In the United States, collecting data directly from children under 13 years of age is tightly regulated by a federal statute, which is aggressively monitored and enforced. Under the Children’s Online Privacy Protection Act (COPPA), even seemingly straightforward online data collection and storage practices such as logging an IP address or storing an email address are subject to strict requirements, such as providing notice and obtaining advanced parental consent prior to collection or storage.
Under COPPA, obtaining proper consent can be technically or administratively burdensome, expectations shift with technological advancement, regulatory exceptions are vague and penalties are calculated on a per-violation basis. COPPA is enforced by the Federal Trade Commission (FTC) and state attorneys general, both of which are very active in this area. Although the FTC maintains a website with answers to frequently asked questions, the law is complicated, and companies should consult with an attorney.
Remember if you are doing business in Europe, the General Data Protection Regulation (GDPR) explicitly states that children’s personal data merits “specific protection”— and many European jurisdictions define children as anyone under 16 years of age. The rules include robust requirements for consent, mandatory child-friendly privacy policies, and strong rights. European regulators are also consulting on how apps and websites use children’s data, and the processing of children’s data is a stated GDPR enforcement priority.
COPPA has an expansive and non-intuitive definition of “personal information,” meaning that many standard data elements, whether collected actively or passively, can trigger COPPA. COPPA also has a broad reach across platforms, covering commercial websites, mobile apps and connected devices (e.g., a speaker that is part of the Internet of Things). Keep in mind that:
- COPPA’s definition of “personal information” includes virtually anything that can be tied to a unique individual (device IDs, IP addresses, government identification numbers, geolocation, photographs, persistent identifiers, etc.).
- The idea that only services designed for kids need to be compliant with COPPA is a common misconception. In reality, while services that are designed for kids have the most onerous requirements, COPPA imposes duties that apply to any online business that knowingly collects such information, where children are the incidental, not primary, audience.
- COPPA also applies to third-party services that a company may use, such as ad networks and plug-ins. The operator of an online business is responsible for what is collected and shared on its service, even if a third party is doing the collecting and sharing on the online business’ behalf.
The current FTC and many state attorneys general aggressively monitor apps and websites and internet-connected products for COPPA compliance. COPPA allows for fines and penalties of up to $16,000 per violation, and even negotiated case resolutions are accompanied by detailed court or administrative orders allowing the FTC staff to supervise compliance with corrective action requirements for up to 20 years. The minimum legal expense of responding to an FTC civil investigative demand will typically exceed $500,000, and the investigations usually drag on for many months or even more than a year. These outcomes are to be avoided at all costs.
As with all data privacy laws, the best way to avoid risk is to not collect or use data collected from or about individuals, except as necessary to deliver the product or service. While a company may depend on knowing who its customers are, where they are and what they like about the service, a company can avoid some risk by not over-collecting data. For example, website analytics tools can tell a company where its customers are in the world, so perhaps access to location services data is unnecessary. COPPA’s “internal operations” exception may allow a company to collect all of the information it needs without obtaining consent, but the exception requires a fact-specific legal analysis. While correctly applying the “internal operations” exception requires COPPA-skill and experience, in general, it is very useful, where data use cases can be minimized to the following:
- Maintaining or analyzing the functioning of the site
- Performing network communications
- Protecting the security or integrity of the user or the site
- Legal or regulatory compliance
- Fulfilling a child’s request under the one-time contact or multiple contact exceptions
COPPA also allows companies to authenticate users of a website and personalize content, including serving contextual ads and frequency capping. As with the internal operations exception, it is important to tailor any data collections to achieve these narrow purposes.
In general, you must get a parent’s verifiable consent before collecting personal information from their child. The FTC guidance states that you must comply with COPPA if any of the following is true:
- Your website or online service is directed to children under 13 and you collect personal information from them.
- Your website or online service is directed to children under 13 and you let others collect personal information from them.
- Your website or online service is directed to a general audience, but you have actual knowledge that you collect personal information from children under 13.
- Your company runs an ad network or plug-in, for example, and you have actual knowledge that you collect personal information from users of a website or service directed to children under 13.
A company not targeting children directly, that does not want children to use its service (so that COPPA will not apply) should:
- Ensure that the online service is not inadvertently or indirectly targeting kids. For example, regulators look for the presence of bright colors, child celebrities and cartoon characters or mascots as potential magnets for kids. Even if a company’s intent is to serve only teens or adults, the FTC may deem the service to be targeting children, even where they are not the primary audience.
- Consider employing a neutral “age gate” to prevent children from using a service. For users who say they are under age 13, don’t collect any personal information until you have obtained verifiable parental consent. You should consult counsel or an expert COPPA consultant in designing the age gate, as many enforcement matters have followed poorly designed age gates.
COPPA requires general audience sites to do two things. First, the site must take steps to prevent the collection of personal information from children. Second, if the site has “actual knowledge” that it collected data from children, it must delete the information in question.
Preventing data collection from children in the first place may be a challenge, but developing policies, training personnel and using age-gating procedures are a good start. If a service incidentally obtains the personal information of children, its heightened duties kick in when the service develops (or, acting reasonably, should have developed) knowledge that this event has occurred. While knowledge can come from any number of sources, in past enforcement actions regulators have considered a service to have knowledge of such data collection if:
- A child discloses their age to create an account or announces their age (or grade in school, or other similarly revealing information) in a moderated forum or other “free-text” feature on the service’s site
- A parent contacts the service regarding the child’s account
- An ad network or plug-in on the site collects personal information
While there is no duty under COPPA for a service to seek out children on its site, regulators expect heightened care and the conscientious deletion of children’s information.
Don’t worry – there’s help!
Applying COPPA’s strict technical requirements to current online services, particularly those running advanced analytics and ad targeting, is not straightforward. Once a company has sorted out how it wishes to collect or use data collected from children, it must properly notify the parents, and secure their verified consent.
There are resources that can assist companies with COPPA. The FTC has approved seven organizations to act as COPPA “safe harbors.” These voluntary, self-regulatory organizations can certify a business as being COPPA-compliant and help a business develop compliant parental-consent practices. While a company can choose not to rely on these safe-harbor organizations, they do present a ready-made option for getting compliance right.
Experienced COPPA counsel should also be part of a company’s team, to help understand what data a company collects and shares, and to draft disclosures, design consent interfaces and avoid regulatory enforcement.