On October 21, 1998, President Bill Clinton signed into law the Children's Online Privacy Protection Act (COPPA). If you manage a website, then that law affects you.
In this article, we’ll go over the basics of COPPA and give you some pointers about ensuring that your website is in compliance.
Failure to take the law seriously could result in some hefty fines.
COPPA: The Basics
As the name implies, COPPA is about protecting children while they’re soaring through cyberspace.
Specifically, the law applies to collecting information from kids under the age of 13 who live in a U.S. jurisdiction. In a nutshell: you can’t collect data from kids without permission from a parent or legal guardian.
The Federal Trade Commission (FTC) is empowered to issue regulations concerning COPPA and to enforce the law.
If you’ve ever wondered why Facebook doesn’t allow users under the age of 13, it’s partially because of COPPA. Facebook doesn’t want to be bothered with getting parental consent for the data it collects.
Recent Revisions
COPPA went into effect on April 21, 2000. But there have been some regulatory revisions since then.
In 2011, the FTC revised the definition of “collect” as it relates to collecting info from children online. That change requires webmasters to keep data gathered from young minors for only the amount of time necessary to accomplish the purpose that the data was collected for. The new regulation also mandates that third parties who gain access to a child’s information have proper procedures in place to protect it.
Also, keep in mind that personal information doesn’t just include a child’s name, phone number, and address. It also includes geolocation information, photos, videos, and sound recordings of the child’s voice.
Yes, Companies Pay the Price for Non-Compliance
You might be thinking to yourself at this point: “That’s probably one of those laws that Congress passed just to do some grandstanding and pretend that they care about children. It’s not that important.”
Think again. Companies have paid a steep price for non-compliance.
In 2001, Girls’ Life and two other companies paid a combined $100,000 in fines for COPPA violations. In 2003, Mrs. Fields Cookies paid $100,000 in fines and Hershey paid $85,000 in fines for non-compliance with the law.
So yes, it’s in your very best interest to ensure that your site isn’t violating COPPA.
A Privacy Policy
Have you ever wondered why so many sites have a privacy policy? At least part of the reason is COPPA.
The law mandates that webmasters must include a privacy policy on their sites. That policy should explain to children under 13 when and how they should seek parental consent to divulge personal information.
So, if you don’t have a privacy policy on your website, and you know for a fact that it’s frequented by young kids, then you’re likely in violation of the law.
Fortunately, you can add one to your site in fairly short order.
Further Obligations for Collectors of Data
In 2012, the FTC issued additional guidelines regarding sites that collect data.
Those guidelines apply to you if you fall into one of two categories:
- You run a “child-directed” website that’s geared toward kids under 13 and collect personal info
- You knowingly collect personal info from kids under 13 (even though your site isn’t directed to that age group)
In either case, there are a number of rules that apply to your site. You must:
- Include a privacy policy that describes how you collect data from people under 13
- “Make reasonable efforts” to provide notice to parents about how you collect, use, and disclose the personal information you collect from young kids
- Obtain verifiable consent from a parent or legal guardian prior to collecting, using, and/or disclosing personal information from children under 13
- Offer a way that parents can review the personal information collected from their child and allow them to refuse its use or maintenance
- Ensure, as much as possible, that you’ll keep the data collected from kids secure and also that you’ll only release the data to third parties who can commit to keeping it secure as well
- Keep the data collected from children only as long as is necessary to fulfill the purpose it was collected for and proactively take steps to prevent unauthorized use of the data
- Never use data collection as an incentive to a child to participate in additional online activity (e.g., “You can’t play Level 3 unless you give us your phone number!”)
How Do You “Know” If Kids Are Visiting Your Site?
According to the FTC, you “know” that kids are visiting your site if you ask for and receive information from a website visitor regarding that person’s age. For example, if you ask for a person’s date of birth on your site, then you clearly know the age of that visitor.
However, if you run a site that doesn’t collect any kind of age-related data, you might still run a “child-directed” site according to COPPA.
Why? Because in 2013, the FTC made it clear that COPPA covers sites that use outside services (such as advertising networks) that collect personal information from visitors.
In other words, you’re responsible for the data that third parties collect on your site, as far as the law is concerned.
Bottom Line
At a minimum, get a privacy policy on your site if you don’t already have one.
Beyond that, contact an attorney familiar with COPPA to ensure that your site is in compliance. Otherwise, you could find yourself on the business end of some legal action.