Disney Faces $10 Million Fine Over Alleged Child Data Collection Violations

The magic kingdom faces a stark reality check as Disney has agreed to pay a substantial $10 million fine, stemming from allegations by the Federal Trade Commission (FTC) and New York State that the entertainment giant illegally collected personal information from children through its popular mobile applications.

This significant settlement underscores the ongoing battle for online child privacy in an increasingly digital world.

At the heart of the matter were accusations that Disney, through its subsidiary Admar, knowingly violated the Children's Online Privacy Protection Act (COPPA). This crucial federal law is designed to give parents control over what information is collected from their children online.

Investigators found that Disney's apps, most notably the once-popular "Club Penguin Island," gathered persistent identifiers—essentially digital fingerprints that track user activity—from kids without first obtaining verifiable parental consent. This data was then allegedly shared with third-party advertisers, raising serious concerns about the commercial exploitation of young users.

The complaint detailed how, from 2017 to 2022, Disney's Admar unit facilitated the collection of such identifiers, not only through "Club Penguin Island" but also via other Disney-owned and Disney-branded apps.

These identifiers allowed advertisers to track children across different apps and websites, creating profiles for targeted advertising—a practice strictly prohibited without explicit parental permission under COPPA.

Further compounding the issue, the New York Attorney General’s office revealed that Admar also unlawfully retained children’s email addresses and, in the case of "Club Penguin Island," even chat message data.

This retention of personal information, combined with the lack of proper consent mechanisms, painted a picture of widespread non-compliance with child privacy regulations.

The $10 million penalty is not just a monetary slap on the wrist. As part of the settlement, Disney is also subject to stringent injunctive relief.

This means the company must take concrete steps to prevent future violations. Key requirements include deleting any previously collected data from children, implementing robust new privacy safeguards, and undergoing regular, independent audits to ensure compliance. This marks a critical step towards holding major corporations accountable for protecting their youngest users.

Interestingly, this isn't Disney's first run-in with the FTC over child privacy.

In 2011, the company settled with the FTC over similar COPPA violations involving its Playdom social gaming subsidiary. The latest settlement sends a powerful message to all developers of child-directed online services: strict adherence to privacy laws is paramount. The shutdown of "Club Penguin Island" in 2017, citing declining engagement, now carries an additional layer of context in light of these privacy infractions.

Regulators emphasized that this action serves as a crucial reminder for online service providers to prioritize children's safety and privacy above all else.

Parents have a fundamental right to control their children's digital footprint, and companies must respect that right by establishing clear, transparent, and compliant data collection practices. The message is clear: the digital playground needs guardians, and the FTC and state attorneys general are ready to step in when those responsibilities are neglected.