Updated: Jul 15, 2020
By Daniel Garcia
This past week, I became hopeful that we had seen the worst of COVID-19 and were getting closer to life before the nation shut down and the stay-at-home orders were issued. Yet, cases are beginning to increase again, and it seems we are still playing the long game. The FTC itself has been busy with the increase in deceptive sales that take advantage of COVID-19 fear by marketing misleading products that don't do what they are advertised to do (prevent or cure the virus). However, there is another set of rules resting in the murky waters: the Children's Online Privacy Protection Act (COPPA).
What is COPPA?
Simply, COPPA's purpose is to give parents control over their children's personal information (hereinafter, information) by requiring certain commercial websites or online services to obtain parental consent before they can collect such information. Congress passed the act in response to the rise of marketing tactics targeting children and collecting personal information without their parents' consent. The purpose seems more crucial than ever, considering more children can effortlessly access the Internet with the currently available mobile devices on the market. Children have virtually unlimited access to the Internet, and since they grew up with the technology, they tend to have an easier time using it than some adults. For example, my niece (age 6) can use an iPad and iPhone more easily than my mom or even some friends (ages 25-30), who grew up as the technology developed. COPPA specifically protects my niece's personal information and that of children under the age of 13 around the nation. The first version of COPPA took effect in 2000 and was revised in 2013 to reflect the changes in technology.
What does it require?
Under COPPA, any commercial website or online service that directs its products or services to children younger than 13, or any operator that has actual knowledge that it is collecting personal information from children under 13, must:
- Provide notice on the website or online service of the personal information that it is collecting from children, how it uses the information and its disclosure practices for such information;
- Receive verifiable consent (defined below) from the parent before any collection, use or disclosure of the child's information;
- Allow the parent to reasonably review the personal information collected;
- Allow the parent to refuse any future use or maintenance of the information; and
- Maintain reasonable security procedures to protect the personal information collected from children.
Are all websites and online services affected?
COPPA is not limited to personal information that is collected on computers; it also applies to mobile applications, such as social networking apps, online games and gaming platforms. However, not every website or online service is required to comply.
There are four types of businesses that are covered by COPPA:
- Websites or online services that are directed toward children under 13 and collect personal information.
- Websites or online services that are directed toward children under 13 and allow third parties to collect personal information.
- Websites or online services that are directed toward a general audience, but they have actual knowledge that they are collecting personal information of children under 13.
- Companies that run an ad network or plug-in and have personal knowledge that they are collecting personal information of users of a website or service directed to children under 13.
Thus, if a website or online service is directed towards a general audience and they do not have actual knowledge that they are collecting personal information from a child under 13, they do not have to comply with COPPA. However, once the business has actual knowledge, they will have to comply.
How do you know if your business is directed towards children under 13? The FTC looks at several factors, including the subject matter of the site, the use of animated characters or other child-oriented activities or incentives, and the presence of child celebrities or celebrities that appeal to kids. Here is an example of a website that has to comply with COPPA, Peppa Pig.
Even if a small business does not fall within COPPA's requirements, understanding the rules can help prepare it for future compliance, for example if it decides to create a website or online service that is directed towards children, or if it receives actual knowledge that children under 13 are submitting their information.
How does this affect my small business?
The pandemic has shifted the education field and the amount of time children spend on the internet. As a result, children are more likely to visit your website where you may be collecting personal information and have actual knowledge of such. Also, small businesses are changing their in-person interactions and moving their services online. For example, companies that provide tutoring, lessons, or any benefit to help kids in school can fall within COPPA when they move online. Since many schools are still unsure whether there will be in-class instruction, children who want tutoring will look to online services in addition to generally surfing the web in their free time. Therefore, small businesses that collect information from children must know the requirements of COPPA, whether they are already online or moving their services online, and regardless of whether the service is a mobile app like Angry Birds or universal tutoring lessons online.
The penalties for not complying with COPPA can be severe and can rise to $42,530 per violation. The FTC has penalized several companies for failing to comply, including Hershey, Yelp, and YouTube. Notably, TikTok, which has increased in popularity during the pandemic, was also penalized last year because its app, Musical.ly, had a large percentage of users that were under 13 and did not comply with COPPA. TikTok paid $5.7 million to settle the violations. Recently, the FTC issued a statement detailing a settlement with HyperBeard, whose app features brightly colored animated characters directed towards children; the company was fined $4 million. While the FTC considers a company's financial position, and here reduced the fine to $150,000, not every business will be this fortunate, so I have included some steps to take to comply with COPPA.
