FTC CHILDREN’S ONLINE PRIVACY PROTECTION ACT (COPPA)
The Children’s Online Privacy Protection Act (COPPA) provides parents control over what information websites and online services may collect from their children. COPPA requires enhanced privacy and safety protections that businesses must implement to remain compliant.
Compliance Plan
COPPA has very specific requirements in terms of privacy policies and parent consent. Websites and online services that collect information from children under the age of 13 must ensure compliance with the rule or face regulatory investigations, enforcement actions and civil penalties.
Application
COPPA applies to operators of websites and online services that collect personal information from children under 13 years of age. COPPA must be complied with if:
- A website or online service is directed to children under 13 and personal information is collected from them;
- A website or online service is directed to children under 13 and others are permitted to collect personal information from them;
- A website or online service is directed to a general audience, but actual knowledge is possessed that personal information from children under 13 is collected; or
- A company runs an ad network or plug-in (for example), and actual knowledge is possessed that personal information from users of a website or service directed to children under 13 is collected
A “website or online service” is defined broadly and includes:
- Traditional websites
- Mobile apps that send or receive information online
- Ad networks
- Plug-ins
- Internet-enabled gaming platforms and location based services
- Voice-over internet protocol services
- IoT devices and connected toys
The FTC considers a number of things when evaluating whether a website or service is directed to children under 13, including the subject matter, content, advertisements and other reliable evidence. Additionally, if a third-party collects personal information through a child-directed website or service (e.g., via an ad network or plug-in) the operator is responsible for complying with COPPA.
Privacy Policy
A COPPA compliant privacy policy must set forth in detail how personal information is collected from children under 13 years of age. It must be clearly, conspicuously and prominently posted in every place that personal information is collected. First and third-party collection practices must be set forth.
At a minimum, the privacy policy should include:
- The name and contact information of operators that collect or maintain children’s personal information, including third-parties (e.g., ad networks)
- A description of the personal information collected and how collected/used
- If such personal information is disclosed to third-parties, the types of third-party business
- and how they use the information
- A description of parental rights
- A statement that children will not be required to disclose more than necessary
- A statement that parents can review the information and request that it be removed
- Confirmation that parents may refuse to permit further collection or use
- Confirmation that parents may refuse to permit disclosure to third-parties
- A description of procedures to exercise parental rights
Notification
Parents must be provided with “direct notice” of information practices prior to information collection and material changes to previously agreed to practices.
The notice must include:
- That online contact information has been collected in order to obtain parental consent
- Notification of a desire to collect personal information from the child
- That parental consent is required for collection, use and disclosure
- The personal information to be collected
- How the personal information could be disclosed
- A hyperlink to the privacy policy
- Instructions regarding how the parent can consent
- Notification that the failure to consent will result in the removal of the parent’s online contact information
See limited exceptions, below.
Verifiable Parental Consent
Verifiable parental consent is required prior to collecting, using or disclosing personal information from a child. COPPA has a flexible standard here but the method must be reasonably designed in light of available technology to ensure that the person providing consent is the child’s parent. Parents must be provided the option of allowing the collection and use of their child's personal information without agreeing to third-party disclosure.
Consult with an experience digital marketing and privacy lawyer to discuss the various methods that the FTC believes to be reasonable. Data Protection Leader recently featured Richard B. Newman as legal source on COPPA compliance.
Ongoing Rights
Parents possess ongoing rights. Website operators and service providers have continuing obligations to ensure that parents are provided with a mechanism to review collected information, revoke consent and request deletion. The FTC cautions that reasonable steps must be taken to ensure that communications are, indeed, with a child’s parent. It also cautions about terminating a child’s access to a service if the parent revokes consent and the information at issue is not reasonably necessary for participation.
Reasonable Procedures
Reasonable procedures to protect the confidentiality and security of personal information collected from children must be developed, implemented and maintained. Only collect what is necessary. Securely dispose of information that is no longer legitimately required. Be cautious about the third-parties that are provided access to such information.
Personal Information
COPPA defines personal information to include, without limitation:
- Name
- Address
- Online contact information
- Screen or user name
- Telephone number
- SSN
- Persistent identifier
- Photograph
- Video
- Audio
- Geolocation information
- Information concerning the child / parent combined with an identifier
Safe Harbor
COPPA incorporates a “safe harbor” provision that permits companies and industry groups to seek the FTC’s approval for self-regulatory frameworks that implement “the same or greater protections for children” as those set forth by COPPA. An experienced FTC compliance lawyer can assist with minimizing the risk of unwanted regulatory scrutiny.
Companies that participate in a self-regulatory framework are largely subject to the enforcement procedures set forth in the safe harbor.
Exceptions
As a general rule, verifiable parental consent is required prior to collecting personal information from a child. There are limited exceptions that may still require direct notice of activities.
Contact an experienced FTC COPPA compliance lawyer to discuss the implementation of preventative privacy measures, or if you are the subject of a regulatory investigation or litigation matter.