Do you collect information from children under the age of 14? If you answered yes, then the next question you need to ask yourself is: “Am I compliant with the Children’s Online Privacy Protection Act?”
Whether you’re unsure if the act applies to you, or don’t know the necessary steps to take in order to comply, our informational guide will take you through every nook and cranny to help you protect your business.
Table of Contents
- What is the Children’s Online Privacy Protection Act?
- Does COPPA apply to my business?
- How can I comply with COPPA?
- COPPA Enforcement: What happens if I don’t comply?
- Additional Resources
1. What is the Children’s Online Privacy Protection Act?
Passed in 1998, the Children’s Online Privacy Protection Act (COPPA) is a law that establishes a strict set of regulations created to protect the privacy of children under the age of 13. The act’s regulations are used to ensure that websites, mobile applications, plugins, and toys with online features that target children 13 and younger follow the proper steps to protect their information.
Before we go any further, there are some terms that a person must know in order to understand how the Federal Trade Commission enforces these regulations. These terms include:
“Operator”: The Federal Trade Commission considers any online entity that owns or controls personal information or pays for the collection or maintenance of this information to be an “operator.”
“Actual Knowledge”: A part of the FTC’s enforcement process is determining if an operator has “actual knowledge,” which simply means that the operator is aware that their business is targeting and collecting information from minors. If the FTC discovers that an operator has “actual knowledge” of these actions, but does not comply with COPPA, the FTC considers this a blatant disregard of the law and a judge will likely bring down steeper penalties.
“Personal Information”: It is also important for operators to understand what is encompassed by the definition of “personal information.” The FTC considers the following to be personal information:
- email addresses
- first and last names
- screen names
- instant message details
- physical addresses
- telephone numbers
- audio files
The definition of personal information also extends to “persistent” or “anonymous” identifiers, which are various details that can be used to identify a person over time, such as IP addresses, a customer number collected from a cookie, or a device serial number.
“Collecting”: According to the act, “Collecting” entails allowing information to be made available to the public, encouraging the submission of personal information, or tracking a child passively online in any manner.
2. Does COPPA apply to my business?
Before discussing how to comply with COPPA, most business owners want to know if the law even applies to them. Most people wrongly assume that the law only applies to websites, but the act can also apply to:
- mobile apps
- gaming platforms
- ad networks
- geolocation services
- VOIP Services
- toys or devices that connect to the internet
If your online business is located outside of the United States, but you still market to American consumers, the FTC could still come after you like they did with China’s app maker, BabyBus.
As you can see, COPPA applies to the vast majority of online services. If your business falls into any of the categories above, the next step you need to take is to assess whether you fall under the FTC’s definition of “targeting children.” The FTC considers a variety of factors in order to decide if a business targets children under the age of 13, including:
- whether the business’s subject matter appeals to that age group
- whether the business offers visual and audio content aimed at young children
- the use of cartoon or animated characters
- the age of models used in advertisements
- the use of child celebrities or celebrities that are favored by children
Basically, if your online business covers any subject matter that could appeal to children 13 and under or your service is used by sites that do, then you’ll need to make sure you are compliant with all regulations.
3. How can I comply with COPPA?
- names, addresses, and phone numbers of the site operators
- type of information collected
- how information is collected from users
- how the site operators use the collected information
- if the operators disclose collected information to third parties and how those parties use the information
- description of how the parent has the option to consent to the collection of their children’s information from the site without agreeing to the disclosure of that info to third parties
- explanation of parental rights, including the rights to avoid disclosure of more information about children under the age of 13 than is necessary, refuse to provide information about a child, and review information that has been submitted to the operator about the child in question.
Step #2. Send a Notice to Parents
Before collecting info from children, COPPA also requires that you send a direct notice to parents requesting their consent first. Site operators must inform parents of the following:
- that their children’s information was collected in order to get parental consent that their contact information will be deleted within a reasonable amount of time if they do not consent
- that you wish to collect information from their child
- the type of information you will collect from their children and how it will be used
- that they must consent before your business can collect, use, and disclose their children’s information
- how they can give their consent
This notice should be sent any time you plan to change how or what information you collect.
Step #3. Get Parental Consent
COPPA allows for some flexibility when it comes to getting consent from parents. Below are the acceptable methods for obtaining consent from parents and authenticating their identity:
- a signed consent form
- at the time of a monetary transaction, require the parent to use a credit or debit card
- over the phone
- video conference
- challenge questions that would be difficult for someone other than the parent to get correct
- collect photo ID
If the information you collect is only for your business’s internal use, then you may use the “email plus” method whereby you email the parent asking for them to respond with their consent and confirm you have received their consent.
The FTC offers a 6-Step Compliance Plan and does a great job of walking you through the entire process.
4. COPPA Enforcement: What happens if I don’t comply?
With the number of sites on the Internet, enforcing COPPA can be a nightmare. That’s why the Federal Trade Commission uses a wide variety of techniques to help them find violations. For instance, the FTC encourages people to submit a complaint for a site that they think is violating the guidelines.
States and other federal agencies also have jurisdiction to enforce the law. For example, in 2016, New York’s Attorney General found that Viacom, Mattel, JumpStart, and Hasbro were all in violation of COPPA because an advertising partner they worked with used cookies to track personal information of their users.
In the past, the maximum penalty per violation was $16,000, but since 2016 the maximum penalty has been increased to $40,654 per violation. This means that if a business collected personal information from only 10 kids, it could be fined up to $4,065,400! Generally, the amount a business is penalized largely depends on how flagrant the violation is and how much the company gained from the personal information.
As you can see in the chart below, companies are rarely penalized for the maximum amount:
Although the companies in the table were only charged an average of $2.28 per violation, the fines listed above should not be brushed off. While $1 million might not be much to a large company like Xanga, it could easily cripple a small-to-medium online business.
Are there any exceptions?
There are several scenarios when you do not need to obtain parental consent before collecting personal information from visitors under the age of 13:
- collect information to seek parental consent
- “one-time contact” (contests, giveaways, questions)
- protect a child’s safety (child irresponsibly sharing their information publicly)
- to protect the security or integrity of your site
- support the internal operations of your site
Do you collect information from EU citizens? Even if you aren’t based in the EU, if you collect personal info from Europeans, then you’ll also need to make sure that your online business is compliant with the new General Data Protection Regulation (GDPR).
5. Additional Resources
If you’re looking for more information on COPPA, then check out the links below:
- Complaint Assistant: The Federal Trade Commission’s Complaint Assistance is an online submissions manager that consumers can use to submit a potential violation.
- Frequently Asked Questions: In 2013, the Federal Trade Commission released a list of frequently asked questions regarding COPPA and its application. This FAQ is designed to help parties comply with the law.
- Text of COPPA: The various regulations included in COPPA can be found in 15 United States Code, Chapter 91. This section includes several elements including definitions, exceptions to the act, the power of states to commence actions, the administration and applicability of the act, and government reviews.