The Children’s Online Privacy Protection Act, or “COPPA” (the “Act”), is a federal law “which prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.” It does so by placing obligations on operators of websites and other online services, including mobile apps and IoT (“Internet of Things”) devices, and by empowering parents of children who use such websites, apps, devices, or other online services to control how information concerning their children is collected and used by online operators. A description of the Act is set out in 15 USCS § 6501, et seq., and implementation of the Act is set out in 16 CFR 312.1, et seq.
COPPA applies to any “Operator” of a website or online service that is either (i) “directed to children,” or (ii) collects personal information from a child. 15 USCS § 6502. The Act defines an “Operator,” in pertinent part, as “any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce.” 15 USCS § 6501(2)(A). The Federal Trade Commission (the “FTC”) has also confirmed that operators of mobile apps and IoT devices are covered by the Act.
A website or other service is (somewhat unhelpfully) deemed by the Act to be a “website or online service directed to children” if such site is, in whole or in part, a “commercial website or online service that is targeted to children.” 15 USCS § 6501(10). “Collecting” information is slightly better defined as:
(1) Requesting, prompting, or encouraging a child to submit personal information online;
(2) Enabling a child to make personal information publicly available in identifiable form. An operator shall not be considered to have collected personal information under this paragraph if it takes reasonable measures to delete all or virtually all personal information from a child’s postings before they are made public and also to delete such information from its records; or
(3) Passive tracking of a child online. 16 CFR § 312.2.
Although numerous types of website or online services may fall under the Act’s purview, social media sites; online gaming sites or apps; sites, blogs, or accounts concerning cartoons, anime, or children’s videos; or websites and accounts that market products and goods aimed at, or use influencers popular with, children are more likely to be implicated.
Among other things, COPPA generally requires that Operators:
(a) Provide notice on the Web site or online service of what information it collects from children, how it uses such information, and its disclosure practices for such information (§ 312.4(b));
(b) Obtain verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children (§ 312.5);
(c) Provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance (§ 312.6);
(d) Not condition a child’s participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity (§ 312.7); and
(e) Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children (§ 312.8).
16 CFR § 312.3.
The Act contains additional detailed requirements for how Operators can and must meet each of the above-listed requirements. Failure to comply with the Act may result in significant financial and administrative penalties.
Operators of websites, apps, and other online services can take numerous internal and external steps to help ensure they are compliant with COPPA obligations, including:
1. Conducting periodic audits to (a) examine if and how COPPA applies to them, (b) examine if and how they are currently meeting COPPA requirements, and (c) determine if and how they should develop and implement plans for ongoing compliance;
2. Drafting and maintaining a COPPA-compliant privacy policy on their website;
3. Issuing and collecting other required disclosures, notifications, and consents; and
4. Drafting, maintaining, and implementing internal policies, procedures, and controls to help ensure COPPA compliance.
All websites, apps, or other online services should clearly address if and how they collect personal information of users, even if COPPA does not apply. Additionally, a website, app, or online service that is not subject to COPPA may want to clearly state that the site is not meant to be accessed or used except by adults over the age of 18, and/or clearly state in a privacy policy that the site or service does not, and does not intend to, collect the personal information of children under a certain age.