Children's Online Privacy Protection Act (COPPA): The Basics
Almost 20 years ago, congress passed a bill to protect young internet-users from companies that collect, maintain, or sell personal data. Drafted and enforced by the Federal Trade Commission (FTC), these laws were incredibly prescient, as internet use in the U.S. has grown over 200% since the turn of the century and children today are beginning to explore the world wide web at increasingly younger ages. So why does this matter for today’s business owners?
When COPPA was first proposed in 1998, it aimed to address a new type of cyber-marketing technique where marketing agencies specifically targeted young internet-users. Somewhat unexpectedly, today’s COPPA regulations cover any type of business that hosts a website, app, or other online-based service that: 1) collects personal information, and 2) might be used by children under the age of 13. In other words, while COPPA was conceived to control aggressive marketing companies, the proliferation of the internet has rendered COPPA applicable to all types of U.S. retailers and a surprisingly large amount of small businesses.
COPPA Compliance: the FTC’s 6-Step Plan
Today’s COPPA regulations are unexpectedly applicable to a wide-range of U.S. businesses. For this reason, the agency has recently released a 6-step compliance plan for any company that may be subject to child privacy-protection regulations:
Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13
The first step is to identify exactly which regulations apply to your business. This may seem obvious, but a sizable amount of consumer lawsuits stem from unawareness or simple misinterpretation of the privacy laws. If your website collects personal data (or allows a 3rd party to collect data) and may be used by children under the age of 13, it must be COPPA compliant.
- Which Information is Being Collected
- How this Information is Collected
- How this Information is being Used
- If it’s being Released/Sold to 3rd Parties
- Names of 3rd Parties Involved
Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids
Step 4: Get Parents’ Verifiable Consent Before Collecting Personal Information from Their Kids
Obtaining verifiable parental consent is among the most controversial aspects of COPPA, simply because it’s many-times unrealistic. How can your remotely verify that a parent gave consent for their child to use your site? According to the FTC, “COPPA leaves it up to you, but it’s important to choose a method reasonably designed in light of available technology to ensure that the person giving the consent is the child’s parent.” This could include a signed consent form, verifiable photograph, or use of a credit card for verification.
Step 5: Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids
Even after parental consent is obtained and the data is collected, operators are required to honor the rights and protections associated with the personal information. For instance, if a parent requests you delete the information, the request must be granted.
Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information