By: Angela Bozzuti, Product Manager, Lexis Practice Advisor
The Children’s Online Privacy Protection Act and Rule (COPPA) is a federal law that places parents and legal guardians in control over the collection, use, and disclosure of their children’s personal information (PI). COPPA applies to:
Under COPPA, the Federal Trade Commission (FTC) is tasked with issuing regulations for the implementation of the law, which can be found at 16 C.F.R. § 312.1 et seq. The FTC, and to a lesser degree, other federal and state agencies, enforce COPPA compliance. Violating COPPA can lead to significant financial and administrative liability. Violators can incur civil penalties of up to $16,000 per violation; be ordered to delete all information collected in violation of COPPA; and become subject to record-keeping, reporting, and/or monitoring requirements by the FTC for years. Civil penalties against a COPPA violator have been as high as $3,000,000. See U.S. v. Playdom, Inc., SACV110-00724 (C.D. Ca. 2011).
In addition to the financial burdens potentially imposed by COPPA enforcement actions, reputational harm for a COPPA violation might be the most costly consequence. The online privacy of children is a hot-button issue, and the public is very sensitive to the improper use or disclosure of a child’s information. The financial penalties and reputational harm of a COPPA violation make it incumbent upon website operators to pay close attention to their online data collection activities.
This article discusses how to determine whether COPPA applies to your client, and if so, how to collect, use, and disclose the PI of children in compliance with the requirements of COPPA and the FTC.
COPPA targets a specific subset of online service operators who either seek to collect the PI of children under 13 or have actual knowledge that such collection is occurring (even if not intended). To determine whether COPPA applies, evaluate your client’s activities in the context of the following questions:
If the answer to all three questions is affirmative, then COPPA applies and your client must meet the various requirements that will be discussed in this article.
This section provides additional insight into the FTC’s determination of whether COPPA is applicable to a particular online service or app.
Does Your Client Collect Personal Information?
COPPA applies only to the collection of children’s PI, so review of the applicable information collection practices is necessary to determine whether your client is subject to COPPA’s requirements.
COPPA defines PI as information that is collected online and identifies an individual, including:
The FTC provides this list as a guide in rule 16 C.F.R. § 312.2 and includes the most common types of PI. However, these are only meant to be examples. The list is not exhaustive.
If your client collects PI, consider whether it actually needs to do so. If PI isn’t necessary for your client’s online service or app to function as intended, then ending the practice of PI collection might save a lot of time and trouble and significantly reduce the risk of liability.
Is Your Client an Operator under COPPA?
COPPA governs the online collection of PI, and as such pertains only to online “operators.” An operator is any person or entity that:
A person or entity that operates a plug-in or ad network that collects PI on a third party’s website or app is considered an operator under COPPA, placing such operators in the same position as those who operate the website or app. The FTC has pursued enforcement actions against such entities, most recently against the mobile advertising company InMobi.[1] See FTC Press Release.
Is the Online Service or App Directed to Children under Age 13?
To determine if COPPA applies, you must look at both the intended and actual age of the relevant audience. COPPA applies to online services or apps where:
COPPA does not apply if the online service or app is not directed to children under 13 and/or if your client has no knowledge that its online service or app actually does collect PI from children under 13.
If the online service or app is targeted to a general audience over age 13, but includes a section of the website or app directed to children under 13, then COPPA applies to that section.
The FTC looks at a number of factors to determine whether an online service or app is directed to children under 13 for purposes of enforcing COPPA. These factors include:
If the answer isn’t clear, or it is possible that any of the above factors might point to a target audience under age 13, consider taking the steps necessary to comply in light of the potential risks and liabilities of incurring a COPPA violation.
