Recently, the Federal Trade Commission (“FTC”) has started investigating tech companies whom they suspect are violating the Children’s Online Privacy Protection Act (“COPPA”). COPPA, a federal law, imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. In other words, when children log onto gaming sites and download apps, the information they give is, by law, supposed to remain safe with the companies they’re interacting with.
The catalyst behind the FTC’s aggressive new actions follows a change they made to COPPA last year, which gave online advertisers, gaming outfits, and others a period to comply with the rapidly changing online mobile advertising space requirements. Specifically, the agency perfected three issues: the use of share buttons, when an ad network has “actual knowledge” that it has collected personal information from a child user, and what to do with information collected from child-directed sites without parental consent. Additionally, the revisions to COPPA broadened the act, extending the definition of children’s personal information to include “persistent identifiers such as cookies that track a child’s activity online, as well as geolocation information, photos, videos, and audio recordings.”
According to the FTC, “COPPA mandates that website operators or online providers directed at kids 13 and under obtain verifiable consent from the parents or guardians before disseminating the information. The law says that without the verification, companies are on the hook for any information obtained from children be distributed or sold for marketing or other purposes. The law was formed in the early days of the Internet, and much has changed since then.”
Now that the aforementioned grace period to comply with the revisions is over, the FTC is in pursuit of companies that are still not in compliance. Those companies that are found in violation of COPPA statutes will be aggressively fined $16,000 for every app download or login where COPPA is violated.
While the mobile advertising space is a complicated place, the recent crackdown on companies in suspicion of noncompliance with COPPA is the FTC’s announcement that the feds can, and will, keep up with the changing nature of technology, and will continue to afford children greater protection from online predators while doing so.
COPPA, codified at 15 U.S.C. §§ 6501–6506 and implemented through the FTC’s COPPA Rule at 16 C.F.R. Part 312, imposes five primary obligations on covered operators:
COPPA applies to two categories of operators: (1) operators of websites or online services directed to children under 13, and (2) operators of general audience websites or services who have actual knowledge that they are collecting personal information from children under 13.
Determining whether a website or service is “directed to children” requires analyzing the subject matter, visual content, use of animated characters or child-oriented activities, music or other audio content, age of models, celebrities, or other spokespersons, advertising, and whether the site uses child-oriented features such as games or contests. A site need not be exclusively for children — if it has substantial appeal to children under 13, it is likely covered.
Third-party services that operate on child-directed platforms — such as advertising networks, analytics providers, and social sharing plug-ins — are also covered by COPPA when they collect personal information from visitors to those child-directed sites. This is one of the areas addressed in the 2013 amendments: the FTC clarified that an operator of a child-directed site cannot shield itself from COPPA liability by using third-party services that collect data without obtaining parental consent.
Civil penalties for COPPA violations can reach $51,744 per violation (adjusted periodically for inflation), with each individual instance of unauthorized data collection treated as a separate violation. In practice, COPPA enforcement actions against major platforms have resulted in some of the largest civil penalties in FTC history.
The FTC also regularly pursues injunctive relief requiring violators to implement comprehensive compliance programs, submit to independent audits, and report violations to the Commission for extended periods. Reputational damage from a public FTC enforcement action can be significant, particularly for consumer-facing companies.
Companies that operate websites or apps with any likelihood of attracting child users should take the following steps:
Revision Legal’s Internet attorneys advise companies on COPPA compliance, privacy policy drafting, and responding to FTC inquiries. If you have questions about whether your website or app is subject to COPPA, or if you have received a communication from the FTC, contact us at 855-473-8474 or through our website.
Facebook agreed to pay $550 million to settle a class action lawsuit under Illinois’ Biometric Information Privacy Act. Here’s what the case means for biometric data law.
Read more about Facebook’s $550M Illinois Biometric Settlement
Seizing an infringer’s domain name is one of the most effective ways to stop IP theft online. Here’s how courts order domain transfers and what rights holders need to show.
Read more about Seizing an Infringer’s Domain to Stop Infringement
Recent court decisions on what counts as an ‘autodialer’ under the TCPA suggest restrictions may be loosening. Here’s what businesses using automated texts need to know.
Read more about TCPA Autodialer Decisions: Are Restrictions Easing?