COPPA overview

Since 1998, COPPA has helped protect the personal information of children under 13 years old. Enforced by the Federal Trade Commission (FTC), COPPA mandates that websites and online services that collect the personal information of children under the age of 13 must remain in compliance with COPPA’s protective practices or risk civil penalties, including large fines. Luckily for organizations that are grappling with COPPA compliance, the FTC has released a business guidance plan for COPPA compliance. Below are summaries of these tips. Please note that this article in no way substitutes for organizational audits aimed at COPPA compliance. Rather, it is intended to be a brief refresher for those in your organization responsible for maintaining compliance.

Becoming COPPA-compliant

Website or online service?

First, it would be helpful to define what is construed as a website or online service with respect to COPPA. “Website” or “online service” have broad definitions under COPPA. Besides standard websites, the following are also included in this definition:

Mobile apps, such as online games, social networking apps or apps with ads that target users based on their behavior, that send or receive user information for users under age 13 Gaming platforms that are Internet-enabled Advertising networks Plug-ins Location services that are Internet-enabled VOIP services IoT devices, including Internet-connected toys

Determine if your website or online service is covered by COPPA

The first point of compliance to look at is whether your website or online service is covered by COPPA. If your organization’s website falls under one of the categories below, then it is covered by COPPA:

Websites or online services that target users under age 13 and collect personal information Websites or online services that target users under age 13 and let third parties collect information Websites or online services that target a general audience, when you have knowledge of the fact that you are collecting personal information of users under age 13 When you have personal knowledge that a plug-in or ad network from your organization collects user personal information from websites that target users under age 13

Post a COPPA-compliant privacy policy

Let’s say your website or online service is indeed covered by COPPA. In that case, the next step is for your organization to post a clear and comprehensive privacy policy that details how your organization handles personal information collected regarding users under 13. This privacy policy should be posted on the homepage of your organization’s website, and if your website has a section specifically for kids, it should be posted there as well.
For COPPA compliance, your privacy policy needs to include:

A concise list of all third-party operators that are collecting personal information – including plug-ins and advertising networks. Include the operator’s name and contact information Descriptions of the user personal information collected from users under 13 and how it is to be collected and used Description of the rights of the user’s parents. This should include a section stating that you will only require users under 13 to disclose what is reasonably necessary

Notify parents directly about your information practices before collecting the information

You will also have to give parents direct notice of your information-collecting practices. This concise, clearly-stated notice must inform parents that

Contact information collected was for consent purposes You want to collect their child’s personal information That parental consent is required before you can collect, use and disclose the personal information What the information to be collected is and the method of disclosure to others Link to your organization’s privacy policy Ways for the parent to give consent

If parental consent is not received within a reasonable amount of time, the organization will delete the parent’s contact information from the organization’s records

COPPA is flexible with how organizations can receive consent from parents, leaving it up to the organization itself to use available technology and their own creativity to devise a means to transmit parental consent.

Honoring parents’ ongoing rights

Once personal information is collected from their children under 13, the rights of the parents continue. Upon request of a parent, an organization must:

Provide a method for the parents to review their child’s personal information that was collected Provide a method for the parents to revoke consent and to refuse subsequent collection or use of their child’s personal information Provide a way to delete their child’s collected personal information

Implementation of information security procedures

COPPA mandates that organizations implement and maintain reasonable information security procedures to protect the security, confidentiality and integrity of personal information collected from users under 13. Some tips for organizations that are planning on implementing such information-security procedures include:

Minimize the amount of personal information collected Use reasonable steps to ensure that the release of personal information of users under 13 is only with third-parties with the capacity to maintain security, confidentiality and integrity Make sure that personal information is retained for only as long as is reasonably necessary for the reason why it was collected in the first place Implement a secure method of information disposal for personal information once it is no longer legitimately necessary to retain it

Following this roadmap, organizations can ensure COPPA compliance and keep their underage users safe.

Sources

Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business, FTC