
Increased COPPA Enforcement by the FTC

by John DiGiacomo

Partner

Internet Lawyer

As of September 2014, the Federal Trade Commission (FTC) has increased its activity in enforcing the Children’s Online Privacy Protection Act (COPPA). Between fines in the hundreds of thousands of dollars, a settlement with one of its third-party certification companies, and public reprimands coupled with demands for compliance, the FTC is making it clear that COPPA will be vigorously enforced. And the FTC is not alone: Google Play recently removed an application from its store because of a COPPA violation.

Because of the recent enforcement initiative, website and application operators who collect information from children should be familiar with COPPA and how to comply with the law.

What is COPPA?

COPPA, effective as of April 2000, requires more robust privacy policies of websites and applications directed at minors (those under 13 years of age). The act specifies what such privacy policies must detail, when and how to seek parental consent, and what the website or application operator must do to protect minors’ privacy and safety. The FTC has encouraged self-regulation of COPPA by granting “safe-harbor” classifications to companies that enforce the act and discipline violators before any FTC involvement.

Who needs to know?

Under the act, an operator is defined as “any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce.”

To fall under the act, the website must be “directed at children,” which includes entire websites or portions of websites that “target” children.

What COPPA Requires: Core Obligations

Privacy Policy Requirements

A COPPA-compliant website or app must post a clear and comprehensive privacy policy on its homepage and on every page where personal information is collected from children. The policy must describe: what information is collected from children; how that information is used; how the operator discloses the information, including third parties to whom the information may be disclosed; a description of parental rights; and contact information for the operator.

The privacy policy must be clearly written and easy for parents to understand — not buried in legal jargon or hidden in fine print. The FTC has found COPPA violations based on vague or incomplete privacy policies even where the operator’s actual data practices were not egregiously harmful.

Verifiable Parental Consent

Before collecting, using, or disclosing personal information from a child under 13, a covered operator must obtain verifiable parental consent. The FTC’s COPPA Rule provides several approved methods for obtaining verifiable parental consent, including: a signed consent form delivered by mail or fax; a credit card transaction that provides notification to the cardholder; a call to a toll-free number staffed by trained personnel; video conferencing; use of a government-issued identification verified against a database; or — in the case of operators who will only use personal information internally — an email accompanied by additional steps to provide reasonable assurance that the person providing consent is the parent.

The verifiable parental consent requirement is one of the most technically and operationally challenging aspects of COPPA compliance. Many operators have stumbled in this area, relying on parental consent mechanisms that the FTC has found insufficient — such as simple checkboxes asserting parental consent or email-only consent for uses that go beyond internal operations.

Data Minimization and Retention Limits

COPPA requires operators to collect only the information reasonably necessary for the child to participate in the relevant activity. Operators must also retain personal information from children only as long as reasonably necessary to fulfill the purpose for which it was collected and must delete that information using reasonable measures when it is no longer needed.

Parental Rights

Parents have the right to review the personal information collected from their children, to revoke their consent and require the deletion of their children’s personal information, and to refuse to allow further collection or use of their children’s information while still permitting the child to participate in an activity (where personal information is not a required element). Operators must provide clear and simple procedures for parents to exercise these rights.

2013 COPPA Amendments and the Expanded Scope of “Personal Information”

The FTC’s 2013 amendments to the COPPA Rule significantly expanded the definition of “personal information” covered by the statute. The amended rule covers: persistent identifiers (such as cookies, IP addresses, and mobile device identifiers) that can be used to recognize a user over time and across different websites; photos, videos, and audio files containing a child’s image or voice; geolocation information sufficient to identify street name and name of city or town; and screen or user names that function as online contact information.

The expanded definition has significant implications for mobile app developers, advertising networks, and analytics providers, all of whom may be collecting “personal information” in the form of persistent identifiers from child-directed apps without realizing they are subject to COPPA’s requirements. The FTC has targeted third-party advertising and analytics SDKs embedded in child-directed apps in several enforcement actions, holding the app developer responsible for the data collection practices of the third-party SDKs embedded in their apps.

Recent COPPA Enforcement Actions

The FTC has brought numerous COPPA enforcement actions resulting in substantial civil penalties. Notable recent cases include a $170 million settlement with Google and YouTube over YouTube’s COPPA violations — at the time the largest COPPA penalty in FTC history — and a $275 million penalty against Epic Games (creator of Fortnite) in 2022 for COPPA violations and dark patterns used to charge children for in-game purchases. The scale of these penalties reflects the FTC’s view that large platforms that knowingly expose children to privacy risks deserve correspondingly large penalties.

Contact Revision Legal for COPPA Compliance

Revision Legal’s internet attorneys advise website and app operators on COPPA compliance, privacy policy drafting, parental consent implementation, and FTC enforcement defense. Whether you are launching a new product that may reach children or assessing the COPPA compliance of an existing platform, we can help you navigate these requirements. Contact us today for a consultation.

Mixed-Audience Platforms and the COPPA Mixed-Audience Rule

Many platforms that are not exclusively directed at children nonetheless attract child users. Social media platforms, gaming apps, streaming services, and general-audience websites may have significant child user populations even if the platform was not designed for children. These “mixed-audience” platforms face particular COPPA compliance challenges because they cannot apply a blanket policy that treats all users as adults — but they also cannot obtain verifiable parental consent from every user in advance.

The FTC has addressed this in its guidance by providing a mixed-audience compliance path: a general-audience platform can apply a neutral age screen at registration and collect parental consent only from users who self-identify as under 13. The key is that the age screen must be genuinely neutral — it cannot encourage users to provide a false age, must not pre-populate an age that would indicate the user is 13 or older, and must treat users who indicate they are under 13 consistently with COPPA requirements.

Platforms that knowingly allow children under 13 to create accounts without parental consent — or that accept implausible ages from users who are clearly children based on their behavior and content — cannot hide behind a nominal age gate. The FTC’s case against Epic Games explicitly found that Fortnite’s nominal age screen did not protect it from COPPA liability given overwhelming evidence that the platform was used by large numbers of children under 13 who lied about their age to access the game. Contact Revision Legal to ensure your platform’s age screening and parental consent mechanisms are genuinely COPPA-compliant.
