What is COPPA?
The Children’s Online Privacy Protection Act (COPPA) was enacted by Congress in 1998 and required the Federal Trade Commission (“FTC”) to issue and enforce regulations to protect children’s online privacy. The FTC’s original COPPA Rule became effective on April 21, 2000, but was later amended and the amended COPPA Rule took effect on July 1, 2013.
COPPA aims to protect children under 13 years of age from the dangers of the internet. It requires owners of websites and online services directed towards children under 13 years of age to provide parents and guardians with notice about data collection practices and to obtain their verifiable consent before collecting personal information from minors. COPPA also applies to all other websites or online services that knowingly collect, use, or disclose personal information from children under 13, and to websites or online services that knowingly collect personal information directly from users of another website or online service directed to children. COPPA prohibits online services from targeting advertisements to underage users or using personal information for any purpose not related to the service for which it was collected. If you own a business or website, it is important to understand what you need to do to comply with these regulations.
What personal information does COPPA protect?
Under COPPA, “personal information” includes but is not limited to any data that can be used to identify a child online, such as first and last name, home or other physical address, phone number, email address, social security number, screen or user name, or a video or audio file containing the child’s image or voice. Additionally, COPPA applies not only to data collected directly from a child but also to data collected indirectly through other means like cookies or tracking software. Companies must also be aware of any third-party services they use that might collect data on their sites or apps, as the COPPA regulations may apply to them as well.
What do I need to do to comply with COPPA?
There are several steps businesses need to take in order to comply with the COPPA regulations. If COPPA applies to your business, the FTC states that you must:
- Post a clear and comprehensive online privacy notice describing your information practices for personal information collected online from children under 13;
- Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children. There are several different methods for obtaining such consent before collecting any personal information, including collecting signed forms, requiring parents/guardians to call an 800 number, or using an email address verification system;
- Give parents the choice of consenting to your collection and internal use of a child’s information, but prohibiting you from disclosing that information to third parties (unless disclosure is integral to your website or online service, in which case, this must be made clear to parents);
- Provide parents access to their child’s personal information to review and/or have the information deleted;
- Give parents the opportunity to prevent further use or online collection of a child’s personal information;
- Maintain the confidentiality, security, and integrity of the information you collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security;
- Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use; and
- Not condition a child’s participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity.
What are the penalties for businesses that do not comply with COPPA?
If a website or online service fails to comply with COPPA, it can face significant penalties. Businesses that violate COPPA can be liable for civil penalties of up to $50,120 per violation. This can add up quickly if multiple violations have occurred over time or if a business has knowingly collected personal information without verifiable consent from a parent or guardian. Companies may also face enforcement action from state attorneys general and/or other federal agencies that are responsible for enforcing COPPA compliance for the specific industries they regulate, such as the Office of the Comptroller of the Currency and the Department of Transportation. By closely reviewing your data collection processes and making sure you follow all of the guidelines set forth in COPPA, you can ensure your business remains compliant with this important law while protecting both minors’ privacy rights and your bottom line at the same time!
Final Words
It is important for businesses and websites directed towards children under 13 years of age to be aware of their obligations under the COPPA Rule and to take all steps necessary to comply with it. By closely reviewing your data collection processes and making sure you follow all of the guidelines set forth in COPPA, your business can ensure it is protecting the privacy of your young customers while still providing them with a safe online experience. Taking the time now will save time, money, and hassle down the line if/when it comes time for audits or investigations into compliance violations by government agencies such as the FTC. For additional information on complying with the COPPA Rule, please visit here.
Jenya Beylin is a Senior Attorney at Meyer Law, one of the fastest growing law firms in the United States. Jenya helps companies with domestic and international privacy, data protection and compliance matters. Jenya is a blog contributor at Meyer Law and is a member of the International Association of Privacy Professionals (IAPP).