1. Is your website or online service directed at COPPA Kids and you collect personal information from them?
2. Is your website or online service directed at COPPA Kids and you let others collect personal information from them?
3. Is your website or online service directed to a general audience, but you actually know that you collect personal information from COPPA Kids?
4. Is your company running an ad network or plug-in, or a similar type of service, and you actually know that you collect personal information from users of a website or online service directed at COPPA Kids? (this makes you one of the “others” referred to in Question 2).
If the answer to any of the four questions is yes, your company is subject to COPPA.
Let’s break it down a little further. First, you will notice that I used the phrase “website or online service” several times. COPPA and the FTC define this phrase very broadly. It includes:
- Standard websites, obviously, and this being 2014, you should know what they are
- Mobile apps that send or receive information online, such as network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads
- Internet-enabled game platforms
- Plug-ins
- Advertising networks
- Internet-enabled location-based services
- Voice-over-internet-protocol (VoIP) services
Next, how do you know if your site or service is directed at COPPA Kids? The FTC will look at a variety of factors to decide if a website or online service is directed to COPPA Kids. Factors could include one or more of the following:
- the subject matter or the website or service,
- visual and audio content,
- the use of animated characters,
- the use of child-oriented activities and incentives,
- the age of models,
- the use of child celebrities or celebrities who appeal to kids (that includes you, Justin Bieber, and you too, Katey Perry),
- ads directed to children, and
- other evidence about the age of the actual or intended audience.
What are the kinds of “personal information” that might trigger COPPA? Some items are pretty obvious, while others should get your immediate attention:
- Full name
- Home or other physical address, including street name and city
- Online contact information, such as an email address or other identifier that permits someone to contact a person directly – these include instant messaging (IM) names, VoIP names, and video chat names
- Screen name or user name where it functions as online contact information
- Telephone number
- Social Security number
- A persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, IP address, processor or device serial number, or a unique device identifier
- A photo, video, or audio file containing a COPPA Kid’s image or voice
- Geolocation information sufficient to identify a street name and city
- Other information about the COPPA Kid or parent that is collected from the child and combined with one of these other identifiers
Finally, what does it mean to “collect?” First, you are collecting personal information if you request, prompt, or encourage the submission of such information, even if it is optional. Second, you are collecting if you let information be made publicly available (for example, an open chat or posting function), unless you take reasonable measures to delete all or virtually all personal information before the postings are public and delete all information from your records. Third, you are collecting information if you passively track a COPPA Kid online.
Those are the basics for determining if your website or online service is subject to COPPA. If you have applied the above factors and determined that COPPA applies, then you will need a privacy policy that complies with COPPA. I will cover that subject in the next installment.
Follow me on Twitter @PaulHSpitz