Is Your Company’s Website, Social Media or Mobile App in Compliance with the New COPPA?
The Children’s Online Privacy Protection Act (COPPA), originally enacted in 1998, regulates how your business collects, discloses and uses online information from children under 13 years old. Recently, the Federal Trade Commission issued new regulations aimed at extending the reach of COPPA and clarifying its requirements. As children are becoming more and more technologically savvy and make up a growing portion of the consumer market, you need to determine whether you are complying with the COPPA, including its new regulations, which are effective as of July 1, 2013.
Is Your Online Service Subject to COPPA?
If you answer affirmatively to any of the following questions, your online service is subject to COPPA:
- Does your online service collect, use, or disclose personal information from children under 13?
- Even if your online service is not directed to children, do you know, or is likely that your online service is collecting, using, or disclosing personal information from children under 13?
Online services include commercial websites, social media sites, mobile apps, plug-ins, internet-enabled gaming platforms, services that allow users to play network-connected games, online advertisements, voice-over-internet protocol services, inter-enabled location-based services, etc.
What is considered personal information?
If your online service requests any of the following information from children, it is collecting personal information:
- First and last name
- A home or other physical address including street name or name of a city or town
- Email address of the child or of the parent
- Telephone number of the child or the parent
- Social security number or other identifying numbers
- A username or user ID that functions as online contact information (added under the new COPPA)
- A photograph, video, audio file, where such file contains a child’s image or voice (added under the new COPPA)
- A persistent identifier that can be used to recognize the child over time and across different websites, social media sites or other online services such as such as cookies, IP addresses and mobile device IDs (added under the new COPPA)
- Geolocation information sufficient to identify street name and name of a town/city (added under the new COPPA)
- Any information concerning a child or the parents of a child that the operator collects online from the child and combines with an identifier above
What are the Penalties?
Civil penalties are up to $16,000 per violation, and the amount can vary depending on several factors such as the number of children involved, the amount and type of personal information collected, the size of the company, etc. In the past, companies have paid up to $1 million to settle their cases.
Apps
If your business has actual knowledge that children under 13 are downloading an app that requires them to provide personal information, it must get verifiable parental consent before the download is complete. Relying on a parent’s online account or app store account is not sufficient. Also, even if your app gives children the option to refrain from providing geolocation information, you still need to get parental consent.
Checklist for COPPA Protection: How Can Your Business Comply with the New COPPA?
- Determine whether your online service falls under COPPA: Even if your online service is not directed to children, it is very likely that you have to comply with COPPA.
- Implement an effective strategy to request parental consent: COPPA requires that you obtain prior parental consent before collecting, using or disclosing personal information of a child under 13. Determine whether your business falls under any exceptions provided under the new COPPA, and if not, implement a strategy to request verifiable parental consent.
- Review your Privacy Policy: The new COPPA requires that your Privacy Policy include specific wording and information, such as the contact information of all operators collecting or maintaining personal information through the site or service. Review and revise your Privacy Policy according to the new COPPA.
- Consider applying for a Safe Harbor Status: Safe Harbor status allows certain businesses and organizations to create a COPPA compliance program that essentially gets "pre-approval" by the FTC. Businesses that are granted Safe Harbor status are not subject to formal FTC investigation and law enforcement and may fall under a different disciplinary procedure.
How Troutman Sanders Can Help
The new COPPA has specific requirements related to the type of information that can be collected from children and the manner in which such information can be collected and used. It also mandates specific requirements for parental consent, verification and notice. Whether you operate an app, plug-in, mixed-audience site or children-directed site, our lawyers can strategize for ways to comply with COPPA.
© TROUTMAN SANDERS LLP. ADVERTISING MATERIAL. These materials are to inform you of developments that may affect your business and are not to be considered legal advice, nor do they create a lawyer-client relationship. Information on previous case results does not guarantee a similar future result.