The Children’s Online Privacy Protection Act (COPPA) allows parents to control the collection of their children’s personal information online. It is designed to protect children under the age of 13 through specific rules for operators of websites and online services.
Who does COPPA cover?
COPPA applies to operators of websites or online services (including mobile applications) that receive personal information from children under the age of 13. Your family business must comply with COPPA if any of the following apply to you:
- Your website or online service is directed to children under the age of 13 and you collect personal information about them.
- Your website or online service is intended for children under the age of 13 and you allow third parties to collect their personal information.
- Your website or online service is aimed at a general audience, but you actually know that you are collecting personal information from children under the age of 13.
- Your company runs an ad network or plugin and you actually know that you are collecting personal information from users under 13 years of age.
The Federal Trade Commission, which enforces COPPA, looks at various factors to determine whether a website or service is directed at children under the age of 13. These factors include, but are not limited to, the subject matter of the site or service, visual and audio content. , the use of animated characters and advertisements on the Site or Service directed at children.
Personal information includes:
- Name and surname;
- Home or other physical address;
- Contact information on the Internet;
- Screen or username;
- Phone number;
- Social insurance number;
- A photo, video or audio file with a child’s image or voice; and
- Other forms of identifiers.
How to Comply with COPPA
If your family business is subject to COPPA, there are six key steps you must take.
2. Notify parents before receiving personal information from their child
Before collecting any information from their child, parents must be given direct notice of your information practices. The notice must inform parents that you have obtained their contact information online in order to obtain their consent to the collection, use and disclosure of their child’s personal information.
3. Obtain parental consent
You must obtain the parent’s affirmative consent before collecting their child’s personal information. Consent may be obtained by any method “reasonably designed” to “make sure that the consenting person is the parent of the child.”
A simple checkbox or button click is not enough. Some methods approved by the FTC include signing a consent form that is faxed, mailed, or electronically scanned, answering a series of knowledge-based questions using a credit card or other online payment system that provides alerts for each individual transaction, calling a toll-free toll-free number or connect to trained staff via video conference.
Regardless of the method you choose, parents must be able to authorize the collection and use of their child’s personal information without consent to the disclosure of this information to other parties. There are limited exceptions to COPPA’s verified parental consent requirements, such as collecting a child’s and parent’s name to obtain parental consent and obtaining their contact information to protect the child’s safety.
4. Establish procedures for the protection of collected information
Your business must have procedures in place to maintain the confidentiality, security and integrity of personal information received from children. COPPA requires you to make reasonable efforts to ensure that you do not share personal information with third parties who are unable to maintain security and confidentiality.
It is always important to collect only the information that is necessary for the operation of your family business.
5. Keep personal information only when necessary
Securely delete all personal information of children under the age of 13 unless you need it for a legitimate purpose. You must also give parents access to their child’s personal information to review and/or delete it.
6. Avoid asking your child to provide unnecessary information to participate in an online activity
Operators covered by COPPA may not require children to provide more information than is reasonably necessary to participate in the activity.
What are the penalties for not complying with COPPA?
Operators who violate COPPA may face civil penalties of up to $46,517 for violations. The FTC has previously imposed millions of dollars in fines in settlements with companies that failed to comply with COPPA.
Because the penalties for non-compliance are severe and the requirements of the rule are complex, it is important to consult qualified legal counsel regarding the specifics of your website or online service before collecting information from children under 13 years of age.