields.com, www.pretzeltime.com, and www.pretzelmaker.com. Each website offered birthday clubs directed at children 12 and under. By joining the club, the children would get a coupon for a free cookie or pretzel and a birthday greeting. In order to register, the children were required to provide personal information including their first and last names, street address, e-mail address and date of birth and, at www.mrsfields.com, their telephone number.

Mrs. Fields did not have any parental consent form on the websites. They also did not provide any means for parents to review or delete the information from their children.

Under the consent decree, Mrs. Fields paid $100,000 in civil penalties, agreed to delete all personal information collected from every child since April 21, 2000 and agreed to provide a report to the FTC on how the company plans to comply with COPPA in the future.

United States of America v. Mrs. Fields Famous Brands, Inc., Mrs. Fields’ Holding Company, Inc. and Mrs. Fields’ Original Cookies, Inc., U.S. District Court, Utah, Central Division. United States of America v. Hershey Foods Corp., U.S. District Court, Middle District of Pennsylvania.