The Children’s Online Privacy Protection Act (COPPA) provides parents control over what information websites and online services may collect from their children. COPPA requires enhanced privacy and safety protections that businesses must implement to remain compliant.
COPPA has very specific requirements in terms of privacy policies and parent consent. Websites and online services that collect information from children under the age of 13 must ensure compliance with the rule or face regulatory investigations, enforcement actions and civil penalties.
COPPA applies to operators of websites and online services that collect personal information from children under 13 years of age. COPPA must be complied with if:
- A website or online service is directed to children under 13 and personal information is collected from them;
- A website or online service is directed to children under 13 and others are permitted to collect personal information from them;
- A website or online service is directed to a general audience, but actual knowledge is possessed that personal information from children under 13 is collected; or
- A company runs an ad network or plug-in (for example), and actual knowledge is possessed that personal information from users of a website or service directed to children under 13 is collected
A “website or online service” is defined broadly and includes:
- Traditional websites
- Mobile apps that send or receive information online
- Ad networks
- Internet-enabled gaming platforms and location based services
- Voice-over internet protocol services
- IoT devices and connected toys
The FTC considers a number of things when evaluating whether a website or service is directed to children under 13, including the subject matter, content, advertisements and other reliable evidence. Additionally, if a third-party collects personal information through a child-directed website or service (e.g., via an ad network or plug-in) the operator is responsible for complying with COPPA.
- The name and contact information of operators that collect or maintain children’s personal information, including third-parties (e.g., ad networks)
- A description of the personal information collected and how collected/used
- If such personal information is disclosed to third-parties, the types of third-party business
- and how they use the information
- A description of parental rights
- A statement that children will not be required to disclose more than necessary
- A statement that parents can review the information and request that it be removed
- Confirmation that parents may refuse to permit further collection or use
- Confirmation that parents may refuse to permit disclosure to third-parties
- A description of procedures to exercise parental rights
Parents must be provided with “direct notice” of information practices prior to information collection and material changes to previously agreed to practices.
The notice must include:
- That online contact information has been collected in order to obtain parental consent
- Notification of a desire to collect personal information from the child
- That parental consent is required for collection, use and disclosure
- The personal information to be collected
- How the personal information could be disclosed
- Instructions regarding how the parent can consent
- Notification that the failure to consent will result in the removal of the parent’s online contact information
See limited exceptions, below.
Verifiable Parental Consent
Verifiable parental consent is required prior to collecting, using or disclosing personal information from a child. COPPA has a flexible standard here but the method must be reasonably designed in light of available technology to ensure that the person providing consent is the child’s parent. Parents must be provided the option of allowing the collection and use of their child’s personal information without agreeing to third-party disclosure.
Consult with an experience digital marketing and privacy lawyer to discuss the various methods that the FTC believes to be reasonable. Data Protection Leader recently featured Richard B. Newman as legal source on COPPA compliance.
Parents possess ongoing rights. Website operators and service providers have continuing obligations to ensure that parents are provided with a mechanism to review collected information, revoke consent and request deletion. The FTC cautions that reasonable steps must be taken to ensure that communications are, indeed, with a child’s parent. It also cautions about terminating a child’s access to a service if the parent revokes consent and the information at issue is not reasonably necessary for participation.
Reasonable procedures to protect the confidentiality and security of personal information collected from children must be developed, implemented and maintained. Only collect what is necessary. Securely dispose of information that is no longer legitimately required. Be cautious about the third-parties that are provided access to such information.
COPPA defines personal information to include, without limitation:
- Online contact information
- Screen or user name
- Telephone number
- Persistent identifier
- Geolocation information
- Information concerning the child / parent combined with an identifier
COPPA incorporates a “safe harbor” provision that permits companies and industry groups to seek the FTC’s approval for self-regulatory frameworks that implement “the same or greater protections for children” as those set forth by COPPA. Companies that participate in a self-regulatory framework are largely subject to the enforcement procedures set forth in the safe harbor.
As a general rule, verifiable parental consent is required prior to collecting personal information from a child. Limited exceptions, that may still require direct notice of activities, include:
FTC Chart: Limited Exceptions to COPPA’s Verifiable Parental Consent Requirement
|Reason||Information||Limits||Direct Notice to Parents|
|To obtain verifiable parental consent||Child’s / Parent’s name / online contact information||Must delete contact information w/n reasonable period of time if consent not forthcoming|
|To provide notice to a parent about their child’s participation on a website or service that does not collect personal information||Parent’s online contact information|
|To respond directly to a child’s one-time request||Child’s online contact information||Cannot use the information to contact the child again and must delete it after responding||Direct notice is not required|
|To respond directly more than once to a child’s request||Child’s / Parent’s online contact information||Cannot combine this information with any other information collected from the child|
|To protect a child’s safety||Child’s / Parent’s name / online contact information|
|To protect the security or integrity of website or service, to minimize liability exposure, to respond to judicial process, or as permitted by law||Child’s name / online contact information||Direct notice not required|
|To provide support for internal operations of website or service.|
|Persistent identifier||Cannot use the information to contact a specific person, including through behavioral advertising, to compile a profile on a specific person or for any other purpose|
This exception cannot be used to collect personal information other than a persistent identifier
|Direct notice not required|
|If actual knowledge that a person’s information was collected through a child-directed site, but previous registration indicates the person is 13 or over|
|Persistent identifier||Cannot use this exception if information other than a persistent identifier is collected||Direct notice not required|