COPPA might not be valid for your website, read our blog to know more.

According to a UNICEF report, More than 175,000 minors are using the internet for the first time everyday. They’re all tapping into great opportunities, but, at the same time, getting exposed to grave risks.

Worldwide 1 in 3 internet users is a child, and yet – as outlined in The State of the World’s Children 2017: Children in a digital world – too little is done to protect them from the perils of the digital world, to safeguard the trail of information their online activities create, and to increase their access to safe and quality online content.

-UNICEF

Online publishers, content creators, agencies, and any website with kid-friendly content or ads have an obligation under COPAA to avoid collecting personal data from children who are under the age of 13.

This post is meant to provide recommendations for the publisher and marketing community to follow COPPA and learn how they can avoid policy violations.

What is COPPA?

COPPA stands for ‘The Children’s Online Privacy Protection Act of 1998.’ This act is enforced by the Federal Trade Commission (FTC) that stipulates what online service providers, website operators, and marketers should do to protect minor’s privacy and safety on the web.

Though the act is 20 years old, the need for COPPA compliance has increased over the past few years because of heightened cases of online child abuse and privacy violations.

For example, YouTube received a whopping fine of $170 million in September 2019 for COPPA violations.

Like YouTube, Google has also faced pressure from privacy regulators. In March 2020, the search engine was fined $1.7 billion by the European Commission for collecting personal information from minors.

The primary goal of COPPA is to ensure parents have control over the information that websites are collecting from their children. The rule protects children who are under 13, and applies to operators of online services and commercial websites that collect, disclose, or use visitor data to serve targeted advertising.

The term ‘online services’ covers any service available over the web that allows users to connect to a wide-area network. For example, services that allow users to engage in social networking activities, receive online advertisements, play network-connected games, and interact with any online content.

More examples include smart speakers, VOIP services, voice assistants, and Internet-enabled-location-based services.

*COPPA’s scope of applicability is limited to US-based audiences. It applies to websites and online services that collect data from children in the US, irrespective of where they’re operating from.

What is personal information?

According to the federal trade commission’s guidelines, personal information include:

First and last name of website users
Online contact and residential information
User’s social security number
A username that functions as online contact information
A photograph, audio file, or vide where such file contains the child’s images or voice
A telephone number
Any persistent identifier that can be used to identify the user across online or offline services

Section 312.5 of FTC’s COPPA guidelines deals with parental consent. Any website or online service shall obtain parental content before gathering, storing, processing, or disclosing any personal information belonging to a child.

The act recommends all child-directed operators to also verify parental consent through technology-based solutions. FTC recommends following ways for ensuring verifiable consent from parents:

Using hard identifiers such as ID cards (Government issued)
Sending a consent form to parent’s postal address or email address
Sending explicit notifications to parents about any credit or debit card purchase or downloads

If an online service provider or operator is unable to obtain parental consent, the act restricts them from collecting any personal information from children under section 312.7.

2. Identity Resolution: Definition, Types, Benefits, and Privacy Concerns

COPPA Compliance Guidelines for AdTech:

The ad tech industry is obligated to comply with COPPA regulations. Irrespective of the role an advertising technology company plays in ad serving or content creation, they must adhere to kid’s data privacy laws if their online services are child-directed.

Any online service, app, website, or device that is targeted to appeal to children, then it is considered child-directed. Hence, if an ad-tech company obtains data from under-13 users by offering child-directed services, then they must abide by COPPA.

The act also applies to third parties in the digital advertising ecosystem. If the ad tech agencies or third parties have knowledge that they’re collecting personal data from users of another online services or website, they’ll be subjected to COPPA regulations.

2. What Ad Tech Looks Like in the GDPR Aftermath

How can publishers & advertiser ensure COPPA compliance:

The Federal Trade Commission has listed a few steps that publishers or advertisers can take to ensure COPPA compliance. These steps include:

Total Time: 5 minutes

Check if your online service of website is collecting personal information from users below the age of 13:

Publishers or ad tech companies can use different age verification techniques to identify the ages of their users. If their audience base is 13+, they don’t need to worry about COPPA compliance. u003cbr/u003eu003cbr/u003ei. COPPA only applies to websites that:u003cbr/u003eii. Serve content or ads to under 13 users and collect their datau003cbr/u003eiii. Do not have age-restriction filter for a new sign up u003cbr/u003eiv. Have an external plugin that collects information specifically from the children

Ensure your website has a visible privacy policy that abides by COPPA requirements:

If your content or ads cater to kids under the age to 13, your website should have all the information about the personal data that’s being collected from online users. For example:u003cbr/u003eu003cbr/u003ei. Manner of data collection u003cbr/u003eii. Type of personal data that you store u003cbr/u003eiii. Information about third parties or sources that are processes user’s personal data u003cbr/u003eiv. The policy must have a clearly visible section on parent’s rights on their children’s personal data.

Take parental consent before asking for any personal information:

Before gathering personal data from children, operators or publishers must give a clear notice to parents and request for their consent. They should be informed about:u003cbr/u003eu003cbr/u003ei. Why the website is seeking their child’s personal information u003cbr/u003eii. How their consent is linked to the company’s privacy policy u003cbr/u003eiii. What information has been collected and where they’ll be used u003cbr/u003eiv. Whether you’ll be disclosing the information to third party sources u003cbr/u003eu003cbr/u003eThis notice should also mention ways through which parents can give their consent. COPPA also asks online operators to delete user information if parents do not give consent in a reasonable amount of time.

Make sure to verify that parent’s consent that you’ve received:

COPPA also asks the operators to verify parental consent that they’ve taken. The FTC website doesn’t mention any specific method for obtaining verifiable parental consent. But here are few acceptable methods:u003cbr/u003eu003cbr/u003ei. Parents can sign an online consent form and send it back to the operator or company through email or postal service u003cbr/u003eii. A toll free number can be made available for parents to give their consent to trained professionals u003cbr/u003eiii. Parents can provide any government ID u003cbr/u003eiv. Websites can use facial recognition technology to verify consent

Ensure clear communication between parents and the website

FTC suggests the website operators to frequently inform parents about new updates in its privacy policy. This can include:u003cbr/u003eu003cbr/u003ei. New verification methods for parental consent u003cbr/u003eii. Information on rights related to personal data u003cbr/u003eiii. How and where parents can review their information website has collected about their childu003cbr/u003eiv. How parents can revoke the parental consent

Implement reasonable security practices to protect children’s information:

COPPA asks website operators to implement sufficient security measures on their site. It recommends them to not retain data for a longer period of time, and also restricts sharing of information with third-parties that are capable of maintaining confidentiality of such information.

2. CCPA VS GDPR: Overview, Differences, and Similarities

In Closing

COPPA has turned into a strict legislation that comprehensively addresses issues related to children’s privacy. It ensures that online operators follow acceptable privacy and security standards.

Over the last few years, FTC has hit many major operators with hefty fines for violating COPPA requirements. FTC has also passed many guidelines that have changed how companies gather and process personal information of children.

For detailed information on COPPA visit www.ftc.gov.