Safeguarding children on the internet should be a priority for all, especially as technology becomes woven into virtually every facet of daily life. To address this concern, Congress enacted the Children’s Online Privacy Protection Act (COPPA) in 1998, which gives parents of children under 13 control over what personal information is collected from their children online. Here’s a rundown of how to remain COPPA-compliant when marketing your products and services to a customer base that may include minors. Read on to learn more!
Understanding COPPA
Since its inception, COPPA has protected the personal information of minors by requiring that websites and online services that collect personal information from children under 13 comply with the statute’s protective provisions or risk civil penalties in the form of significant fines. Fortunately for companies grappling with the specifics of COPPA compliance, the Federal Trade Commission (FTC) has issued a step-by-step business compliance guide to help them avoid regulatory action.
Website or Online Service?
The first question you should be asking is whether you fall under the purview of COPPA in the first place. That means understanding what the FTC considers a “website” or “online service,” both of which are broadly construed in the statute. Besides your standard, run-of-the-mill website, the following are also obligated to follow COPPA:
- Mobile apps that send or receive information online from users under age 13, such as network-connected games, social networking apps or apps that deliver behaviorally targeted ads
- Gaming platforms that are Internet-enabled
- Advertising networks
- Plug-ins
- Location services that are Internet-enabled
- VoIP services
- IoT devices, including Internet-connected toys
If your business falls under one of these categories, the next step is to determine whether your online activities are covered by COPPA. Luckily, the FTC makes it relatively straightforward to see which sites and services are in scope. If your organization falls under one of the following categories, you must comply with COPPA:
- Websites or online services that target users under age 13 and collect personal information
- Websites or online services that target users under age 13 and let third parties collect information
- Websites or online services directed to a general audience, when you have actual knowledge that you are collecting personal information from users under age 13
- Ad networks or plug-ins, when you have actual knowledge that you collect personal information from users of websites or services that target users under age 13
Be Proactive
When it comes to staying out of trouble with the FTC, the most important thing you can do is take affirmative action. Let’s say your organization is indeed covered by COPPA. The first thing you should do is post a clear and comprehensive privacy policy on your website that explains how your organization collects, uses, retains and discloses personal information from children. It should be linked prominently on your homepage and, if your site has a section directed to children, on that landing page as well, so that your bases are covered from a regulatory perspective. Be sure to include the following in your privacy policy:
- The name and contact information of every third party that collects or has access to the personal information, including plug-ins and advertising networks
- A thorough explanation of what personal information you collect from users under age 13, how it is collected, and how it is used and disclosed
- An overview of the rights afforded to parents, including a statement that you will not require a child to disclose more information than is reasonably necessary to use the product or service
Be Transparent
You will additionally need to give parents direct notice of your information-collection practices. This brief, clearly worded notice must tell parents:
- That you collected their contact information for the purpose of obtaining their consent
- That you intend to collect their child’s personal information
- That parental consent is required before you collect, use or disclose that information
- What specific information you will collect and under what circumstances it will be disclosed to others
- Where to find your privacy policy (a hyperlink to it)
- How the parent can provide consent to the collection and use of the child’s personal information. COPPA is flexible about the mechanism: any method reasonably calculated, in light of available technology, to ensure that the person giving consent is actually the child’s parent is acceptable, so it is largely up to the organization to choose a reliable one
Be Accountable
After a minor’s personal information is collected, the parent retains certain rights. Upon receiving a valid request from a parent, you must:
- Offer a way for the parents to review the personal data of the child that was collected
- Provide a method for parents to revoke their initial consent and to refuse further collection or use of the data
- Delete the minor’s data should the parent wish to do so
COPPA also requires that you establish and maintain reasonable procedures to protect the security, confidentiality and integrity of personal information collected from children. The following tips will help when putting such measures in place:
- Collect only the minimum amount of information required to provide your product or service
- Implement reasonable procedures to ensure that personal information from users under age 13 is shared only with vetted third parties capable of maintaining an equivalent level of security and confidentiality
- Only retain personal data for as long as it is reasonably necessary to achieve the delivery of the product or service
- Establish a secure procedure to dispose of personal data after it is no longer legitimately necessary to retain it
Helpful Resources
All of these compliance steps can seem a bit daunting, especially if you are just getting acquainted with the requirements. Luckily, a number of independent organizations offer self-regulatory programs that the FTC has approved under COPPA’s safe harbor provision. Participants that follow an approved program’s guidelines are treated as compliant with COPPA and are subject to the program’s own review and disciplinary process rather than formal FTC enforcement, as long as they keep complying with the program’s requirements. The following is a list of FTC-approved safe harbor organizations, in case you want the added peace of mind that all your “i’s” are dotted and “t’s” are crossed when it comes to COPPA:
- Aristotle International Inc.
- Children’s Advertising Review Unit (CARU)
- Entertainment Software Rating Board (ESRB)
- iKeepSafe
- kidSAFE
- Privacy Vaults Online, Inc. (d/b/a PRIVO)
- TRUSTe