COPPA: Protecting Children’s Privacy Online
Do you operate a website or app that is targeted at children? Even if your website or app is targeted at a general audience, do you know whether you collect any personal information from children? If you answered either of those questions with a “yes” or even a “maybe,” there is a good chance you are subject to the Children’s Online Privacy Protection Act of 1998 (COPPA). Under COPPA, operators of a website or online service directed to children under the age of 13, or who have actual knowledge that they are collecting personal information from children under the age of 13, are generally prohibited from collecting that information without verifiable parental consent. While there are exceptions and safe harbors to this general rule, compliance can be quite burdensome for start-ups with limited resources.
The Trouble with Verifiable Parental Consent
The Federal Trade Commission (FTC), charged with enforcing COPPA, proclaims, “the primary goal of COPPA is to place parents in control over what information is collected from their young children online.” Hence, compliance with COPPA requires some method of obtaining verifiable parental consent before the operator collects, uses, or discloses a child’s personal information. This is the hurdle that trips up most startups falling under COPPA. As you can see below, the process of obtaining this consent is burdensome and at odds with a startup’s efforts to onboard new users with as little friction as possible. The FTC summarizes the rule as requiring covered operators to do all of the following:
- Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
- Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
- Provide parents access to their child’s personal information to review and/or have the information deleted;
- Give parents the opportunity to prevent further use or online collection of a child’s personal information;
- Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
- Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
As a writer, I will be lucky if you actually read through all six of those requirements, let alone grasped what each demands for compliance. Now, imagine trying to advise a start-up to implement each of them . . . yeah, right.
Why You Should Comply with COPPA
While there are exceptions to the prior-parental-consent requirement, they are too narrow for the scope of this post and unlikely to change the compliance picture for most operators. So, why should operators care about being subject to COPPA, and how can they reasonably comply? Violators of the rule can be held liable for civil penalties of up to $16,000 per violation, which adds up quickly and can stop a cash-strapped start-up in its tracks.
Realistic Solutions for Complying with COPPA
1. Don’t Fall Under COPPA by Clearly Avoiding Child Users – The cheapest and easiest way to comply with COPPA is to simply not fall under the rule in the first place: don’t direct your service to children under the age of 13, and make sure you aren’t knowingly collecting personal information from children under the age of 13.
2. “Age-gate” to Avoid Falling Under COPPA – To stay outside COPPA’s coverage, consider one of the following options that use an “age gate,” a screen that asks the user to enter their date of birth before they can use the website or app and then routes them according to the age that date implies:
- If the user is under the age of 13, deny access to the website or app.
- If the user is under the age of 13, you can instead allow the user to access the online service only through a “safe mode” that does not collect, use, or disclose the child’s personal information. This means prohibiting the child from setting up any type of account or profile, and it requires close monitoring of the child’s activity: any free-text or other input from the child must be screened so that it cannot be used to identify the otherwise anonymous user.
3. Use a Safe Harbor Program – One plausible route for obtaining verifiable parental consent is through the FTC-approved COPPA safe harbor programs. Examples of these safe harbor programs include iKeepSafe, KidSAFE, and TRUSTe. While there seems to be some uncertainty surrounding these programs, the prospect of having service providers handle companies’ COPPA compliance is appealing and most likely the direction we are heading. These programs can serve as a portal for parents to read the privacy policies of multiple websites and provide consent, all in one easy-to-use location. Of course, this comes at a cost.
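The age-gate option above (deny, or route to a safe mode) is the one piece of this that an engineer actually builds, so here is a worked example. This is an added illustration, not code from the original post and not anything the FTC prescribes: the date arithmetic, the "first answer per session sticks" rule, the `deny`/`safe_mode`/`full` decisions, and the identifier-stripping regexes are all design assumptions about how an operator might build such a gate. It also goes slightly beyond the post by handling the two edge cases that most hand-rolled gates get wrong (a birthday that falls on the screening day, and a February 29 birthday) and by refusing a retry with an older date from the same session.

```python
"""Age gate and safe-mode input filter for a COPPA-motivated age screen.

Constructed example (not the post's code). The date arithmetic, the
"first answer per session sticks" rule and the regexes are assumptions
about one reasonable design; they are not FTC-mandated mechanics, and an
operator should confirm its own gate design with counsel.
"""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional

COPPA_AGE = 13  # COPPA applies to children under 13


def age_on(dob: date, today: date) -> int:
    """Whole years from dob to today, exact on the birthday itself.

    A Feb 29 birthday counts as reached on Mar 1 in non-leap years, so the
    gate never counts a child as older than they are.
    """
    if dob > today:
        raise ValueError("date of birth is in the future")
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1  # this year's birthday has not happened yet
    return years


def parse_dob(field_value: str) -> date:
    """Parse the YYYY-MM-DD form field; reject anything malformed."""
    try:
        return date.fromisoformat(field_value.strip())
    except ValueError as exc:
        raise ValueError(f"invalid date of birth: {field_value!r}") from exc


@dataclass
class AgeGate:
    """Age screen that remembers each session's first answer, so a visitor
    who is turned away cannot press back and submit an older birth date.

    The in-memory dict stands in for whatever session store the site uses
    (assumption for the example)."""
    under_13_policy: str = "deny"  # or "safe_mode" (the post's option 2)
    _answers: Dict[str, str] = field(default_factory=dict)

    def screen(self, session_id: str, dob_field: str,
               today: Optional[date] = None) -> str:
        """Return 'full', 'safe_mode' or 'deny' for this session."""
        if session_id in self._answers:
            return self._answers[session_id]  # first answer sticks
        today = today or date.today()
        age = age_on(parse_dob(dob_field), today)
        decision = "full" if age >= COPPA_AGE else self.under_13_policy
        self._answers[session_id] = decision
        return decision


# Safe mode: strip the obvious identifiers from free text before it is
# stored or displayed. Pattern matching is a coarse backstop only; the
# stronger control is to have no free-text fields in the under-13 path.
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
_PHONE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")


def redact_identifiers(text: str) -> str:
    """Replace e-mail addresses and US-style phone numbers with [removed]."""
    text = _EMAIL.sub("[removed]", text)
    return _PHONE.sub("[removed]", text)


if __name__ == "__main__":
    today = date(2025, 6, 1)  # fixed date so the demo is reproducible
    gate = AgeGate(under_13_policy="safe_mode")
    print(gate.screen("sess-a", "2012-06-01", today))  # turns 13 today -> full
    print(gate.screen("sess-b", "2015-01-15", today))  # age 10 -> safe_mode
    print(gate.screen("sess-b", "1990-01-01", today))  # retry ignored -> safe_mode
    # constructed sample input for the safe-mode filter
    print(redact_identifiers("write me at kid@example.com or 555-123-4567"))
```

Two design notes. First, the screen asks for a date of birth rather than a yes/no "are you over 13" question, so it does not telegraph the answer that unlocks the site. Second, whichever `under_13_policy` you pick, the session-scoped memory is what keeps the gate from being a formality; without it a child just reloads and types a different year.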
Understandably, some operators will fall under the umbrella of COPPA because of their business model. In that case, it is highly recommended that you consult a COPPA compliance attorney before launching the online service. However, if it is possible to exclude children from your online service, consider the approaches above for staying outside COPPA’s scope.