Small businesses beware: If you run a website, an online service or a mobile app that collects information from children under the age of 13, you could be liable for hefty fines if you don’t comply with the Children’s Online Privacy Protection Act (COPPA).
What is COPPA?
Personal information can include things as simple as names and addresses or even more complex identifiers such as geolocation identifiers, pictures or audio files, where such files contain the child’s voice.
COPPA is the main reason why Facebook and many other popular websites do not allow users under the age of 13.
Even seasoned website operators have found themselves on the wrong side of the law and been held liable by the Federal Trade Commission.
For example, online reviewing site Yelp agreed to pay a civil penalty of $450,000 in 2014, while mobile game developer TinyCo paid a $300,000 fine. A court could fine a violating operator as much as $40,654 per violation, according to the FTC.
It also restricts marketing to children under the age of 13.
According to the FTC website, “The primary goal of COPPA is to place parents in control over what information is collected from their young children online. The Rule was designed to protect children under age 13 while accounting for the dynamic nature of the Internet.
The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.”
Under new guidelines adopted by the FTC in 2013, the law also applies to third parties of “child directed sites” — such as plug-ins and advertising networks — that collect personal information from visitors.
Under the amended rules “personal information” includes the following:
- First and last name
- A home or other physical address including street name and name of a city or town
- Online contact information
- A screen or user name that functions as online contact information
- A telephone number
- A Social Security number
- A persistent identifier that can be used to recognize a user over time and across different websites or online services
- A photograph, video, or audio file, where such file contains a child’s image or voice
- Geo-location information sufficient to identify street name and name of a city or town
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above
How do you know if you need to comply with this law or what steps you need to take?
The Children’s Privacy Section of the FTC’s Business Center is loaded with information on the subject.
One option is to consult a COPPA Safe Harbor Program, under which industry groups or others can submit self-regulatory guidelines for FTC approval. Another is to consult an attorney.
|Overview||COPPA (Children's Online Privacy Protection Act) is a legal framework that prohibits website operators from collecting personal information from children under 13 without explicit parental consent.|
|Scope of Personal Information||Personal information covered by COPPA includes basic details like names and addresses, as well as more complex identifiers such as geolocation data, pictures, or audio files containing a child's voice.|
|Impact on Popular Websites||COPPA is the primary reason why popular websites like Facebook restrict access to users under the age of 13. Violation of COPPA can lead to significant fines and legal consequences, as seen with cases like Yelp's $450,000 penalty and TinyCo's $300,000 fine.|
|Enactment and Key Provisions||Enacted by Congress in 1998, COPPA outlines specific requirements for website operators, including the content of privacy policies, the process of seeking parental consent, and measures to protect children's online privacy and safety.|
|Marketing Restrictions||COPPA imposes restrictions on marketing to children under the age of 13, emphasizing parental control over the collection of their children's online information.|
|Primary Goal of COPPA||According to the FTC, the primary goal of COPPA is to empower parents, giving them control over the information collected from their children online. It acknowledges the dynamic nature of the internet and aims to protect children under age 13.|
|Applicability||COPPA applies to operators of commercial websites, online services (including mobile apps) targeting children under 13, which collect, use, or disclose personal information from children. It also extends to operators with knowledge of collecting data from children under 13.|
|Inclusion of Third Parties||Under revised guidelines adopted in 2013, COPPA covers third parties, such as plug-ins and advertising networks, associated with "child-directed sites" that collect personal information from site visitors.|
|Definition of Personal Information||"Personal information" under COPPA includes first and last names, home or physical addresses, online contact details, screen or user names functioning as online contact info, telephone numbers, Social Security numbers, persistent identifiers, photographs, videos, or audio files with a child's image or voice, geo-location data sufficient to identify location details, and information about the child or the child's parents collected online and combined with an identifier mentioned above.|
|Compliance Assistance||Businesses seeking COPPA compliance can refer to the Children’s Privacy Section of the FTC's Business Center, consult with COPPA Safe Harbor Programs, or seek legal advice to navigate this complex regulatory landscape.|
The FTC has also recommended a “Six-Step Compliance Plan” for any business:
Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13
COPPA doesn’t apply to everyone operating a website or other online service. COPPA applies to operators of websites and online services that collect personal information from kids under 13.
You must comply with COPPA if one of the following is true:
- Your website or online service is directed to children under 13 and you collect personal information from them.
- Your website or online service is directed to children under 13 and you let others collect personal information from them.
- Your website or online service is directed to a general audience, but you have actual knowledge that you collect personal information from children under 13.
- Your company runs an ad network or plug-in, for example, and has actual knowledge that you collect personal information from users of a website or service directed to children under 13.
It must clearly and comprehensively describe how personal information collected online from kids under 13 is handled. The notice must describe not only your practices, but also the practices of any others collecting personal information on your site or service — for example, plug-ins or ad networks.
It must also include a list of all operators collecting personal information, a description of the personal information and how it’s used, and a description of parental rights.
Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids
The notice should be clear and easy to read. Don’t include any unrelated or confusing information. The notice must tell parents:
- That you collected their online contact information for the purpose of getting their consent
- That you want to collect personal information from their child
- That their consent is required for the collection, use, and disclosure of the information
- The specific personal information you want to collect and how it might be disclosed to others
- How the parent can give their consent
- That if the parent doesn’t consent within a reasonable time, you’ll delete the parent’s online contact information from your records
Step 4: Get Parents’ Verifiable Consent Before Collecting Information from Their Kids
Acceptable methods include having the parent:
- Sign a consent form and send it back to you via fax, mail, or electronic scan
- Use a credit card, debit card, or other online payment system that provides notification of each separate transaction to the account holder
- Call a toll-free number staffed by trained personnel
- Connect to trained personnel via a video conference
- Provide a copy of a form of government issued ID that you check against a database, as long as you delete the identification from your records when you finish the verification process
Step 5: Honor Parents’ Ongoing Rights with Respect to Information Collected from Their Kids
If a parent asks, you must:
- Give them a way to review the personal information collected from their child
- Give them a way to revoke their consent and refuse the further use or collection of personal information from their child
- Delete their child’s personal information
Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information
|Step 1: Determine Applicability||Determine if your company operates a website or online service that collects personal information from children under 13. Compliance with COPPA is required in specific scenarios, including sites directly aimed at children under 13 and sites with actual knowledge of collecting data from such children.|
|Step 4: Secure Verifiable Parental Consent||Obtain verifiable consent from parents before collecting personal information from their children. Acceptable methods for obtaining this consent include having parents sign a consent form and return it via fax, mail, or electronic scan, using a credit card, debit card, or another online payment system that provides transaction notifications to the account holder, establishing a toll-free number staffed by trained personnel, connecting parents to trained personnel via video conference, or requesting a copy of a government-issued ID for verification purposes (ensuring subsequent deletion of identification details).|
|Step 5: Honor Ongoing Parental Rights||Recognize and respect parents' ongoing rights regarding the information collected from their children. Provide a means for parents to review the personal data collected from their child, allow them to revoke consent and decline further collection or use of their child's information, and facilitate the deletion of their child's personal data as requested.|
|Step 6: Implement Data Security Measures||Implement and maintain reasonable procedures to safeguard the security of personal information belonging to children. Protect this data from unauthorized access, disclosure, or misuse. Implement security practices to ensure the confidentiality and integrity of the information, taking into consideration the sensitive nature of data collected from children under 13.|
Ensuring COPPA Compliance for Small Businesses
In an increasingly digital age, where the online landscape is evolving rapidly, it is imperative for small businesses to be aware of and adhere to regulations that safeguard user privacy, especially when children are involved. The Children’s Online Privacy Protection Act (COPPA) stands as a crucial pillar in this realm, aiming to protect the personal information of children under the age of 13. Ignoring COPPA compliance can lead to hefty fines and reputational damage. In this comprehensive conclusion, we’ll summarize the key takeaways from our exploration of COPPA and its implications for small businesses.
COPPA: Protecting Children’s Online Privacy
COPPA, enacted by Congress in 1998, is a vital piece of legislation designed to protect the online privacy of children under 13. Its primary goal is to empower parents, putting them in control of the information collected from their young children online. This law is not to be underestimated, as non-compliance can lead to severe financial penalties, with fines per violation potentially reaching substantial amounts. Even well-established companies, such as Yelp and TinyCo, have found themselves on the wrong side of the law, facing significant fines.
The Expansive Reach of COPPA
Understanding the scope of COPPA is essential. It applies to operators of commercial websites, online services, and mobile apps that collect, use, or disclose personal information from children under 13. Moreover, COPPA’s influence extends to third parties, such as plug-ins and advertising networks, that collect personal information from visitors of “child-directed sites.” The definition of “personal information” within COPPA is broad, encompassing various identifiers and data types.
Steps to Achieve COPPA Compliance
Education and Resources
Small businesses must take advantage of available educational resources and guidelines provided by the FTC. The Children’s Privacy Section of the FTC’s Business Center is a valuable source of information, offering insights into COPPA’s requirements and compliance strategies. Additionally, seeking advice from a COPPA Safe Harbor Program or consulting with legal experts can ensure accurate and effective compliance.
In conclusion, small businesses venturing into the digital realm must navigate the complex landscape of COPPA compliance. Protecting the privacy of children under 13 is not only a legal obligation but also an ethical responsibility. Failure to adhere to COPPA can result in substantial fines, legal consequences, and reputational damage. By following the FTC’s guidelines, staying informed, and seeking professional advice when needed, businesses can ensure they are on the right side of the law.
Moreover, COPPA compliance should not be viewed solely as a legal requirement but as a commitment to online safety and trust-building with customers and parents. Small businesses can differentiate themselves by proactively addressing COPPA compliance, assuring parents that their children’s online experiences are secure and privacy-respecting. In an age where data privacy is paramount, COPPA serves as a reminder that the protection of the most vulnerable online users is a shared responsibility among businesses, regulators, and parents.