Columbus Data Security and Privacy Lawyer: The Children's Online Privacy Protection Act

Introduction The Children’s Online Privacy Protection Act (“COPPA”) aims to protect the privacy of children under the age of 13 years old. Specifically, COPPA was enacted to address the rise of online marketers targeting children and collecting their personal data. The Federal Trade Commission (the “FTC”) is the primary government body that enforces COPPA.

COPPA Requirements

COPPA applies to operators of commercial websites and online services, including mobile apps, that are directed at children under the age of 13 (the “Protected Children”) which collect, use, or disclose the personal information of Protected Children. COPPA also applies to operators of any general websites or online services, including mobile apps, which have actual knowledge that they are collecting, using, or disclosing personal information of Protected Children. Collectively, the operators of both of these classes of websites and online services are referred to herein as the “Operators”. COPPA does not apply to nonprofit entities.

Enforcement agencies apply several factors when determining whether a website or online service is “directed to children”, such that COPPA would apply. These factors include the subject matter of the website, visual content and use of animation, music and audio, advertising on the website that is directed to children, and the presence of child celebrities.

“Personal Data” under COPPA is defined as any personally identifiable information including name, physical address or any other geolocation information, online contact information, screenname or username, telephone number, social security number, and any photograph, video, or audio file containing a Protected Child’s image or voice. Any information concerning the Protected Child that is collected and combined with any Personal Data is also subject to the same protections under COPPA. Personal Data under COPPA only includes information collected from a Protected Child; COPPA does not regulate personal data about a child if it is not collected from the child.

COPPA applies to not only websites but also mobile apps and any service that connects to the internet or a wide-area network. COPPA regulations cover network-connected video games, social media platforms, online advertisements, VoIP services, and any internet-connected mobile apps.

COPPA regulations apply to Personal Data of Protected Children regardless if that data is collected voluntary or as a mandatory condition of using the goods or services. COPPA is read broadly enough to stretch this to include information that Protected Children voluntarily post on social media platforms and through other internet services.

The age requirement under COPPA does not require Operators to verify a user’s age. COPPA’s requirements only apply when Operators have “actual knowledge”; if a user lies about their age, an Operator is not required to verify.

COPPA sets forth the following requirements:

Parental Consent. Operators must obtain verifiable parental consent before collecting or using Personal Data of Protected Children.

Option to Prohibit Disclosure. Operators must give parents the option to prohibit the Operator from disclosing and/or sharing any Personal Data of the parent’s Protected Child but give consent to the Operator to collect and use internally the Personal Data of the Protected Child.

Right to Access and Review. Operators must give parents access to the Personal Data for review.

Privacy policy. Operators must post a clear and comprehensive privacy policy that is prominently displayed (either directly on the homepage or through a link).

The following must be included:

• Name, address, telephone number, and email address of all Operators collecting or maintain personal information through the website/service;
• Description of what information is collected;
• Whether Protected Children can make Personal Data publicly available;
• How the Operator uses collected information; and
• Disclosure practices for collected information.

A privacy policy must also explicitly state that a parent can review and have deleted any of the Protected Child’s Personal Data and prohibit the further collection and use of previously collected data.

Enforcement, Violations, and Fines

Individuals who believe a COPPA violation has occurred may file a complaint online with the FTC at https://www.ftccomplaintassistant.gov. Other state and federal agencies also have the authority to enforce COPPA. Fines for violations of COPPA can reach up to $40,000 per violation.