The Children's Online Privacy Protection Act (COPPA) was enacted by the United States Congress in 1998, and took effect in April 2000. The Commission issued an amended Rule on December 19, 2012 which took effect on July 1, 2013. The FTC is
COPPA was designed by lawmakers to introduce parents into the decision-making equation and place them in control over what information is collected online from their children and give parents the final say on which services their children would be allowed to personally interact with and what information they could disclose.
COPPA requires sites, apps, services, connected devices/toys and online games, otherwise known as, “online services”, directed to children under 13 years of age, and online operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age to notify parents and get their verifiable parental consent before they collect, use, or disclose a child’s personal information.
So how do you know if COPPA affects you and your business? Simply put, if you have any children engaging with your content, even if that wasn’t your intended audience, COPPA fines could potentially be a ticking time bomb waiting to explode on your balance sheet.
Fines for failing to comply with the law are up to $50,120 per violation.
Over 6,000 apps are created per day! It’s hard to imagine that the world is not only at our fingertips, but at our children’s as well.
Companies used to not think about security in their design processes. Now, we can’t afford not to. The same is true with privacy – especially regarding children. With more kids online with their own devices, Europe’s General Data Protection Regulation (GDPR) now in force, and a widespread acknowledgement that all consumers, not just our youngest, are in need of better data security and privacy protections, companies cannot turn a blind eye to complying with COPPA.
By simply providing a check a box to have your users say they are 13 or over isn’t the way out. This leads to two things:
The FTC enforces COPPA. In addition, state attorneys general and certain federal agencies such as the Office of the Comptroller of the Currency and the Department of Transportation, are responsible for handling COPPA compliance for the specific industries they regulate.
Operators who violate the Rule can be held liable for civil penalties of up to $50,120 per violation by a court. The amount of civil penalties sought by the FTC or assessed by a court may depend on various factors, such as the severity of the violations, any prior breaches of the Rule by the operator, the number of children affected, the nature and quantity of collected personal information, the utilization of such information, any sharing with third parties, and the company's size. The assessment of the suitable civil penalty is subject to case-specific considerations. In certain cases, the FTC has opted not to pursue any civil penalty, whereas in other instances, the fines have amounted to millions of dollars. It's important to note, paying the fine is just one step. You may need to pay PR and legal fees, in addition to the damage that can be done to your company’s brand. It takes years to build brand trust and just seconds to destroy it.
Besides the obvious cost of the fine, companies need to take into consideration the PR and legal fees, in addition to the damage that can be done to a company’s brand. Whether you are a parent or a business that interacts with kids, violations to children’s online privacy costs everyone.
In addition to fines, companies may be required to:
Click here to see COPPA enforcement cases to date.
COPPA has had a few revisions to keep up with emerging technology, including in July of 2013, which expanded the types of covered personal information to include photos, video, or audio files that contain a child’s image or voice. Just last year the FTC issued an Enforcement Policy Statement that addressed the practice of collecting audio files that contain a child’s voice for immediate conversion into text, in response to inquiries from the marketplace as this practice became more common. The FTC is currently undergoing another review of COPPA. We should have the updated revisions before the year is out.
Most companies ask a child for their parent’s email to obtain verifiable parental consent, but majority of children do not know their mom or dad’s email. Just like teaching children to remember their address and phone number, we need to teach children how to reach their parent’s online.
The U.S. federal government oversees COPPA, but states and certain federal agencies have authority to enforce compliance with respect to entities over which they have jurisdiction.
Want to learn more about COPPA? Read the full Rule from the FTC or learn from our About COPPA resource page.
Join a COPPA Safe Harbor Program to be Compliant to Avoid Violations
With the evolving privacy landscape and increased regulation and scrutiny, services will need to engage neutral third parties, like PRIVO, to assess and certify privacy compliance including through data privacy impact assessments. If your service needs support, please contact PRIVO to find out more about our Kids Privacy Assured Program and our privacy technology, and let our experts support you.