Small businesses beware: If you run a website, an online service or a mobile app that collects information from children under the age of 13, you could be liable for hefty fines if you don’t comply with the Children’s Online Protection Privacy Act (COPPA).
What is COPPA?
Personal information can include things as simple as names and addresses or even more complex identifiers such as geolocation identifiers, pictures or audio files, where such files contain the child’s voice.
COPPA is the main reason why Facebook and many other popular Websites do not allow users under the age of 13.
Even seasoned website operators have found themselves on the wrong side of the law and were held liable by the Federal Trade Commission.
For example, online reviewing site Yelp agreed to pay a civil penalty of $450,000 in 2014, while mobile game developer TinyCo paid a $300,000-fine. A court could fine a violating operator as much as $40,654 per violation, according to the FTC.
It also restricts marketing to children under the age of 13.
According to the FTC website, “The primary goal of COPPA is to place parents in control over what information is collected from their young children online. The Rule was designed to protect children under age 13 while accounting for the dynamic nature of the Internet.
The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.”
Under new guidelines adopted by the FTC in 2013, the law also applies to third parties of “child directed sites” — such as plug-ins and advertising networks — that collect personal information from visitors.
Under the amended rules “personal information” includes the following:
- First and last name
- A home or other physical address including street name and name of a city or town
- Online contact information
- A screen or user name that functions as online contact information;
- A telephone number
- A Social Security number
- A persistent identifier that can be used to recognize a user over time and across different websites or online services
- A photograph, video, or audio file, where such file contains a child’s image or voice
- Geo-location information sufficient to identify street name and name of a city or town
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above
How do you know if you need to comply with this law or what steps you need to take?
The Children’s Privacy Section of the FTC’s Business Center is loaded with information on the subject.
One option would be to consult with a COPPA Safe Harbor Program, which allows industry groups or others to submit for FTC approval self-regulatory guidelines or to consult an attorney.
The FTC has also recommended a “Six-Step Compliance Plan” for any business:
Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13
COPPA doesn’t apply to everyone operating a website or other online service. COPPA applies to operators of websites and online services that collect personal information from kids under 13.
You must comply with COPPA if one of the following is true:
- Your website or online service is directed to children under 13 and you collect personal information from them.
- Your website or online service is directed to children under 13 and you let others collect personal information from them.
- Your website or online service is directed to a general audience, but you have actual knowledge that you collect personal information from children under 13.
- Your company runs an ad network or plug-in, for example, and has actual knowledge that you collect personal information from users of a website or service directed to children under 13.
It must clearly and comprehensively describe how personal information collected online from kids under 13 is handled. The notice must describe not only your practices, but also the practices of any others collecting personal information on your site or service — for example, plug-ins or ad networks.
It must also include a list of all operators collecting personal information, a description of the personal information and how it’s used, and a description of parental rights.
Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids
The notice should be clear and easy to read. Don’t include any unrelated or confusing information. The notice must tell parents:
- That you collected their online contact information for the purpose of getting their consent
- That you want to collect personal information from their child
- That their consent is required for the collection, use, and disclosure of the information
- The specific personal information you want to collect and how it might be disclosed to others
- How the parent can give their consent
- That if the parent doesn’t consent within a reasonable time, you’ll delete the parent’s online contact information from your records
Step 4: Get Parents’ Verifiable Consent Before Collecting Information from Their Kids
Acceptable methods include having the parent:
- Sign a consent form and send it back to you via fax, mail, or electronic scan
- Use a credit card, debit card, or other online payment system that provides notification of each separate transaction to the account holder
- Call a toll-free number staffed by trained personnel
- Connect to trained personnel via a video conference
- Provide a copy of a form of government issued ID that you check against a database, as long as you delete the identification from your records when you finish the verification process
Step 5: Honor Parents’ Ongoing Rights with Respect to Information Collected from Their Kids
If a parent asks, you must:
- Give them a way to review the personal information collected from their child
- Give them a way to revoke their consent and refuse the further use or collection of personal information from their child
- Delete their child’s personal information.