Steps that a small business can take to comply with COPPA
1. The first step is to determine if your small business is collecting personal information from children under 13.
What is "personal information" exactly? Personal information is broad and can include names, email addresses, telephone numbers, photos of children, and even geographical information that is sufficient to identify a street name and city.
Are you collecting personal information? The first step is to know if you are collecting information from the child versus a parent. If the child is submitting the information, you must comply. Collecting information isn't limited to receiving the information on servers; it includes requesting, prompting, or encouraging the submission of information, even if it is optional. Allowing information to be made publicly available, such as using an open chat or posting function, is also considered collecting information. However, if you take reasonable steps to delete all of the personal information before the posting is made public and delete the information from your records, then you will not be considered to collect information under COPPA.
- A list of all operators collecting personal information,
- A description of the personal information collected and how it is used,
- How it is used, and
- A description of the rights of the parents (see #4).
3. Give notice to parents before collecting personal information of the children.
Before companies can collect information from the children, COPPA requires them to give "direct notice" to parents of how they handle personal information, and also when there is a material change to the handling of said information. The direct notice should be clear and easy to read. The notice must tell parents:
- That you collected the parent's information to get their consent,
- That you want to collect personal information from their child,
- That their consent is required for you to collect, use and disclose the personal information, if they choose to consent,
- The information that you intend to collect,
- How the parent may refuse to permit the child's participation and collection of personal information.
Make sure the parents give verifiable consent.
There are several ways that companies can get verifiable consent, such as requiring the parent to sign a consent form and send it back, connecting the parent to a trained staff member via video conference, or prompting the parent to send a copy of their government-issued ID. If these methods seem complicated or you prefer different methods, the FTC has listed methods that satisfy the verifiable parental consent requirement and you can find them here.
4. Respect the parents' rights continuously, not just at the initial notice.
Throughout the time that a business is collecting personal information, it should recognize three main rights of the parents. Even if the parents have consented to the collection of their children's personal information, the business must:
- Allow the parents to, upon request, review the information that it collected from their child,
- Give the parents the ability to refuse further collection of information from their child, and
- Give the parents the ability to delete all of their child's information.
5. Implement adequate security measures to protect the children's personal information.
Lastly, COPPA requires businesses that collect information from children to maintain reasonable procedures to protect the confidentiality, security, and integrity of the information. Also, companies should only keep the information as long as necessary to serve the purpose of its collection; any time after, the company should delete the information. While a company should maintain proper security measures itself, if it releases information to service providers or third parties, it should make sure those parties are also able to maintain the same security, confidentiality and integrity of the information and that they provide assurance that they will do so.
Does your small business collect personal information but fall under an exception?
There are some exceptions for companies when they have collected information from children. For example, if the information is collected from the child to respond to the child's one-time request (such as entering a contest), there is no direct notice required to be sent to parents unless the company uses the information to contact the child again or does not delete the information after it responds.
Protect the Security or Integrity of the Site
If the company is collecting information to protect the integrity of the site or service, to take precautions against liability, to respond to judicial process or to provide information to law enforcement, there is no direct notice required, and the company will fall outside the scope of COPPA.
COPPA applies to commercial websites or online services, so if a non-profit is not using a website or services for profit, it also will fall outside the scope of COPPA.
It is essential to know that the steps and exceptions here are not exhaustive, and business owners should read all of the COPPA requirements and visit the FTC website for more information. The FTC also published this article answering common questions, which goes in depth into the requirements and their real-world application.
c. Cooley LLP, and
You can also email the FTC for answers to specific questions at firstname.lastname@example.org.
If you've been following my articles, you know what I'm about to say: honesty is the best policy. Tell parents the truth of what you are collecting, how you are using it, and their rights with the information you obtained from their children. Best of luck!
Your interaction with Legalucy and mypandemicproofbusiness.com does not create an attorney client relationship. We provide information for your reference only. Such information should not and cannot be construed as legal advice. For more information, please contact email@example.com.