A real-life example where industry watchdogs are grappling with this question comes from the advent of “smart speaker” devices, such as iPhone’s Siri or Amazon’s Echo. These devices have recently come under scrutiny because they collect voice comments from children without express parental consent, which could be a violation of COPPA. While it is arguable whether these services are directed to children, it might not be a stretch to say these companies have actual knowledge that their devices will capture the voices of children under 13. No official action or complaint has been brought in this regard, but it raises an interesting issue about the scope of COPPA and the interpretation of its requirements.[2]
COPPA compliance is accomplished at two separate phases of an online service’s or app’s lifecycle: before collecting the PI of children under 13 and after. Without diminishing the importance of compliance after collecting a child’s PI, the crux of COPPA lies in parental notice and consent before any information collection happens. The focus of most FTC enforcement actions is failure to comply with COPPA before collecting PI. Consequently, the more rigorous COPPA requirements must be addressed before your client collects PI.
To comply with COPPA before collecting a child’s PI, your client must:
All three of these steps must be successfully completed before an operator may collect a child’s PI, with the limited exceptions described below in Limited Exceptions to Parental Consent. Once an operator has collected a child’s PI, the operator is obligated to keep the PI secure and treat it in accordance with the measures described later in this article.
Post a Clear and Conspicuous Privacy Notice
COPPA requires a clear, conspicuous, and easy-to-read (i.e., plain language) privacy notice posted on the online service or app. This allows users to access and understand the information necessary to decide whether that user or a parent wants to provide the child’s PI.
The privacy notice must clearly describe how the operator handles the PI of children, including:
Because the privacy notice must be conspicuous, a link at the bottom of a website or app is likely insufficient. Use a link or other conspicuous notification pointing to the privacy notice at the top of the homepage, for example, to ensure that parents receive adequate notice.
Provide Direct Notice to Parents
Separate and apart from the privacy notice discussed above, COPPA requires that operators, prior to collecting child PI, provide direct notice to the parents or guardians of a child under 13 who attempts to access or use the online service or app. COPPA-compliant direct notice tells parents that their children have requested to use the operator’s online service or app, describes the operator’s collection and use practices regarding the children’s PI, and provides a mechanism for parents to give verifiable consent for their children to use the online service or app.
As opposed to the privacy notice, which sits passively on an online service or app, direct notice is a disclosure sent directly to the parent or guardian. The direct notice obligation is triggered when the child takes some action on the online service or app that does or will result in collection of that child’s PI. COPPA allows the operator to collect the name and online contact information (usually an email address) of the child and the child’s parent or guardian for the purpose of providing direct notice to the parent or guardian, and ultimately obtaining verifiable parental consent. There are a few additional purposes for which an operator might collect online contact information, but these are very limited in scope and come with a number of restrictions, as described in more detail in Limited Exceptions to Parental Consent.
Once an operator receives the online contact information, it must provide direct notice to the child’s parent or guardian. Direct notice must notify the child’s parent of the following:
After an operator provides direct notice, it must then seek the parent’s verifiable consent before collecting a child’s PI.
Obtain the Parent’s Verifiable Consent
COPPA requires an operator to get the consent of a child’s parent or legal guardian before collecting that child’s PI because children under age 13 are considered incapable of understanding the implications of sharing their PI. Thus, operators must notify the child’s parent about what PI will be collected and how it will be used, so the parent can decide on the child’s behalf.
Because of the sensitivity around child PI and the fears of its manipulation and exploitation, parental consent must be affirmative and verifiable. Verifiable consent requires that the operator be reasonably sure the person providing consent is in fact the child’s parent or legal guardian.
Operators have some flexibility as to the method they use to obtain affirmative, verifiable consent from parents. COPPA requires that the method be “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.”[3] The FTC has provided guidance on what methods meet these criteria, but also considers proposals of new methods.
Common ways to obtain verifiable parental consent, which the FTC has determined satisfy the requirements of COPPA, include:
Except in limited circumstances, including collecting PI for the sole purpose of obtaining parental consent, an operator must obtain consent from a child’s parent or guardian in one of these ways, or as otherwise approved by the FTC, before collecting any additional PI from that child. See Limited Exceptions to Parental Consent, below.
E-mail Plus is considered a relatively simple way to verify a parent’s consent under COPPA, but it can only be used if the operator is not disclosing any PI to third parties. COPPA defines such disclosure as the sharing of a child’s PI with third parties, or otherwise allowing that information to be made public (e.g., on message boards, chat rooms, social media, a “share with a friend” function, or any form of public posting).
