Last year at Christmas, I was surprised at the number of technology-focused toys aimed at children under four. I saw (a) stuffed animals that you can plug into your computer to program with information about your children to make them more personalized, (b) video games aimed at preschoolers to help develop writing and arithmetic skills, and (c) even websites where children could upload information to send to Santa. With the increase in technology aimed at children under the age of 13, website operators need to ensure that they know the basics of COPPA and, if necessary, seek help to comply with it.
COPPA is the “Children’s Online Privacy and Protection Act.” Congress passed it in 1998 and required compliance by 2000. It was most recently amended in 2013 to account for changes in technology since its original passage. It is enforced by the Federal Trade Commission, some state agencies (for instance, Texas has brought a suit under it), and some federal agencies other than the FTC. Most importantly, it requires all websites, mobile applications, networked video game services, and interactive online services (to name a few) that are directed towards children under the age of 13 to comply with very specific rules and regulations.
Which Websites Fall under COPPA?
Your website, mobile application, or other technology falls under COPPA if it collects or discloses personal information about children under 13, especially if the site is directed toward children. If any of the statements below applies to your ecommerce website, you are probably required to comply with COPPA.
- Your site is targeted to children under 13. For example, you have cartoonish characters on it, games, or other visual information that would appeal to children.
- You have actual knowledge that you are collecting information from children under the age of 13. For example, parents contact you to say that their children are using the site.
- You run a third-party service that works with sites that collect information from children. For example, you run targeted ads on a third-party mobile application directed to children.
If there is any doubt whether your website, mobile application, or other technology falls under COPPA, you should always seek the services of an attorney knowledgeable in the field to make sure that you are complying with the law.
What Is ‘Personal Information’?
A website, mobile application, or other technology can fall under COPPA if it’s directed at children under 13 or if it is targeted at a general audience but nonetheless collects or discloses personally identifying information about children under 13. Personally identifying information — “PII” — includes name, phone number, address, and social security number, among other identifying data.
In the more recent rulings, PII has also come to include a persistent identifier that is used over multiple websites to identify someone (such as a handle or a screen name), geolocation data (something that was rarely captured in 1998), and even audio, photo, or video files (containing the voice or image of a child). Even the use of multiple types of information that can identify a child should be approached cautiously and only with the approval of legal counsel. For example, the initials of a child, together with the child’s grade and school name, may be enough collectively to become PII, as the combination could identify a child.
If your website, mobile application, or other technology does not collect PII but connects to a technology that does, you may still be subject to COPPA even though you are not personally collecting the data. Care should always be taken prior to installing third-party apps, such as the ability to connect to social media sites like Facebook, or other technology that can interact with a site that does collect data.
Privacy Policies vs. COPPA
Several months ago, I wrote an article on how to create an ecommerce privacy policy. If your website falls under COPPA, you must have a privacy policy that complies with COPPA (along with your state and federal regulations) and have internal policies in place that your employees follow to receive permission from parents to collect information. According to the FTC, you must:
- Provide clearly written and comprehensive information regarding your company’s practices for what happens to personal information collected online from children;
- Provide direct notice to parents and obtain verifiable parental consent before collecting personal information online from children;
- Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
- Provide parents access to their child’s personal information to review and have the information deleted;
- Give parents the opportunity to prevent further use or online collection of a child’s personal information;
- Maintain the confidentiality, security, and integrity of information you collect from children, including taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
- Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
Other Requirements
As with any law, there are other requirements, some of which may be based on your website or covered technology’s individual circumstances. This article is not meant to be conclusive or address all issues under COPPA. If your website, mobile application, or other technology even hints at reaching children under the age of 13 or collects information from them, speak to an expert prior to being investigated for non-compliance. You cannot be too careful with these matters, especially when they involve children’s safety.