BizTech Law Blog Banner

BizTech Law Blog

Children's Online Privacy Protection Act: Are You Compliant?
Posted by: and

The Children’s Online Privacy Protection Act (“COPPA”) was enacted in 1998 and was created to address concerns with the online collection of children’s personal information. Recently, the Federal Trade Commission (“FTC”) has announced several large fines for companies not in compliance.

Companies that may collect even non-sensitive information about children, such as IP addresses or basic account-related information should assess whether they are compliant with COPPA.  

When does COPPA apply?

COPPA applies to all companies and persons operating websites, online services, gaming platforms, and mobile applications if the company’s activities are directed to children or it knowingly collects personal information about children under the age of 13. In other words, while a company may market to a general audience, information indicating that it collects personal information from children may make it subject to COPPA. “Personal information” is broadly defined under COPPA and includes many standard pieces of data, IP addresses, personal identification numbers, photographs, video, audio, geolocation, and other common elements. COPPA also extends to third party vendors, including advertising, data collection services and data sharing services. “Collecting,” under COPPA, includes requesting or prompting the submission of personal information from a user, passively tracking a user, or allowing collected information to be publicly available.

What is required for COPPA compliance?

Companies within the scope of COPPA must meet several compliance requirements. The most significant requirements relate to providing notice of the company’s data practices, and obtaining proper consent.

Notice

  • Companies must have a privacy policy that is accurate, easily accessible, clear, and conspicuously labeled on its website.
  • Companies must implement procedures to protect and keep secure all collected data.

Consent

  • Companies must obtain proper, verifiable consent from parents before collecting a child’s information.
  • Once a parent has agreed to allow collection of their child’s data, the company must not collect more than what was agreed to.
  • Companies must allow all parents the right to review all information the website collects on their children and request it be deleted.
  • If the company’s privacy policy changes, the company must obtain renewed consent from parents.
  • Companies cannot condition access to service on the prerequisite of providing additional personal information.

Significant Penalties

Penalties under COPPA can be quite hefty – up to $42,530 per violation. This fine is in addition to all legal fees incurred when an organization is investigated and sanctioned for violations of COPPA. Some of the largest fines to date have occurred within the last several months. In December 2018, Oath (owner of Yahoo and AOL) agreed to pay $5M in a settlement with the FTC. This settlement came after the Attorney General’s office found that AOL had allowed billions of auctions for ad space to occur with the knowledge that some were directed at children under the age of 13. These auctions allowed AOL to collect, use, and disclose personal information of children.

Even more recently, the largest penalty to date was announced in February 2019. Video social networking application, Musical.ly agreed to a $5.7 million agreement for its COPPA violations. Musical.ly’s agreement includes monetary civil penalties, a permanent injunction, orders to delete information, and future compliance and reporting requirements. The FTC commissioners simultaneously announced their intent to hold individuals accountable for these violations, especially when purposeful violations are evident. In addition to more strict commissioners, there has been legislation introduced in 2019 which would expand the scope of COPPA to create a new division within the FTC to oversee marketing to children and minors.

Preventative Measures

There are steps your business can take to comply with the law and protect itself from a large fine. A company that does not want children using the service should:

  1. include a statement in its privacy policy that addresses proper use,
  2. ensure that marketing is not directed at children in any way, and
  3. consider adding an “age gate” to your site that does not collect personal information when a user indicates they are under the age of 13.

A company that targets or knowingly collects information from children, however, should carefully consider the statements it makes in its privacy policy, the state of its data security, and how it collects and manages consent.

To discuss your company’s COPPA compliance posture, please contact Taylor Gast, Amanda Dernovshek or a member of Foster Swift's Technology Law practice group.

Authors

Categories

Recent Posts

Jump to Page

Foster Swift Collins & Smith PC Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek