Guide to COPPA

If your website or mobile app gathers personal information, it may have to comply with the Children's Online Privacy Protection Act, or COPPA.

This guide will look at the goals of COPPA and provide an overview of the law. Then it will discuss whether COPPA applies to your website or smartphone application.

If it does, you can read on to find what you need to do to comply with COPPA, including how to create a Privacy Policy and how to obtain parental consent.

Finally, this guide will outline the costs of non-compliance.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.

     PrivacyPolicies.com: Privacy Policy Generator - Select platforms - Step 1

  3. Add information about your business: your website and/or app.

     PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  4. Select the country.
  5. Answer the questions from our wizard relating to what type of information you collect from your users.

     PrivacyPolicies.com: Privacy Policy Generator - Answer questions from our wizard - Step 3

  6. Enter the email address where you'd like your Privacy Policy sent and click "Generate".

     PrivacyPolicies.com: Privacy Policy Generator - Enter your email address - Step 4

And you're done! Now you can copy or link to your hosted Privacy Policy.



Overview of COPPA

COPPA was created in 2000 to regulate how websites and online assets could gather information from children.

The goal of COPPA is to prevent online marketers from targeting children with deceptive campaigns that extract personal information from children. However, COPPA tries to succeed on this front without overly regulating the internet or suppressing online innovation or business.

COPPA is a federal law that is found at 15 U.S.C. §§ 6501 - 6505 and is enforced by the Federal Trade Commission (FTC). The FTC has issued numerous regulations about COPPA, which can be found at 16 C.F.R. § 312.

The Global Reach of COPPA

Because the internet does not abide by national boundaries, COPPA reaches beyond the physical borders of the United States.

Websites and online services that are based in other countries can still be subject to the requirements of COPPA if they knowingly collect personal information from or about children in the United States, or are directed at children in the U.S.

Some Non-Profits Exempted From COPPA

COPPA expressly exempts certain non-profit companies from its requirements.

If your company is a non-profit that is exempted from coverage under Section 5 of the Federal Trade Commission Act regulating unfair business practices, then COPPA will not apply to your company's online service.

Who Does COPPA Apply To?

COPPA applies to all websites and online services, including mobile apps, that either:

  • Exist for a commercial purpose and are directed towards children under 13 years old, or
  • Have actual knowledge that they are collecting personal information from children under 13 on their site or online service, or
  • Provide a service to other websites that collects information from those websites' users, where the other website is either directed towards children or has actual knowledge that some of its users are under 13

The terms personal information and actual knowledge are expansive enough that website owners can fall under the purview of COPPA without actively collecting information. Even passive data collection like tracking cookies can run afoul of COPPA.

When is a Site Directed Towards Children?

Online assets that are directed towards children have to comply with COPPA even if they do not have actual knowledge that someone under 13 is providing personal information.

The FTC looks to numerous factors to determine whether a site is directed at children, including:

  • What is on the site
  • What the site looks like
  • Whether the activities on the service or site use animated characters or other child-oriented visuals or incentives
  • Whether the site uses music that is designed to appeal to children under 13
  • Speech patterns and other language geared towards children
  • On-site advertising that is directed towards children
  • The site's actual user base and audience composition

For example, consider how the Endless Alphabet app would appeal to children based on its use of an animated character in a dancing position:

Screenshot of Endless Alphabet app icon in app listing

Now consider how the Trello organization app wouldn't have the same appeal to children due to its basic design:

Screenshot of Trello app icon in app listing

You can see how a child would be far more interested in checking out the Endless Alphabet app rather than the Trello app, and how the FTC would consider the Endless Alphabet app to be directed towards children for COPPA purposes.

Similarly, the Sesame Street website uses animated characters and bright colors, which would definitely appeal to children.

Screenshot of Sesame Street website homepage

Compare that to the Porsche Design website that has toned down colors, images of adults and nothing that would really be enticing to a child.

Screenshot of Porsche Design website homepage

Again, it's easy to see how the Sesame Street website could be considered to be directed towards children, while the Porsche Design website clearly is not.

What is Personal Information Under COPPA?

COPPA regulates websites that obtain personal information from U.S. children under the age of 13. What constitutes "personal information" is far-reaching and not just limited to things like Social Security numbers and bank account information.

As defined in 16 C.F.R. § 312.2, personal information includes:

  • First and last name
  • A physical or home address
  • Online contact information like an email address or username for an instant messaging platform
  • Telephone number
  • Social Security number
  • An online identification for the user, like a cookie that tracks a user's history or the user's IP address
  • Any file that contains a child's voice or picture
  • A child's geographic location

Many of these types of information - like a user's location or IP address - can be collected by default on some websites or devices.

What is Actual Knowledge Under COPPA?

Where a website, online service, or mobile app is not directed at children under 13, COPPA is not triggered until the owner of the service or site has actual knowledge that someone under 13 is providing personal information.

You get actual knowledge if you ask for, and receive, information from a user on your site or app that indicates the user is under 13. This can be the user's actual age, or a response about their grade level in school.

Actual knowledge gets tricky if your online resource or service deals with other websites. If you provide a service like a plug-in, application, or advertising for other websites that are directed towards children, this may give you the requisite actual knowledge that triggers your need to comply with COPPA.

How to Comply With COPPA's Requirements

In order to comply with COPPA, there are several steps you will have to take.

Prominently Post A Privacy Policy

One of the most important aspects of complying with COPPA is to prominently post a Privacy Policy on your website or app.

This Privacy Policy has to detail how your site collects and handles personal information from children under the age of 13. It also has to describe the information collection policies of third-party services on your site.

Your Privacy Policy has to be displayed prominently. Unlike Privacy Policies found on other websites, a link to the Policy in the footer at the very bottom of your homepage, like this one, will not satisfy COPPA:

Myers Freelance website footer

Instead, the link to the Privacy Policy has to be distinguishable from other links on the page.

Here's how PBS Kids makes its Privacy Policy link stand out with larger, italic font:

PBS Kids website footer

It also has to appear on the site's home page, as well as any other page that collects personal information from children, and has to be near the part of the screen that is requesting personal information.

The Privacy Policy also has to include certain information in order to comply with COPPA. The content of the Privacy Policy on your site or program has to include:

  • A list of everyone collecting personal information on your site, including third-party plug-ins or services. This list needs to include contact information (name, address, telephone number, and email address) for each entry.
  • A description of the types of personal information that are collected on the site.

    PBS Kids Privacy Policy: What information do we collect clause excerpt

  • Details about how the personal information is collected, such as whether it is actively given by the child or collected passively through the website's cookies.

    PBS Kids Privacy Policy: How do we collect information clause excerpt

  • A statement that describes how the personal information will be used once collected.

    PBS Kids Privacy Policy: We use the information we collect to clause excerpt

  • Whether the personal information collected on your site or app is provided to third parties. If personal information is disclosed to third parties, your Privacy Policy has to describe the kinds of businesses that receive the information, as well as how they use it.

    PBS Kids Privacy Policy: Do we share information we collect with any third parties clause excerpt

Furthermore, COPPA regulations require the Privacy Policy to be written clearly and simply so a child could understand it, with no promotional materials within it.

Send a Direct Notice to the Parents

You also have to actively send a direct notice to the parents of a child using your site or app. This direct notice has to be provided before any personal information is collected from the child.

Most sites accomplish this by posting a direct notice to parents like this one from Language City:

Language City: Screenshot of direct notice to parents - COPPA

Depending on the type of personal information that is being collected and the purpose for its collection, the direct notice being sent to parents has to include different things.

Common elements that need to be included, though, are:

  • An explanation of how you got the parent's online contact information
  • The personal information you want to collect from the child
  • What would happen to the information you collect
  • A request for the parent's consent
  • What happens if the parent refuses consent or does not reply to the direct notice
  • A link to your site's Privacy Policy

The precise details about what must be contained in a particular direct notice can be found at 16 C.F.R. § 312.4(c).

Generally, you need to obtain verifiable parental consent before collecting, using, or disclosing any personal information provided by a child under 13.

There are exceptions to this rule, but they are limited and tend to focus on your ability to collect contact information from a child in order to send direct notice to the child's parent.

How you can obtain verifiable parental consent to collect personal information from a child depends on whether you are going to disclose it to third parties.

If you are going to disclose the personal information, verifiable parental consent requires you to take reasonable steps to ensure the consent actually comes from the child's parent. This can be done by:

  • Providing a consent form for the parent to sign and return via mail, fax, or scan
  • Requiring the parent to use a credit or debit card to pay for the service
  • Requiring the parent to provide consent via a telephone call
  • Checking a parent's identity against a government database and then deleting the parent's identification form after verifying it

If you're not going to disclose the information, obtaining verifiable parental consent is easier.

You can use the email plus method, which involves:

  • Asking the parent to reply to the direct notice you have sent with an email that contains their consent, along with an optional phone or fax number or a physical address
  • After a reasonable time delay, either:
    • Sending an email confirming the parent's consent and including all of the information in the direct notice, plus notes on how the parent can revoke consent, or
    • If the parent's reply to the direct notice included their address or their phone or fax number, a confirmation notice using that type of communication

Here's an example of what an email would look like with the email plus method. It informs the parent that their child has requested to create an account with the website, and what will happen when the parent gives permission to have the account created. An activation link is included that the parent can click to give consent.

Bloxels Builder email for email plus method of parental consent under COPPA

Children will see this unlock screen until the parent clicks the link in the email or manually enters the code from the email:

Bloxels Builder unlock screen for parental consent under COPPA

This ensures that a child can't create an account until the parent gives consent.
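The gating described above (account locked until the parent acts, single-use activation code, a fresh notice when the Privacy Policy changes materially, and a way to revoke consent) can be modelled in a few dozen lines. The following is an added example, not code from PrivacyPolicies.com, Bloxels Builder or any vendor's product; the class and function names, the one-week code lifetime and the in-memory "outbox" standing in for an email sender are assumptions made for illustration. Consent is tied to the policy version the parent approved, so a material change leaves the account locked until the parent responds to the new notice.

```python
"""Consent-gating model for the "email plus" flow (added illustration; names,
the one-week code lifetime and the stand-in outbox are assumptions)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 7 * 24 * 3600  # assumed lifetime of an activation code


def _hash(code: str) -> str:
    # Only a digest is stored, so a leaked database does not leak live codes.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class PendingConsent:
    username: str
    parent_email: str
    code_hash: str
    created_at: float
    used: bool = False


@dataclass
class ChildAccount:
    username: str
    parent_email: str
    consented_version: int = 0  # Privacy Policy version the parent approved; 0 = none


class ConsentService:
    def __init__(self, policy_version: int, now=time.time):
        self.policy_version = policy_version
        self.now = now  # injectable clock so expiry can be tested
        self.accounts: dict[str, ChildAccount] = {}
        self.pending: dict[str, PendingConsent] = {}
        self.outbox: list[dict] = []  # constructed stand-in for an email sender

    def _issue(self, username: str, kind: str):
        """Create a single-use activation code and send the notice to the parent."""
        acct = self.accounts[username]
        code = secrets.token_urlsafe(16)   # unguessable; travels only in the email
        request_id = secrets.token_hex(8)
        self.pending[request_id] = PendingConsent(
            username, acct.parent_email, _hash(code), self.now())
        self.outbox.append({"kind": kind, "to": acct.parent_email,
                            "request_id": request_id, "code": code})
        return request_id, code

    def request_account(self, username: str, parent_email: str):
        """The child asks for an account: it is created locked and the direct notice goes out."""
        self.accounts[username] = ChildAccount(username, parent_email)
        return self._issue(username, "direct_notice")

    def redeem(self, request_id: str, code: str) -> bool:
        """Parent clicks the link or types the code; unlocks the account on success."""
        pc = self.pending.get(request_id)
        if pc is None or pc.used:
            return False
        if self.now() - pc.created_at > CODE_TTL_SECONDS:
            return False
        if not hmac.compare_digest(pc.code_hash, _hash(code)):
            return False
        pc.used = True
        self.accounts[pc.username].consented_version = self.policy_version
        self.outbox.append({"kind": "consent_confirmation", "to": pc.parent_email})
        return True

    def can_collect(self, username: str) -> bool:
        """Personal information may be collected only under the currently approved policy."""
        acct = self.accounts.get(username)
        return acct is not None and acct.consented_version == self.policy_version

    def revoke(self, username: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        acct.consented_version = 0
        return True

    def update_policy(self, new_version: int) -> dict:
        """Material change: existing consent no longer matches, so every consented
        parent gets a fresh notice with a new code. Returns the reissued requests."""
        self.policy_version = new_version
        return {u: self._issue(u, "material_change_notice")
                for u, a in self.accounts.items() if a.consented_version}
```

The model deliberately keeps `consented_version` on the account rather than a boolean flag: a single comparison in `can_collect` then covers first-time consent, revocation and re-consent after a policy change, and there is no separate "needs re-consent" state to forget to set.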

Notify Parents of Any Major Changes to Your Privacy Policy

Any time you make a material change to your Privacy Policy, you have to send parents another direct notice to update them of the change.

Material changes are those that alter a core element of the Privacy Policy, such as the types of personal information that can be collected on your site or app.

Websites Directed at Children That Don't Collect Information

It is possible for websites or mobile apps that are directed at children not to collect any personal information from them at all.

If this is the case with your site or app, then COPPA's requirements would not apply to your website.

However, creating such an insulated program online is not easy. If you think that your website has done it, you should make sure that there are no passive programs that collect IP addresses or assign cookies to users to track their movements on the site.

Penalties of Not Complying With COPPA

COPPA requires a lot from website owners and app developers whose services target children, and not complying with its requirements can be costly.

A violation of COPPA is treated as an unfair or deceptive trade practice, and is subject to civil fines. The amount of that fine depends on the specifics of your case, up to $41,484 per violation.

In early 2019, the largest FTC COPPA settlement to date occurred when the TikTok app (previously known as Musical.ly) was found to be collecting personal information from children under the age of 13 without parental consent and without appropriate levels of security for the data.

TikTok received thousands of complaints from parents requesting to have their children's information removed. Instead of fully deleting the information from company servers, TikTok simply deleted the user accounts. This was not adequate under COPPA.

Because of these violations, the FTC gave TikTok a civil penalty of $5.7 million.

Summary

Creating an online service that is geared towards children under 13 or that you know will deal with them triggers additional legal requirements under COPPA. You can satisfy them, though, by:

  • Recognizing whether COPPA covers your website or mobile app
  • Crafting an effective Privacy Policy
  • Sending direct notice to the parents of children using your site
  • Obtaining a parent's consent to collect information from their children
  • Updating parents on their rights, including when you change your Privacy Policy