A Beginners Guide to Complying with COPPA

By: Ashli Lyric Jones

As technology is advancing, children have the ability to access most websites, apps, and other technology with the click of a button. This access has given companies the ability to market directly towards children. Companies such as Youtube, TikTok, and Apple have been successful at appealing to children and adults of all ages. But with great success comes great responsibility and restrictions. And this responsibility needs to be taken seriously. Note that Google and Youtube violated COPPA and had to pay $170M.

When it comes to the collection of personal information from children under 13, the Children’s Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission (FTC) enforces COPPA, which spells out what operators of websites and online services must do to protect children’s privacy and safety online. The following list should serve as a guide for businesses that must comply with the COPPA.

step 1: Determine if coppa applies to your business

Does your website or online service collect personal information from kids under 13? If so, it is likely that COPPA applies to you. To be more specific, you must comply with COPPA if you meet any of the following criteria:

  1. Your website or online service is directed to children under 13 and you collect personal information from them.
  2. Your website or online service is directed to children under 13 and you let others collect personal information from them.
  3. Your website or online service is directed to a general audience, but you have actual knowledge that you collect personal information from children under 13.
  4. Your company runs an ad network or plug-in, for example, and you have actual knowledge that you collect personal information from users of a website or service directed to children under 13.

The term “website” is defined broadly under COPPA. In addition to traditional websites, this Rule applies to:

  • mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads)
  • internet-enabled gaming platforms
  • plug-ins
  • advertising networks
  • internet-enabled location-based services
  • voice-over-internet protocol services
  • connected toys or other Internet of Things devices

step 2: post a privacy policy that complies with coppa

Once you have determined that COPPA applies to your business, the next step is to post a privacy policy that is clear and comprehensive. This notice must describe how personal information is being collected online from kids under 13 and how it is being used.  The notice must also describe the practices of any other services collecting personal information on your site — for example, plug-ins or ad networks.

A link to your privacy policy should be included on your homepage and anywhere you collect personal information from children.  Additionally, if you operate a site or service directed to a general audience, but have a separate section for kids, you must post a link to your privacy policy on the homepage of the kids’ part of your site or service.

step 3: notify parents directly about your data collection practices

Under COPPA, you are required to give parents “direct notice” of your information practices before collecting information from their kids. The notice must tell parents:

  • that you collected their online contact information for the purpose of getting their consent;
  • that you want to collect personal information from their child;
  • that their consent is required for the collection, use, and disclosure of the information;
  • the specific personal information you want to collect and how it might be disclosed to others;
  • a link to your online privacy policy;
  • how the parent can give their consent; and
  • that if the parent doesn’t consent within a reasonable time, you’ll delete the parent’s online contact information from your records.

Additionally, if you make a material change to the practices parents previously agreed to, you have to send an updated direct notice.

step 4: obtain parents’ verifiable consent

COPPA gives you the authority to choose a reasonable method to obtain parents’ verifiable parental consent before collecting, using, or disclosing personal information from children. Parents must have the option of allowing the collection and use of their child’s personal information without agreeing to disclose that information to third parties.

If you make any changes to your practice of collection, use, or disclosure of personal information from kids you must send the parent a new notice and get their consent. Parents may revoke their consent at any time.

step 5: protect the security of kids’ personal information

When collecting any data, it is important to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. If you minimize what information you collect from children, it will be easier to protect kids’ personal information.

conclusion

The FTC looks at a variety of factors to see if a site or service is directed to children under 13 such as the subject matter of the site or service, the use of animated characters or other child-oriented activities and incentives, the use of visual and audio content, the age of models, ads on the site or service that are directed to children, and the presence of child celebrities or celebrities who appeal to kids.

It is important to determine if COPPA applies to your business. If COPPA applies to your business, you must establish and publish a privacy policy. Next, you must notify parents directly about your data collection practices and obtain verifiable parental consent. Lastly, it is important to protect the security of kids’ personal information.

When COPPA was first drafted there was no Youtube, no Facebook, no TikTok, and no iPhone. With the advancements in technology occurring at a rapid pace, it is important to make sure you stay up to date with all of the changes regarding COPPA. You don’t want to be the next business to get fined.


This post was originally authored on March 18, 2020, and can be found here. Ashli Jones, at the time of this post, is a rising third-year law student at Penn State Dickinson Law. She is from Long Island, New York and is a graduate of Spelman College in Atlanta, Georgia. Ashli is pursuing a certificate in Entrepreneurship with an Intellectual Property and Technology concentration. She is interested in intellectual property within the entertainment law field. Ashli is the President of the Sports & Entertainment Law Society, Mentorship Chair for the Women’s Law Caucus, and Social Chair for the Black Law Students Association.

 

Sources:

https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance#step1

https://www.washingtonpost.com/

https://www.ftc.gov/news-events/blogs/business-blog/2019/11/youtube-channel-owners-your-content-directed-children

Photo Source: https://termly.io/resources/articles/coppa/

 

Author: Prof Prince

Professor Samantha Prince is an Associate Professor of Lawyering Skills and Entrepreneurship at Penn State Dickinson Law. She has a Master of Laws in Taxation from Georgetown University Law Center, and was a partner in a regional law firm where she handled transactional matters that ranged from an initial public offering to regular representation of a publicly-traded company. Most of her clients were small to medium sized businesses and entrepreneurs, including start-ups. An expert in entrepreneurship law, she established the Penn State Dickinson Law entrepreneurship program, is an advisor for the Entrepreneurship Law Certificate that is available to students, and is the founder and moderator of the Inside Entrepreneurship Law blog.

One thought on “A Beginners Guide to Complying with COPPA”

  1. Your amazing insightful information entails much to me and especially to my peers. Thanks a ton; from all of us.

Comments are closed.