What is the Children’s Online Privacy Protection Rule (COPPA)?
The Children’s Online Privacy Protection Act (COPPA) is a U.S. federal law designed to impose certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
COPPA Compliance
In December 2012, the Federal Trade Commission issued revisions effective July 1, 2013, which created additional parental notice and consent requirements, amended definitions, and added other obligations for organizations that (1) operate a website or online service that is “directed to children” under 13 and that collects “personal information” from users or (2) knowingly collect personal information from people under 13 through a website or online service. After July 1, 2013, operators must:
- Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
- Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
- Provide parents access to their child’s personal information to review and/or have the information deleted;
- Give parents the opportunity to prevent further use or online collection of a child’s personal information;
- Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security;
- Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use; and
- Not condition a child’s participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity.
What organizations does the Children’s Online Privacy Protection Act apply to?
The Children’s Online Privacy Protection Act applies to organizations that knowingly collect the personal information of children under age 13 online. However, because websites and social platforms are ecosystems, not silos, the law goes into more detail and applies to organizations that:
- Knowingly collect children’s personal information from users of another website or online service directed at children
- Knowingly collect children’s personal information even though the website or online service is directed at a general audience
- Run supplementary services with their website, app, or other service (e.g. ad network) and know that the supplementary services collect personal information from children under 13
Who is covered by COPPA?
The Rule applies to operators of commercial websites and online services (including mobile apps and IoT devices) directed to children under 13 that collect, use, or disclose personal information from children. It also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.
What is defined as a Website or Online Service under COPPA?
COPPA has been updated over the years to reflect digital advances, and its definition of a “website or online service” includes:
- mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads)
- internet-enabled gaming platforms
- advertising networks
- internet-enabled location-based services
- voice-over internet protocol services
- connected toys or other Internet of Things devices
How does the COPPA define personal information?
Personal information within the scope of COPPA is fairly standard compared to other privacy laws, though it is a little more detailed regarding online account identifiers and digital media. In Part 312.2 (Definitions) it includes:
- First and last name
- Home or other physical address
- Online contact information
- Screen name or username where it functions the same as online contact information
- Telephone number
- Social Security number
- A “persistent identifier” that can be used to recognize a user over time and across different websites or online services, including, but not limited to, customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier
- A photograph, video, or audio file containing the child’s image or voice
- Geolocation information sufficient to identify street name and name of a city or town
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier