Skip to Content
Kinetic Law Kinetic Law
Start Today: 513-450-9010
Top

Children’s Online Privacy Compliance – Part 1

Serving Businesses Throughout Ohio and California
|

Children’s Online Privacy Compliance – Part 1

Today I start a multi-part series on compliance with the Children’s Online Privacy Protection Act, commonly known as “COPPA.” COPPA is a federal law governing the online privacy rights of children under the age of 13, passed in 1998 and updated in 2013. The Federal Trade Commission is the federal agency with enforcement authority under COPPA. This installment will discuss how to determine if your company has a website or online service that collects personal information from children under the age of 13 (for clarity’s sake, we will call these children “COPPA Kids,” to distinguish them from children ages 13 and up). Future installments will cover the requirements of a COPPA-compliant privacy policy, parental notification requirements, parental consent requirements, and reasonable procedures to protect the security of COPPA Kids’ personal information.

How do you know if your company has a website or online service that collects personal information from COPPA Kids? Start by asking four questions:

1. Is your website or online service directed at COPPA Kids and you collect personal information from them?

2. Is your website or online service directed at COPPA Kids and you let others collect personal information from them?

3. Is your website or online service directed to a general audience, but you actually know that you collect personal information from COPPA Kids?

4. Is your company running an ad network or plug-in, or a similar type of service, and you actually know that you collect personal information from users of a website or online service directed at COPPA Kids? (this makes you one of the “others” referred to in Question 2).

If the answer to any of the four questions is yes, your company is subject to COPPA.

Let’s break it down a little further. First, you will notice that I used the phrase “website or online service” several times. COPPA and the FTC define this phrase very broadly. It includes:

  • Standard websites, obviously, and this being 2014, you should know what they are
  • Mobile apps that send or receive information online, such as network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads
  • Internet-enabled game platforms
  • Plug-ins
  • Advertising networks
  • Internet-enabled location-based services
  • Voice-over-internet-protocol (VoIP) services

Next, how do you know if your site or service is directed at COPPA Kids? The FTC will look at a variety of factors to decide if a website or online service is directed to COPPA Kids. Factors could include one or more of the following:

  • the subject matter or the website or service, 
  • visual and audio content, 
  • the use of animated characters,  
  • the use of child-oriented activities and incentives, 
  • the age of models, 
  • the use of child celebrities or celebrities who appeal to kids (that includes you, Justin Bieber, and you too, Katey Perry), 
  • ads directed to children, and 
  • other evidence about the age of the actual or intended audience.

What are the kinds of “personal information” that might trigger COPPA? Some items are pretty obvious, while others should get your immediate attention:

  1. Full name 
  2. Home or other physical address, including street name and city 
  3. Online contact information, such as an email address or other identifier that permits someone to contact a person directly – these include instant messaging (IM) names, VoIP names, and video chat names
  4. Screen name or user name where it functions as online contact information
  5. Telephone number
  6. Social Security number
  7. A persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, IP address, processor or device serial number, or a unique device identifier
  8. A photo, video, or audio file containing a COPPA Kid’s image or voice
  9. Geolocation information sufficient to identify a street name and city
  10. Other information about the COPPA Kid or parent that is collected from the child and combined with one of these other identifiers

Finally, what does it mean to “collect?” First, you are collecting personal information if you request, prompt, or encourage the submission of such information, even if it is optional. Second, you are collecting if you let information be made publicly available (for example, an open chat or posting function), unless you take reasonable measures to delete all or virtually all personal information before the postings are public and delete all information from your records. Third, you are collecting information if you passively track a COPPA Kid online.

Those are the basics for determining if your website or online service is subject to COPPA. If you have applied the above factors and determined that COPPA applies, then you will need a privacy policy that complies with COPPA. I will cover that subject in the next installment.

Follow me on Twitter @PaulHSpitz

Categories: 

Effective Advocacy for Entrepreneurs

Let's build Your Business Together

Have questions? Ready to get started? Fill out the form below to schedule a consultation with Paul H. Spitz.

  • Please enter your first name.
  • Please enter your last name.
  • Please enter your phone number.
    This isn't a valid phone number.
  • Please enter your email address.
    This isn't a valid email address.
  • Please make a selection.
  • Please enter a message.
  • By submitting, you agree to be contacted about your request & other information using automated technology. Message frequency varies. Msg & data rates may apply. Text STOP to cancel. Acceptable Use Policy