Children’s Online Privacy Protection Act (COPPA)

The Children’s Online Privacy Protection Act (COPPA) provides parents control over what information websites and online services may collect from their children.  COPPA requires enhanced privacy and safety protections that businesses must implement to remain compliant.

Compliance Plan

COPPA has very specific requirements in terms of privacy policies and parent consent.  Websites and online services that collect information from children under the age of 13 must ensure compliance with the rule or face regulatory investigations, enforcement actions and civil penalties.

Application

COPPA applies to operators of websites and online services that collect personal information from children under 13 years of age.  COPPA must be complied with if:

  • A website or online service is directed to children under 13 and personal information is collected from them;
  • A website or online service is directed to children under 13 and others are permitted to collect personal information from them;
  • A website or online service is directed to a general audience, but the operator has actual knowledge that it is collecting personal information from children under 13; or
  • A company runs an ad network, plug-in or similar service and has actual knowledge that it is collecting personal information from users of a website or service directed to children under 13

A “website or online service” is defined broadly and includes:

  • Traditional websites
  • Mobile apps that send or receive information online
  • Ad networks
  • Plug-ins
  • Internet-enabled gaming platforms and location based services
  • Voice-over internet protocol services
  • IoT devices and connected toys

The FTC considers a number of factors when evaluating whether a website or service is directed to children under 13, including the subject matter, content, advertisements and other reliable evidence.  Additionally, if a third party collects personal information through a child-directed website or service (e.g., via an ad network or plug-in), the operator of that website or service is responsible for complying with COPPA.

Privacy Policy

A COPPA compliant privacy policy must set forth in detail how personal information is collected from children under 13 years of age.  It must be clearly, conspicuously and prominently posted in every place that personal information is collected.  Both first-party and third-party collection practices must be described.

At a minimum, the privacy policy should include:

  • The name and contact information of all operators that collect or maintain children’s personal information, including third parties (e.g., ad networks)
  • A description of the personal information collected, how it is collected and how it is used
  • If such personal information is disclosed to third parties, the types of businesses those third parties are in and how they use the information
  • A description of parental rights
  • A statement that children will not be required to disclose more personal information than is reasonably necessary to participate
  • A statement that parents can review the information and request that it be deleted
  • Confirmation that parents may refuse to permit further collection or use
  • Confirmation that parents may refuse to permit disclosure to third parties
  • A description of the procedures for exercising parental rights

Notification

Parents must be provided with “direct notice” of information practices prior to information collection and material changes to previously agreed to practices.

The notice must include:

  • That online contact information has been collected in order to obtain parental consent
  • Notification of a desire to collect personal information from the child
  • That parental consent is required for collection, use and disclosure
  • The personal information to be collected
  • How the personal information could be disclosed
  • A hyperlink to the privacy policy
  • Instructions regarding how the parent can consent
  • Notification that the failure to consent will result in the removal of the parent’s online contact information

See limited exceptions, below.

Verifiable Parental Consent

Verifiable parental consent is required prior to collecting, using or disclosing personal information from a child.  COPPA has a flexible standard here but the method must be reasonably designed in light of available technology to ensure that the person providing consent is the child’s parent.  Parents must be provided the option of allowing the collection and use of their child’s personal information without agreeing to third-party disclosure.

Consult with an experienced digital marketing and privacy lawyer to discuss the various consent methods that the FTC considers reasonable.  Data Protection Leader recently featured Richard B. Newman as a legal source on COPPA compliance.

Ongoing Rights

Parents possess ongoing rights.  Website operators and service providers have continuing obligations to ensure that parents are provided with a mechanism to review collected information, revoke consent and request deletion.  The FTC cautions that reasonable steps must be taken to ensure that communications are, indeed, with the child’s parent.  It also cautions against terminating a child’s access to a service when the parent revokes consent and the information at issue is not reasonably necessary for participation.

Reasonable Procedures

Reasonable procedures to protect the confidentiality, security and integrity of personal information collected from children must be developed, implemented and maintained.  Collect only what is reasonably necessary.  Securely dispose of information that is no longer legitimately required.  Be cautious about the third parties that are given access to such information, and release it only to parties capable of maintaining its confidentiality and security.

