COPPA — 101
How Your Website Might be in Violation of the Children’s Online Protection Act
COPPA, the Children’s Online Privacy Protection Act is a federal regulation that covers the online collection of personal information entered by children under the age of 13. Under the Act, the Federal Trade Commission imposes certain requirements on website operators or online service providers (including mobile apps).
The Act came into force in 2000 in order to address various online marketing techniques of the 1990s that were targeting children and collecting their data. As children under the age of 13 are especially vulnerable and do not fully understand the implications of revealing their personal information online, the Act was designed to protect such children’s privacy.
Kid Data
Personal information is information that can individually identify a person and may include names and last names, addresses, phone numbers, social security numbers, photographs, and sufficiently specific geolocation information, among others. The definition of children's’ personal data is wide and is interpreted in a broad fashion by the Federal Trade Commission, which is responsible for the enforcement of COPPA.
Scope
Not only do websites/apps geared toward or providing services specifically to children fall under the Act’s scope, but also sites or services where there is actual knowledge that personal information is being collected or disclosed from children. For example an entertainment app that is geared for adults users but is used frequently by children. In such a case the FTC looks at the app’s operators actual knowledge.
Actual knowledge occurs when the site or service provider is in any way aware that a child is visiting the site or using the service, whether by monitoring posts and learning that a child has posted on the site or by being contacted by its parents or otherwise having reason to know of the user’s age.
Does COPPA always apply?
COPPA only applies the collection, use, and disclosure of personal information that a child entered into the internet. Thus, information about the child that its parents submitted is not covered by the Act. COPPA also doesn’t apply to the collection of information held in cookies and other non-personal identifiers if such information is just used for internal operations support of the site — if it’s used for other purposes, is combined with the child’s personal information, or can be used to recognize a user over time, it will fall under the scope of COPPA. COPPA will apply regardless of whether the personal information submitted is mandatory or voluntary in order to use the site. It does not, however, deal with situations where a child enters personal information but lies about its age.
How to Collect Children’s Information on Your Site/Online Service in Compliance with COPPA?
Privacy Policy
You might ask, “I have a app and I provide online services, what am I required to do”? First and foremost, you need a clear and detailed privacy policy and place a link to the policy visibly on any page of the site where personal information is collected. Within the privacy policy, you need to include: any information you collect from children, the manner in which the information is used, and whether it is disclosed or shared with third parties. You must also disclose the names and addresses of the website operators that may be contacted by parents. If there are multiple operators collecting information via your site, you can designate one person who will respond to all parents’ inquiries. The privacy policy should also be in plain English.
Parent Opt in
Secondly, you need to provide parents of the child user with a notice and obtain their consent before using personal information of their child. In your notice, you need to do the following: tell parents that you collected their contact information for the purpose of obtaining their consent, describe what information of their child’s you are seeking to collect, in what manner it may be disclosed, and that parental consent is required to do so, include a link to your privacy policy, provide them with a way to give consent, and let them know you will delete their information if you do not receive their consent within a reasonable time. If you won’t be disclosing the child’s personal information and it’s just used for internal purposes, parental consent suffices when a parent just responds to the e-mail with their permission.
Disclosure to Third Parties
If the information will be disclosed to others, however, you will need to provide a more stringent method for consent, such as having them sign a form, or call a toll-free number. After giving consent, parents should also be given an adequate means of reviewing and deleting their child’s information. I don’t collect personal information, do I need to worry about anything? Even though COPPA only applies to websites or services that collect, use, or disclose personal information of children, it is always good to have a transparent privacy policy that shows users in what manner their data will be used and gives them means of reviewing and deleting their data. Another way to avoid COPPA issues is to restrict access to users above the age of 13, and provide for a way for persons to contact you when they discover children under 13 are using the site/service.
What happens if I don’t comply?
You may be liable for civil penalties of up to $16,000 per improper data collection, depending on various factors, such as the egregiousness of the violation, the number of children involved, type of information collected, and whether the operator previously has not complied with the Act. A notable recent example is Tiktok, which was fined $5,700,000 in February 2020 and faces additional fines for non-compliance with the FTC rulings.
COPPA Next Steps
Don’t hesitate to contact us or leave a comment underneath if you have any questions or remarks regarding COPPA compliance.
