In the United States, collecting data directly from children under 13 years of age is tightly regulated by federal statute, which is aggressively monitored and enforced. Under the Children’s Online Privacy Protection Act (COPPA), even seemingly straightforward online data collection and storage practices, such as logging an IP address or storing an email address, are subject to strict requirements, including providing notice and obtaining advance parental consent prior to collection or storage.
Under COPPA, obtaining proper consent can be technically or administratively burdensome, expectations shift with technological advancement, regulatory exceptions are vague, and penalties are calculated on a per-violation basis, with each data record a separate violation. COPPA is enforced by the Federal Trade Commission (FTC) and state attorneys general, both of which are very active in this area. The FTC maintains a website with frequently asked questions (https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions) that can be a helpful resource for a company. While the basic tips presented below can help guide the way, the law is complicated, and companies should consult with an attorney.
If a company collects “personally identifiable information” — actively or passively — via a commercial website, mobile app or connected device (e.g., a speaker that is part of the internet of things), COPPA potentially applies. Note that:
- COPPA’s expansive definition of “personal information” includes virtually anything that can be tied to a unique individual (device IDs, IP addresses, government identification numbers, geolocation, photographs, persistent identifiers, etc.).
- The idea that only services designed for kids need to be compliant with COPPA is a common misconception. In reality, while services that are designed for kids have the most onerous requirements, COPPA imposes duties that apply to any online business that knowingly collects such information, where children are the incidental, not primary, audience.
- COPPA also applies to third-party services that a company may use, such as ad networks and plug-ins. The operator of an online business is responsible for what is collected and shared on its service, even if a third party is doing the collecting and sharing on the online business’ behalf.
The current FTC and many state attorneys general aggressively monitor apps, websites and internet-connected products for COPPA compliance. COPPA allows for fines and penalties of up to $16,000 per violation, and even negotiated case resolutions are accompanied by detailed court or administrative orders allowing FTC staff to supervise compliance with corrective action requirements for up to 20 years. The minimum legal expense of responding to an FTC civil investigative demand will typically exceed $500,000, and the investigations usually drag on for many months or even more than a year. These outcomes are to be avoided at all cost.
As with all data privacy laws, the best way to avoid risk is to not collect or use data collected from or about individuals, except as necessary to deliver the product or service. While a company may depend on knowing who its customers are, where they are and what they like about the service, a company can avoid some risk by not over-collecting data. For example, website analytics tools can tell a company where its customers are in the world, so access to location services data may be unnecessary. COPPA’s “internal operations” exception may allow a company to collect all of the information it needs without obtaining consent, but the exception requires a fact-specific legal analysis. While correctly applying the “internal operations” exception requires COPPA skill and experience, in general it is very useful where a company’s data uses can be limited to the following:
- maintaining or analyzing the functioning of the site,
- performing network communications,
- authenticating users of the site or personalizing content,
- serving contextual ads or frequency capping,
- protecting the security or integrity of the user or the site,
- legal or regulatory compliance, or
- fulfilling a child’s request under the one-time contact or multiple contact exceptions.
In general, you must get a parent’s verifiable consent before collecting personal information from their child. The FTC guidance states that you must comply with COPPA if any of the following is true:
- Your website or online service is directed to children under 13 and you collect personal information from them.
- Your website or online service is directed to children under 13 and you let others collect personal information from them.
- Your website or online service is directed to a general audience, but you have actual knowledge that you collect personal information from children under 13.
- Your company runs an ad network or plug-in, for example, and you have actual knowledge that you collect personal information from users of a website or service directed to children under 13.
A company that does not target children directly and does not want children to use its service (so that COPPA will not apply) should:
- Ensure that the online service is not inadvertently or indirectly targeting kids. For example, regulators look for the presence of bright colors, child celebrities, and cartoon characters or mascots as potential magnets for kids. Even if a company intends to serve only teens or adults, the FTC may deem the service to be targeting children, even where they are not the primary audience.
- Consider employing a neutral “age gate” to prevent children from using a service. For users who say they are under age 13, don’t collect any personal information until you have obtained verifiable parental consent. You should consult counsel or an expert COPPA consultant in designing the age gate, as many enforcement matters have followed poorly designed age gates.
COPPA requires general audience sites to do two things. First, the site must take steps to prevent the collection of personal information from children. Second, if the site has “actual knowledge” that it collected data from children, it must delete the information in question.
Preventing data collection from children in the first place may be a challenge, but developing policies, training personnel and using age-gating procedures are a good start. If a service incidentally obtains the personal information of children, its heightened duties kick in when the service develops (or, acting reasonably, should have developed) knowledge that this event has occurred. While knowledge can come from any number of sources, in past enforcement actions regulators have considered a service to have knowledge of such data collection if:
- A child discloses their age to create an account or announces their age (or grade in school, or other similarly revealing information) in a moderated forum or other “free-text” feature on the service’s site
- A parent contacts the service regarding the child’s account
- An ad network or plug-in on the site collects personal information
While there is no duty under COPPA for a service to seek out children on its site, regulators expect heightened care and the conscientious deletion of children’s information.
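The neutral age gate recommended above and the delete-on-actual-knowledge duty for general audience sites, as one added Python example (this is not code from the article, the FTC or any safe-harbor program; `CoppaGuard`, `UserRecord` and the consent and knowledge signals are hypothetical stand-ins for a service’s own storage and consent process):

```python
from dataclasses import dataclass, field
from datetime import date
COPPA_AGE = 13  # COPPA protects children under 13

def age_on(dob: date, today: date) -> int:
    """Age in whole years on `today`; a birthday not yet reached counts one year less."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years

@dataclass
class UserRecord:
    user_id: str
    is_child: bool
    parental_consent_verified: bool = False  # set only after out-of-band verification
    personal_info: dict = field(default_factory=dict)

class CoppaGuard:
    """Hypothetical guard: nothing is stored for an under-13 user without verified consent."""
    def __init__(self, today: date):
        self.today = today
        self.users: dict[str, UserRecord] = {}

    def age_gate(self, user_id: str, dob: date) -> UserRecord:
        # The form behind this must stay neutral: full date of birth, no default, no hint of the cutoff.
        self.users[user_id] = rec = UserRecord(user_id, is_child=age_on(dob, self.today) < COPPA_AGE)
        return rec

    def record_parental_consent(self, user_id: str) -> None:
        self.users[user_id].parental_consent_verified = True

    def collect(self, user_id: str, key: str, value: str) -> bool:
        """Store one field (email, IP address, device ID ...); False means refused, nothing stored."""
        rec = self.users[user_id]
        if rec.is_child and not rec.parental_consent_verified:
            return False
        rec.personal_info[key] = value
        return True

    def actual_knowledge_of_child(self, user_id: str) -> int:
        """Later signal (self-disclosed age, parent contact): flag as child, delete unconsented data."""
        rec = self.users[user_id]
        rec.is_child = True
        if rec.parental_consent_verified:
            return 0
        deleted = len(rec.personal_info)
        rec.personal_info.clear()
        return deleted
```

The same guard covers both paths the article describes: a user gated as under 13 at sign-up is refused storage until consent is recorded, and a user who passed the gate but is later revealed to be a child has the data already held deleted.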
Don’t worry – there’s help!
Applying COPPA’s strict technical requirements to current online services, particularly those running advanced analytics and ad targeting, is not straightforward. Once a company has sorted out how it wishes to collect or use data collected from children, it must properly notify the parents and secure their verified consent.
There are resources that can assist companies with COPPA. The FTC has approved seven organizations to act as COPPA “safe harbors.” These voluntary, self-regulatory organizations can certify a business as being COPPA-compliant and help a business develop compliant parental-consent practices. While a company can choose not to rely on these safe-harbor organizations, they do present a ready-made option for getting compliance right.
Experienced COPPA counsel should also be part of a company’s team, to help understand what data a company collects and shares, and to draft disclosures, design consent interfaces and avoid regulatory enforcement.