Personal Information

COPPA defines personal information to include, without limitation:

  • Name
  • Address
  • Online contact information
  • Screen or user name
  • Telephone number
  • Social Security number
  • Persistent identifier
  • Photograph
  • Video
  • Audio
  • Geolocation information
  • Information about the child or the parent that is combined with any of the identifiers above

Safe Harbor

COPPA incorporates a “safe harbor” provision that permits companies and industry groups to seek the FTC’s approval for self-regulatory frameworks that implement “the same or greater protections for children” as those set forth by COPPA. Companies that participate in a self-regulatory framework are largely subject to the enforcement procedures set forth in the safe harbor.

Exceptions

As a general rule, verifiable parental consent is required prior to collecting personal information from a child.  The limited exceptions, some of which still require direct notice to parents, include the following:

FTC Chart: Limited Exceptions to COPPA’s Verifiable Parental Consent Requirement

Each exception below is listed with the reason it may be relied on, the information that may be collected under it, the limits on use of that information, and the direct notice (if any) that must still be provided to parents.

Reason: To obtain verifiable parental consent
Information: Child’s or parent’s name and online contact information
Limits: Must delete the contact information within a reasonable period of time if consent is not forthcoming
Direct notice to parents:
  • Inform parents that their online contact information was collected so that consent can be obtained
  • Inform parents that their consent is required for the collection, use or disclosure of personal information from the child, and that without such consent there will be no collection, use or disclosure of personal information from the child
  • Describe the additional items of personal information the operator intends to collect from the child, and the other ways in which the child may disclose personal information, if the parent provides consent
  • Hyperlink to the privacy policy
  • Describe how parents may provide verifiable consent for the collection, use or disclosure of personal information from the child
  • Inform parents that without consent their online contact information will be deleted from the operator’s records

Reason: To provide notice to a parent about their child’s participation on a website or service that does not collect personal information
Information: Parent’s online contact information
Limits: May not be used for any other purpose
Direct notice to parents:
  • Inform parents that their online contact information was collected in order to let them know about their child’s activities on a site or service that does not collect personal information
  • Inform parents that their online contact information will not be used for any other purpose
  • Inform parents that they are entitled to refuse to allow their child’s participation and to require that their contact information be deleted
  • Hyperlink to the privacy policy

Reason: To respond directly to a child’s one-time request
Information: Child’s online contact information
Limits: May not use the information to contact the child again and must delete it after responding
Direct notice to parents: Not required

Reason: To respond directly more than once to a child’s request
Information: Child’s and parent’s online contact information
Limits: May not combine this information with any other information collected from the child
Direct notice to parents:
  • Inform parents that their online contact information was collected to let them know that their child has asked for multiple online communications
  • Inform parents that their child’s online contact information was collected in order to provide the multiple communications the child requested
  • Inform parents that the online contact information will not be used for any other purpose and will not be disclosed or combined with other information
  • Inform parents that if they do not opt out, the child’s online contact information may be used for that purpose
  • Hyperlink to the privacy policy

Reason: To protect a child’s safety
Information: Child’s or parent’s name and online contact information
Limits: May not be used or disclosed for any other purpose
Direct notice to parents:
  • Inform parents that names and contact information were collected to protect a child’s safety
  • Inform parents that the information will not be used or disclosed for any other purpose
  • Inform parents that they may refuse to permit the use of the contact information and require that it be deleted
  • Hyperlink to the privacy policy

Reason: To protect the security or integrity of the website or service, to minimize liability exposure, to respond to judicial process, or as otherwise permitted by law
Information: Child’s name and online contact information
Direct notice to parents: Not required

Reason: To provide support for the internal operations of the website or service, which includes:
  • Maintaining or analyzing functionality
  • Network communications
  • Authentication
  • Serving contextual advertising
  • Frequency capping
  • Protecting the security or integrity of users
  • Legal or regulatory compliance
  • Fulfilling a child’s request under one of the enumerated exceptions
Information: Persistent identifier only
Limits: May not use the identifier to contact a specific person (including through behavioral advertising), to compile a profile on a specific person, or for any other purpose.  This exception cannot be used to collect personal information other than a persistent identifier.
Direct notice to parents: Not required

Reason: Actual knowledge that a person’s information was collected through a child-directed site, but a previous registration indicates the person is 13 or over.  Applies only if:
  • Only a persistent identifier is collected (no other personal information),
  • The person affirmatively interacts with the website or service to trigger the collection, and
  • An age screen of the person has already been conducted indicating that the person is at least 13 years of age
Information: Persistent identifier only
Limits: This exception cannot be used if information other than a persistent identifier is collected
Direct notice to parents: Not required

Contact an experienced FTC COPPA compliance lawyer to discuss the implementation of preventative privacy measures, or if you are the subject of a regulatory investigation or litigation matter.