How Your Website Might be in Violation of the Children’s Online Protection Act
COPPA, the Children’s Online Privacy Protection Act is a federal regulation that covers the online collection of personal information entered by children under the age of 13. Under the Act, the Federal Trade Commission imposes certain requirements on website operators or online service providers (including mobile apps).
The Act came into force in 2000 in order to address various online marketing techniques of the 1990s that were targeting children and collecting their data. As children under the age of 13 are especially vulnerable and do not fully understand the implications of revealing their personal information online, the Act was designed to protect such children’s privacy.
Personal information is information that can individually identify a person and may include names and last names, addresses, phone numbers, social security numbers, photographs, and sufficiently specific geolocation information, among others. The definition of children's’ personal data is wide and is interpreted in a broad fashion by the Federal Trade Commission, which is responsible for the enforcement of COPPA.
Not only do websites/apps geared toward or providing services specifically to children fall under the Act’s scope, but also sites or services where there is actual knowledge that personal information is being collected or disclosed from children. For example an entertainment app that is geared for adults users but is used frequently by children. In such a case the FTC looks at the app’s operators actual knowledge.
Actual knowledge occurs when the site or service provider is in any way aware that a child is visiting the site or using the service, whether by monitoring posts and learning that a child has posted on the site or by being contacted by its parents or otherwise having reason to know of the user’s age.
Does COPPA always apply?
COPPA only applies the collection, use, and disclosure of personal information that a child entered into the internet. Thus, information about the child that its parents submitted is not covered by the Act. COPPA also doesn’t apply to the collection of information held in cookies and other non-personal identifiers if such information is just used for internal operations support of the site — if it’s used for other purposes, is combined with the child’s personal information, or can be used to recognize a user over time, it will fall under the scope of COPPA. COPPA will apply regardless of whether the personal information submitted is mandatory or voluntary in order to use the site. It does not, however, deal with situations where a child enters personal information but lies about its age.
How to Collect Children’s Information on Your Site/Online Service in Compliance with COPPA?
Parent Opt in
Disclosure to Third Parties
What happens if I don’t comply?
You may be liable for civil penalties of up to $16,000 per improper data collection, depending on various factors, such as the egregiousness of the violation, the number of children involved, type of information collected, and whether the operator previously has not complied with the Act. A notable recent example is Tiktok, which was fined $5,700,000 in February 2020 and faces additional fines for non-compliance with the FTC rulings.
COPPA Next Steps
Don’t hesitate to contact us or leave a comment underneath if you have any questions or remarks regarding COPPA compliance.