Children's Online Privacy Protection Act: What to Know and How to Comply
The Children's Online Privacy Protection Act (COPPA) puts parents in control of the collection of their child's personal information online. It is designed to protect children under the age of 13 through concrete regulations for operators of websites and online services.
Who Does COPPA Apply to?
COPPA applies to operators of websites or online services (including mobile apps) that obtain personal information from children under 13. Your family business must comply with COPPA if any of the following apply to you:
- Your website or online service is directed to children under 13, and you collect personal information from them.
- Your website or online service is directed to children under 13, and you let third parties collect personal information from them.
- Your website or online service is directed to a general audience, but you have actual knowledge that you collect personal information from children under 13.
- Your company runs an ad network or plugin, and you have actual knowledge that you collect personal information from users under 13.
The Federal Trade Commission, which enforces COPPA, looks at various factors to determine if a website or service is directed to children under 13. These factors include, but are not limited to, the subject matter of the site or service, visual and audio content, the use of animated characters, and ads on the site or service that are directed to children.
Personal information includes:
- First and last name;
- Home or other physical address;
- Online contact information;
- Screen or username;
- Telephone number;
- Social Security number;
- Photograph, video, or audio file including the child's image or voice; and
- Other forms of identifiers.
How to Comply With COPPA
If your family business is covered by COPPA, you must take six key steps.
1. Post a Privacy Policy
Your business's privacy policy must comply with COPPA. The privacy policy must explain how the personal information collected from children under 13 will be used and must include a list of operators who collect personal information from children on your website or online service.
You are also required to provide a description of parental rights, such as the right to review their child's personal information or direct you to delete it. This information can be included in your business's existing privacy policy—many businesses choose to make "Children's Information" its own section or paragraph.
2. Inform Parents Before Collecting Personal Information From Their Child
A direct notice of your information practices must be provided to the parents before collecting any information from their child. The notice must inform the parents that you obtained their online contact information to get their consent to collect, use, and disclose the personal information of their child.
Your notice must have a link to your online privacy policy, and it should explain how the parents can give their consent. Lastly, it is essential to let the parents know that you will delete their online contact information from your record if the parents do not consent within a reasonable time.
3. Obtain Consent From Parents
You must obtain verifiable consent from the parents before collecting their child's personal information. Consent can be obtained by any method "reasonably designed" to "ensure that the person giving the consent is the child's parent."
A simple checkbox or button press is not sufficient. Some methods approved by the FTC include signing a consent form returned by fax, mail, or electronic scan; answering a series of knowledge-based questions; using a credit card or other online payment system that provides notification of each separate transaction; calling a toll-free number; or connecting to trained personnel through a video conference.
Regardless of the method you choose, parents must be given the option of allowing the collection and use of their child's personal information without consenting to disclose that information to other parties. Limited exceptions exist to COPPA's verifiable parental consent requirement, such as collecting a child's and parent's name to get parental consent and getting their contact information to protect a child's safety.
4. Set Up Procedures to Protect the Collected Information
Your business should have procedures to maintain the confidentiality, security, and integrity of the personal information collected from children. Under COPPA, you are required to reasonably ensure that you do not release personal information to third parties incapable of maintaining security and confidentiality.
It is always important to only collect information that is necessary for the operation of your family business.
5. Only Keep Personal Information If It Is Necessary
Securely dispose of all personal information of children under 13 once you do not need it for any legitimate purpose. You must also give parents access to their child's personal information so they can review it and/or have it deleted.
Methods for parents to request access and deletion of their child's personal information should be described in your privacy policy.
6. Avoid Requiring a Child to Provide Unnecessary Information to Participate in an Online Activity
Operators covered by COPPA cannot request children to provide more information than is reasonably needed to participate in an activity.
What Are the Penalties for Non-Compliance With COPPA?
Operators who violate COPPA can face civil penalties of up to $46,517 per violation. The FTC has previously issued millions of dollars in fines in its settlement agreements with businesses that did not comply with COPPA.
As the penalties for non-compliance are severe and the requirements under the rule are complex, it is important to consult qualified legal counsel about the specifics of your website or online service before collecting information from children under 13.