All About COPPA - The Children's Online Privacy Protection Act


DISCLAIMER: We are not lawyers and we advise you to seek your own legal counsel when dealing in the regulatory environment. This article is for informational purposes only and is not legal advice. Remote Cloud Consulting Inc. cannot be held liable for any decisions made as a result of reading this article.

How many times have you heard the cliché, “Think of the children! Won’t anyone think of the children?” Well, the phrase or similar sentiments may have become overused to the point of a laughable cliché, but that doesn’t make the idea any less important, relevant, or profound.

It’s a formidable enough task to keep children safe from the potential hazards the real world presents, and that includes keeping tabs on their physical whereabouts. Now along comes the Internet, and suddenly there’s a virtual dimension added onto the task. Parents now have to note where their children are online and what sort of interactions they are getting exposed to.

The Internet may have made many aspects of life easier, but it has made the job of parenting more challenging.

Fortunately, we have many resources to help safeguard children’s privacy, and we’re about to explore one such example.

It’s time to learn about COPPA, how it protects children’s privacy, and what it means for businesses, organizations, and individuals that provide goods and services online.

What is COPPA?

Hint: It’s neither a metal, an old-fashioned term for a police officer, nor a lyric from a Barry Manilow song.

COPPA is an acronym that stands for the Children’s Online Privacy Protection Act. Congress enacted it in 1998, it became effective in April 2000, and it is enforced by the Federal Trade Commission (FTC).

The rule’s primary intent is to help parents control what personal information about their children can be collected by online web services and commercial websites, including Internet of Things (IoT) devices like smart toys and mobile apps. For the purposes of COPPA’s jurisdiction, “children” are identified as under 13 years old.

What Constitutes “Personal Information”?

You won’t find any surprises here.

“Personal information” includes these items:

  • First and last names
  • A home address or other appropriate physical address that includes a street name and the name of a town or city
  • Online contact information (e.g., e-mail address)
  • A screen or username that acts like online contact information
  • Phone numbers
  • A Social Security number
  • Any persistent identifier that can potentially be used to recognize someone across various online services or websites over an extended period
  • An image, audio, or video file, if the file has a child’s image or voice
  • Enough geolocation information to identify a street name and the name of a town or a city
  • Information regarding the child or their parents that the operator collects from the child and uses with one of the identifiers described above

What Does COPPA Compliance Look Like?

What does COPPA look like in action?

Before we explore what compliance looks like, we should call out who must follow COPPA regulations. The rules apply to operators of commercial websites and online services (including the above-mentioned mobile apps and IoT devices) that are aimed at children under 13 and that collect, use, and/or disclose a child's personal information. They also cover operators of general audience websites or online services who have actual knowledge and understanding that they're collecting, using, or disclosing personal information from children under 13. Finally, COPPA also covers websites or online services that have actual knowledge that they're assembling personal information directly from users of yet another website or from an online service directed to children.

And, just as American-based companies need to keep European privacy laws such as GDPR in mind, foreign-based online services and websites must comply with COPPA regulations.

And here are the measures that entities under COPPA regulations must abide by:

  • Post a clear and comprehensive privacy policy for online activity, describing information practices used to collect personal information from children online.
  • Before collecting personal information from children online, the company has to provide direct notice to parents and get verifiable parental consent. However, there are some limited exceptions.
  • Give parents the choice of agreeing to the operator’s information collection and internal use of a child’s data but preventing the operator from sharing that information with any third parties (unless this disclosure is essential to the site or service, and in that case, this condition must be made clear to parents). NOTE: This particular measure is huge. Ultimately, the decision of which sites to allow kids to visit and which goods and services they can purchase falls on the parents. If you don’t give them the ability to grant or withhold consent, you’re going to lose their patronage right out of the gate.
  • Allow parents to read and interact with their child's personal information so they can review it and/or delete the data if necessary.
  • Present parents with the opportunity to prevent further collection and/or use of their children's personal information online.
  • Keep the integrity, security, and confidentiality of all information collected from children. This regulation includes taking reasonable steps to release that information only to parties equally capable of maintaining data confidentiality and security.
  • Keep personal information collected online from children only for as long as it’s needed to fulfill the purpose for which it was collected in the first place, then delete said information using reasonable measures to prevent any unauthorized access or use.
  • Do not condition a child’s participation in an online activity on the child’s ability to give more personal information than is reasonably required to join in the activity in question.

What Are the Penalties for COPPA Violations?

Penalties involve two words in this order: “check” and “book”.

The privacy of minors is a serious matter, and the FTC is treating it with the gravity it deserves, if the penalties are any indication. According to the Federal Trade Commission’s COPPA website, courts can hold violators liable for civil penalties of up to $43,792 for each violation. The amount can vary depending on certain factors like previous rule infractions (if any), how many children were involved, and if the data was shared with third parties. It also depends on circumstances like company size, the type and amount of personal data collected, how the data was used, and how serious the infraction was overall.

The FTC determines the penalties on a case-by-case basis. In some instances, they didn’t assess a civil penalty. In others, the cost ran into the millions.

COPPA’s Downsides and Pushback

Where is the line drawn between protecting children and unconstitutional limitations on free speech?

Few people will argue that children, a vulnerable section of our population, should not enjoy extra measures to safeguard their privacy. After all, the Internet can be a somewhat sketchy place. But when do the good intentions of preserving minors’ privacy collide with free speech?

That’s why COPPA isn’t universally embraced as a perfect solution by all quarters. There are concerns that COPPA can have a chilling effect on content providers and app designers, scare away potential developers of kid-friendly sites, and be outright unconstitutional.

Furthermore, COPPA doesn’t address prevalent issues such as kids lying about their age (sometimes aided and abetted by their parents!) to get onto a website. There is even speculation that if COPPA regulations make it more difficult for children to access kid-friendly sites, they may end up visiting more adult sites that have no such constraints influencing their content and how they do business. Sure, that’s just speculation and not backed up with hard data, but it’s within the realm of possibility.

Whether people agree or not on COPPA’s constitutionality and overall effectiveness, it doesn’t change the fact that, as things stand now, it’s the law. If not followed, it will lead to unpleasant repercussions. So, unless the regulations get somehow adjusted or tweaked in the future, COPPA compliance is mandatory.

So How Can I Ensure My Site is COPPA-Compliant?

There’s experienced help available out there.

At first glance, many of the COPPA measures appear to be common-sense details that any individual, company, or other types of organization can easily handle. However, not every case, situation, or business is the same. There is nuance, ambiguity, and sometimes outright misinformation.

To that end, it’s wise to have a good lawyer who knows the ins and outs of the industry and can help a business achieve complete peace of mind, knowing that everything they’re doing follows all regulations. And yes, that includes rules of other nations.
