What is COPPA?

In today’s cyber world, security and privacy concerns are paramount. This rings especially true for parents seeking to safeguard their child’s online identity. Lawmakers addressed parents’ concerns by creating the Children’s Online Privacy Protection Act of 1998 (“COPPA”). Enforced by the Federal Trade Commission (FTC), COPPA applies to websites and “online services” (including mobile apps) directed towards children under 13. The Act seeks to protect children’s online privacy by imposing strict requirements on the type of personal information that can be gathered from, and the type of content that is displayed to, children under 13.

How Does COPPA Protect Children?

COPPA works to safeguard children by placing parents in control over what information is collected from their children online. Companies with services directed at young children must not only seek parental consent before collecting a child’s personal information but also explicitly state what data will be collected and how it will be used. It is worth repeating that the Act only applies towards services that cater to children under 13, which is why sites such as Facebook and YouTube do not have to maintain COPPA compliance.

Personal information is broadly defined and includes any information that could be used to identify a child, such as interests, hobbies, and even Internet cookies or other tracking methods.

On July 1, 2013, the FTC amended COPPA by specifically defining “personal information” to include: first and last name, physical address, screen or user name, telephone number, social security number, photographic or audio files containing the child’s image or voice, and geolocation information. Any website or online service that requests or even encourages (optional prompts are sufficient) the submission of personal information must comply with COPPA. Importantly, these requirements also extend to any third party service operating on a qualifying website, such as an ad network or plug-in.

How to Comply with COPPA?

The FTC lists seven requirements of website operators:

• Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;
• Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
• Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but
  prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
• Provide parents access to their child’s personal information to review and/or have the information deleted;
• Give parents the opportunity to prevent further use or online collection of a child’s personal information;
• Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
• Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.

Although these requirements lay out the basic compliance framework for which a website operator must abide by, the actual implementation of such standards may vary. Many companies, such as Disney, maintain separate web pages for general privacy policy terms and children’s privacy policies. Conversely, companies such as Hasbro and Nickelodeon integrate their children’s privacy policies within their general privacy terms. Proper implementation may prove more complex for mobile application developers, who must also comply with app store guidelines.

Regardless of how an operator chooses to comply with the FTC, it is advisable that he or she seek the advice of qualified counsel before displaying a privacy policy online.

What if a Website or App Violates COPPA?

COPPA violations are not taken lightly. In the past, the FTC has imposed hefty fines on offenders, with a notable few listed below:

• Singapore-based mobile advertising company InMobi ordered to pay $950,000 in civil penalties and implement a comprehensive privacy program to settle Federal Trade Commission charges it deceptively tracked the locations of hundreds of millions of consumers – including children – without their knowledge or consent to serve them geo-targeted advertising. (June 22, 2016)
• Two app developers, LAI Systems, LLC and Retro Dreamer, were ordered to pay a combined $360,000 in civil penalties as part of settlements with the FTC over charges they violated COPPA. (December 17, 2015)
• Online review site Yelp, Inc., and mobile app developer TinyCo, Inc., agreed to settle separate FTC charges that they improperly collected children’s information in violation of COPPA. Under the terms of the settlements,Yelp was ordered to pay a $450,000 civil penalty while TinyCo was ordered to pay a $300,00 civil penalty. (September 17, 2014)

With so much at stake, proper compliance with all applicable rules and regulations should be paramount to any entrepreneur – big or small.