If your client does not disclose child PI to third parties, then it may request that the parent or guardian reply to its direct notice via e-mail to provide consent.
When requesting that the parent or guardian reply to the direct notice, an operator must do one of the following to confirm that parent’s consent:
The second confirmation e-mail should:
The FTC recently approved knowledge-based authentication for COPPA compliance. This method of identity verification is sometimes also found when logging into certain financial institution websites and accounts.
Knowledge-based authentication works as follows:
These questions ask for “out-of-wallet” information, meaning information that cannot typically be obtained through the contents of a person’s wallet. Examples include past addresses or phone numbers.
Limited Exceptions to Parental Consent
The receipt of verifiable parental consent in certain situations may be overly burdensome. The FTC allows for certain limited exceptions to the parental consent requirement, and even then imposes certain obligations on the operator.
COPPA allows operators to collect a child’s PI without prior verifiable parental consent in the following situations:
Other than the specific pieces of PI noted above under each exception, collection of any other child PI remains prohibited under COPPA without verifiable consent. Exceptions to COPPA’s parental consent requirement are displayed in the adjacent flowchart.
Although most of the COPPA requirements apply before a child’s PI is collected, an operator’s obligations continue as long as the operator holds that PI. Parents and guardians rely on the safety and proper use of a child’s PI when they give the operator consent to collect it, and failure to keep that PI safe and use it properly exposes the operator to the same enforcement actions and reputational harm previously discussed in this note.
Once an operator collects a child’s PI, COPPA requires the operator to:
Give Parents Control over Their Child’s PI
An operator must give parents and guardians control over the ongoing collection, use, and disclosure of their child’s PI, as well as its deletion. Specifically, an operator must allow parents:
Keep Child PI Secure
COPPA requires operators to adopt reasonable measures to keep child PI secure and confidential. Look to general data privacy industry standards, including:
Vet Third-Party Service Providers
Operators are responsible for the PI they collect from children on their online service or app, even when that PI is in the possession or control of a third-party service provider. The same is true for third parties that operators allow to collect and use PI on the operator’s online service or app.
Best practice is to design and implement procedures for carefully reviewing and monitoring the data collection and use practices of all service providers, as well as their information security practices. For example:
If you determine that your client must comply with COPPA, consider taking advantage of COPPA’s safe harbor program, established according to 16 C.F.R. § 312.11. Under this program, the FTC accepts the applications of independent third-party industry members or others that propose self-regulatory frameworks regarding COPPA’s information collection, storage, and verifiable consent requirements. Upon the FTC’s review and approval of such frameworks, these independent third-party frameworks are deemed to be COPPA-compliant safe harbor programs.
Operators participating in the FTC-approved safe harbor program, in most cases, are only subject to the review and enforcement procedures described in the program’s guidelines, and not the traditional and more formal FTC investigation and enforcement procedures.
Unrelated operators who follow these FTC-approved self-regulatory frameworks are considered COPPA-compliant.
These FTC-approved safe harbor services include:
Angela Bozzuti is a Product Manager for Lexis Practice Advisor. She joined LexisNexis from Davis & Gilbert, LLP where she handled intellectual property issues and was previously associated with the intellectual property boutique firm of Ostrolenk Faber LLP. Research assistance was provided by Lori A. Bennett, associate at Lowenstein Sandler LLP.
1. FTC Press Release, Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of Consumers’ Locations Without Permission (June 22, 2016), available at https://www.ftc.gov/news-events/press-releases/2016/06/mobile-advertising-network-inmobi-settles-ftc-charges-it-tracked (mobile ad network settled charges that it deceptively tracked consumers’ locations, including children, for geo-targeted advertising purposes without obtaining parental consent; subject to $950,000 civil penalty).
2. See, e.g., The Internet of Things Has a Child Privacy Problem, The Wash. Post (June 6, 2016), available at https://www.washingtonpost.com/news/the-switch/wp/2016/06/06/the-internet-of-things-has-a-child-privacy-problem/.
3. Children’s Online Privacy Protection Rule, 16 C.F.R. § 312.5(b)(1).