COMMENTARY: Children's Online Privacy Protection Act - Are you compliant?

By Amanda Dernovshek
and Taylor Gast

The Children’s Online Privacy Protection Act (COPPA) was enacted in 1998 and was created to address concerns with the online collection of children’s personal information. Recently, the Federal Trade Commission (FTC) has announced several large fines for companies not in compliance.

Companies that may collect even non-sensitive information about children, such as IP addresses or basic account-related information, should assess whether they are compliant with COPPA.

When does COPPA apply?

COPPA applies to all companies and persons operating websites, online services, gaming platforms, and mobile applications if the company’s activities are directed to children or it knowingly collects personal information about children under the age of 13. In other words, while a company may market to a general audience, information indicating that it collects personal information from children may make it subject to COPPA. “Personal information” is broadly defined under COPPA and includes many standard pieces of data, IP addresses, personal identification numbers, photographs, video, audio, geolocation, and other common elements. COPPA also extends to third-party vendors, including advertising, data collection services and data sharing services. “Collecting,” under COPPA, includes requesting or prompting the submission of personal information from a user, passively tracking a user, or allowing collected information to be publicly available.

What is required for COPPA compliance?

Companies within the scope of COPPA must meet several compliance requirements. The most significant requirements relate to providing notice of the company’s data practices, and obtaining proper consent.

Notice

• Companies must have a privacy policy that is accurate, easily accessible, clear, and conspicuously labeled on its website.

• Companies must implement procedures to protect and keep secure all collected data.

Consent

• Companies must obtain proper, verifiable consent from parents before collecting a child’s information.

• Once a parent has agreed to allow collection of their child’s data, the company must not collect more than what was agreed to.

• Companies must allow all parents the right to review all information the website collects on their children and request it be deleted.

• If the company’s privacy policy changes, the company must obtain renewed consent from parents.

• Companies cannot condition access to service on the prerequisite of providing additional personal information.

Significant Penalties

Penalties under COPPA can be quite hefty – up to $42,530 per violation.

This fine is in addition to all legal fees incurred when an organization is investigated and sanctioned for violations of COPPA. Some of the largest fines to date have occurred within the last several months. In December 2018, Oath (owner of Yahoo and AOL) agreed to pay $5M in a settlement with the FTC. This settlement came after the Attorney General’s office found that AOL had allowed billions of auctions for ad space to occur with the knowledge that some were directed at children under the age of 13. These auctions allowed AOL to collect, use, and disclose personal information of children.

Even more recently, the largest penalty to date was announced in February 2019. Video social networking application Musical.ly agreed to a $5.7 million agreement for its COPPA violations. Musical.ly’s agreement includes monetary civil penalties, a permanent injunction, orders to delete information, and future compliance and reporting requirements. The FTC commissioners simultaneously announced their intent to hold individuals accountable for these violations, especially when purposeful violations are evident. In addition to stricter commissioners, legislation was introduced in 2019 which would expand the scope of COPPA to create a new division within the FTC to oversee marketing to children and minors.

Preventative Measures

There are steps your business can take to comply with the law and protect itself from a large fine. A company that does not want children using the service should:

• include a statement in its privacy policy that addresses proper use,

• ensure that marketing is not directed at children in any way, and

• consider adding an “age gate” to its site that does not collect personal information when a user indicates they are under the age of 13.

A company that targets or knowingly collects information from children, however, should carefully consider the statements it makes in its privacy policy, the state of its data security, and how it collects and manages consent.
————————
Amanda Dernovshek and Taylor Gast are attorneys in the Lansing office of Foster, Swift, Collins, & Smith PC and members of the firm’s Business and Tax Practice Group.
Reprinted with permission from Foster Swift’s BizTech Law blog at https://www.michiganitlaw.com.