Last week we discussed smart toys, and we mentioned “COPPA” in that article. As such, some of you may be asking what is COPPA?” In short, COPPA is a federal law specifically tailored towards children, and stands for “Children’s Online Privacy Protection Act.” This law is meant to protect children from over exposure and prohibit businesses from gathering invasive amounts of analytics on children using their products or services. This remains a legitimate concern, attempting to curtail some of the worst aspects of online life. What exactly does COPPA prohibit? Is there any limitation? Does it provide guidelines for a business to follow and ensure compliance?
The spirit of COPPA can be summarized as follows: It is unlawful for an operator or a website or online service directed to children or with knowledge that it is collecting or maintaining a child’s information, to violate this federal statute by failing to give notice on the website of what information it collects, how it’s used, and how it’s disclosed, failing to obtain parental consent, providing reasonable means for parents to review or cancel the use of the service or website, to not condition participation in a game, offering of a prize or other activity by disclosing more personal information than is necessary, and failing to establish and maintain procedures to protect the confidentiality, security and integrity of the children’s information.
In order to clarify, children are not necessarily “children” as we would normally think of them. Instead, the cutoff age for COPPA is 13 years. Hence, anyone under 13 years is covered by COPPA, while those 13 and older are not. Even though it is confusing for parents, it’s a reason for certain websites (e.g., Facebook) to implement what is known as an “age wall.” This wall would then prohibit those who are under 13 years from entering or using the website. However, this is not to say it’s a perfect solution, as the website, if “child directed” would still be subject to this statute as it would likely have knowledge that it is collecting children’s information. Finally, failure to comply with COPPA may hit the website with a penalty of $40,654 per violation.
What are the requirements?
You, as the entity, must take steps to notify parents and verify parental consent. For some websites or services, this may be done by a parent entering credit card information. While the credit card may not be charged for that interaction, since it is typically only adults or young teens that possess a credit card, it would serve as a proxy for parental permission, and it’s listed as an acceptable way of obtaining parental consent. Alternatively, forms for the parent to electronically sign would also work, though this may not be as effective as a wall to prohibit unwanted minors from using a website.
Most importantly, however, is the entity’s responsibility to “establish and maintain procedures” to protect the confidentiality, security, and integrity of the child’s information. Ultimately, the best way to do this is simply to not collect that information. Alternatively, a review by an attorney for your policy to ensure compliance may be necessary.
At our law firm, we assist clients with legal issues related to internet, technology, privacy, and cybersecurity. Please contact us to set up an initial consultation.