Before the Internet came into full swing, parents were mostly concerned with what channels their kids were watching on T.V., what books they were reading and what the ratings were on the games they were playing. Now, thanks to the Internet, parents have an entire world wide web to be concerned with. To aid in this task, COPPA laws were introduced to protect the Internet’s younger users from sexual predators and unethical marketers online.
What is COPPA Law?
COPPA stands for the Children’s Online Privacy Protection Act. It was passed by the U.S. Congress in 1998 to protect the privacy of children under the age of 13. COPPA requires parental consent before children can make online purchases as well as before ISPs can collect children’s personal information. In 2013, COPPA was revised so that it also applies to app developers and ad network entrepreneurs instead of just website operators.
Who does COPPA apply to?
COPPA Law applies to operators of commercial websites, online services, and mobile apps directed to children under 13 that collect, use or disclose personal information from children. Obvious examples of those who must comply with COPPA are educational websites like pbs.com and nickjr.com, but what some may not be aware of is that COPPA also applies to general websites.
Below is a full list of the types of platforms that COPPA applies to:
- Commercial websites or apps directed at children under 13 that collect personal information. This now includes YouTube videos too. So if you are marketing videos or other online content to children on social media, you should review the COPPA requirements carefully.
- Commercial websites or apps directed at children under 13 that allow third parties to collect personal data.
- Commercial websites directed to a general audience that have actual knowledge that children under 13 are using the platform.
- An ad network or plugin that has actual knowledge of collecting personal information from users of websites “directed to children under 13”, including the following:
  - Mobile apps
  - Internet-enabled gaming platforms
  - Ad networks
  - Geo-location services
  - VoIP services
What does the FTC mean by websites “directed to children under 13”?
The FTC doesn’t get very specific with their vague “directed to children” provision, but they did outline what factors are considered when examining a COPPA-related case:
- Subject matter
- Visual and audio content
- Use of animated characters
- Use of child-oriented activities and incentives
- Age of models
- Presence of child celebrities or celebrities/public figures who appeal to kids
- Ad services directed towards children
- “And other reliable evidence about the age of the actual intended audience”
How does a website, app or service comply with COPPA?
If you’re a website, app, or online service provider that is used by children under 13, you must do the following:
- Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
- Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
- Provide parents access to their child's personal information to review and/or have the information deleted;
- Give parents the opportunity to prevent further use or online collection of a child's personal information;
- Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
- Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
What is considered personal information?
- First and last name;
- A home or other physical address including street name and name of a city or town;
- Online contact information;
- A screen or username that functions as online contact information;
- A telephone number;
- A social security number;
- A persistent identifier that can be used to recognize a user over time and across different websites or online services;
- A photograph, video, or audio file, where such file contains a child’s image or voice;
- Geolocation information sufficient to identify street name and name of a city or town; or
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.
What is considered “collection” under COPPA rules?
Another vague factor within COPPA law is the concept of “collection”. Under the law, the following acts constitute collection:
- “Requesting, prompting or encouraging” information submission — even if optional;
- Public information (forum or open chat) unless all personal and identifying fragments are completely stripped before the message goes public; and
- “Passively track a child online.”
Remember: If you have a third party that collects personal information through a plugin on your website, you’re responsible for complying with COPPA, even if you don’t personally collect the information.
What is verifiable parental consent?
COPPA laws require that websites give parents/guardians “direct notice” before collecting personal data from kids, and it must be a straightforward communication. This can be done through:
- A consent form that is faxed back, mailed back or electronically scanned back
- The use of an account card (debit, credit card) that provides notification of each separate transaction to the account holder (i.e. the parent)
- A video conference or toll-free phone call between the parent and “trained personnel”
- A knowledge-based challenge question that would be hard for someone other than a parent to answer
What does COPPA say about privacy policies?
What happens to websites that violate COPPA?
COPPA has very specific requirements that certain websites must meet, and it is important that these websites do not violate the act. If the FTC finds that a website or app is not in compliance with COPPA, there will be major consequences. COPPA violations are treated as an unfair and deceptive trade practice and are subject to hefty civil fines. Don’t believe us? Just ask YouTube and TikTok...
COPPA Case Law
COPPA Law vs. YouTube:
In September 2019, Google (which owns YouTube) paid the FTC $170 million in fines because the FTC found that the platform was in violation of COPPA by selling ads targeted to children. Now, YouTube requires that all creators inform the platform if their content is made for kids. It also now uses machine learning to help identify videos that target audiences under 13. The type of content it will be looking for includes videos that show children, children’s characters, animated characters, and popular children’s songs.
COPPA Law and TikTok
YouTube wasn’t the only platform found to be in violation of COPPA in 2019. TikTok, a social media app popular among younger audiences, received a $5.7 million COPPA law fine. The FTC found that TikTok was collecting personal data from children under the age of 13 without parental consent or appropriate levels of security for the data.