In June, the Governor of Maine signed into law a controversial bill that regulates the collection, use, and disclosure of minors’ personal information. Specifically, the Act to Prevent Predatory Marketing Practices against Minors requires a company to obtain parental consent before knowingly collecting personal information or health-related information for marketing purposes from a minor (a child under 18), and it prohibits the company from disclosing such information and from using it for marketing purposes.
The Act thus has an inherent contradiction: it requires a company to obtain parental consent before collecting minors’ information for marketing purposes but, at the same time, bans the use of minors’ information for marketing purposes.
The original purpose of the bill was to regulate the collection, disclosure and use of minors’ health-related information. Just seven days before the bill passed the House, and eight days before it passed the Senate, the Committee on Business, Research, and Economic Development amended it to also cover personal information. Prior to that amendment, there had been no action on the bill since it was introduced and referred to Committee on March 25. It is unclear from currently available information why the last-minute change was made, but when the legislative records become available, they should provide some insight.
Several industry members and representatives have expressed their intent to challenge the Act as overbroad, either in court or when the state legislature reconvenes in January 2010. In the meantime, the Act takes effect on September 12, 2009, so companies are advised to take steps to come into compliance.
: individually identifiable information, including: (1) a first name, or first initial, and last name; (2) a home or other physical address; (3) a Social Security number; (4) a driver’s license number or state identification card number; and (5) information concerning a minor that is collected in combination with one of the above-referenced identifiers. The definition is worded broadly enough to include any information that identifies an individual, even if the category is not included in the enumerated examples. Such information could include, for example, email address, social networking profile and other data associated with an individual. Moreover, unlike the federal Children’s Online Privacy Protection Act (“COPPA”), coverage is not limited to information collected online.
: any information about an individual or a member of his/her family relating to health, nutrition, drug or medication use, physical or bodily condition, mental health, medical history, medical insurance coverage or claims, or similar data.
: the use of health-related information or personal information to market or advertise products, goods, or services to individuals.
The Act restricts the collection, disclosure, and use of minors’ personal information and health-related information. Specifically, it:
- Prohibits any person from knowingly collecting or receiving personal information or health-related information for marketing purposes from a minor without first obtaining verifiable parental consent from the minor’s parent or legal guardian.
“Verifiable parental consent” is defined in a way similar to the requirements of COPPA: “any reasonable effort, taking into consideration available technology, including a request for authorization for future collection, use and disclosure described in the notice, to ensure that a parent of a minor receives notice of the collection of personal information, use and disclosure practices and authorizes the collection, use and disclosure, as applicable, of personal information and the subsequent use of that information before the information is collected from that minor.” Although this provision applies to any collection or receipt of covered information – whether online or offline – it is narrower than COPPA in one respect: it applies only to the collection of information for marketing purposes.
- Prohibits any person from disclosing a minor’s personal information or health-related information to another person. The Act limits this restriction to certain circumstances (i.e., when the information was collected without verifiable parental consent, when it individually identifies the minor, or when it will be used for marketing purposes), but the practical effect is to ban any disclosure of a minor’s personally identifiable information. The prohibition applies even when a person has received verifiable parental consent to collect and use a minor’s information.
- Prohibits any person from using a minor’s personal information or health-related information for predatory marketing. “Predatory marketing” means marketing to the minor or “promoting any course of action for the minor relating to a product.”
This broad prohibition applies even when the person has received verifiable parental consent. As noted above, the prohibition makes it unclear why a company would seek consent to the collection of minors’ personal information for marketing purposes.
The Act’s coverage and restrictions go well beyond those of COPPA. Specifically:
- As noted above, the Act applies to information collected both on and offline. COPPA regulates only information collected online;
- The Act regulates the collection, use, and disclosure of information about children under 18, while COPPA covers only children under 13;
- The Act prohibits the disclosure of minors’ information to third parties, regardless of parental consent. COPPA permits such disclosure, as long as appropriate parental consent has been obtained;
- The Act prohibits the use of minors’ information for marketing purposes. COPPA permits such use, as long as appropriate parental consent has been obtained; and
- The Act covers health-related information. COPPA does not specifically apply to such information.
Violations of the Act are considered unfair trade practices under state law. In addition, the Attorney General may seek a civil penalty of no less than $10,000 and no more than $20,000 for the first violation, and no less than $20,000 for a second or subsequent violation.
The Attorney General is also authorized to bring action under COPPA, if applicable. Finally, in another departure from COPPA, the Act allows an individual to seek both injunctive relief and the greater of actual damages or up to $250 per violation. It remains to be seen how “per violation” will be interpreted. For example, a “violation” may be construed as one clause of the statute that a company has violated, or it may be based upon each individual’s personal information used in a way contrary to the statute.
Kelley Drye will provide future client advisories on the new Maine law as key developments occur.
Kelley Drye & Warren's Information Security and Privacy practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law.
Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients' customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.
For more information about this Client Advisory, please contact:
Alysa Zeltzer Hutnik