If your business collects information from children under the age of thirteen, then it is imperative that you familiarize yourself with the Children’s Online Privacy Protection Act (COPPA). COPPA was enacted to provide parents with control over the information collected from their children online. A Priori privacy lawyer can help you comply with the COPPA requirements and avoid running afoul of the Federal Trade Commision (FTC).
COPPA is a federal law that imposes certain requirements on operators of websites or online services directed at children under 13 years of age, as well as on those operators that have actual knowledge that they collect personal information from children under 13 years of age. Under COPPA, personal information includes any information that would allow someone to identify or contact the child, including the child’s full name, home address, email address, telephone number, photograph or any information such as hobbies, interests and information collected through cookies when they are tied to individually identifiable information.
To comply with COPPA, operators of websites or online services must:
Provide notice to parents and obtain parental consent before collecting information;
Provide parents options to allow collection of data for internal use only and not for the use by third parties;
Allow parental review and/or deletion of the child’s collected personal information;
Give parents the opportunity to prevent further use or online collection of a child's personal information;
Maintain the confidentiality, security and integrity of information they collect from children; and
Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
Frequently Asked Questions
What are the penalties for violating COPPA?
Both federal and state agencies have authority to enforce COPPA where they have jurisdiction. Operators who violate COPPA can be held liable for civil penalties up to $16,000 per violation. In determining civil penalties, courts consider the egregiousness of the violation, the operator’s history of violations, the size of the company, the number of children involved, the amount, type and use of information collected and whether the information was shared with with third parties.
How can you obtain verifiable consent from parents to collect, using or disclosing a child’s personal information?
Generally speaking, you must obtain consent from parents to collect, use or disclose a child’s personal information. COPPA does not dictate a singular method of obtaining consent, but enables operators to choose a reasonably method in light of available technology. The FTC provides a list of examples of acceptable methods of obtaining consent that includes signing a consent form, using a credit card, debit card, or other online payment system that provides notification of each separate transaction to the account holder, calling a toll-free number staffed by trained personnel, connecting to trained personnel via a video conference or providing a copy of a form of government issued ID that you check against a database, as long as you delete the identification from your records when you finish the verification process.