COPPA might not be valid for your website, read our blog to know more.

According to a UNICEF report, More than 175,000 minors are using the internet for the first time everyday. They’re all tapping into great opportunities, but, at the same time, getting exposed to grave risks. 

Worldwide 1 in 3 internet users is a child, and yet – as outlined in The State of the World’s Children 2017: Children in a digital world – too little is done to protect them from the perils of the digital world, to safeguard the trail of information their online activities create, and to increase their access to safe and quality online content.

-UNICEF

Online publishers, content creators, agencies, and any website with kid-friendly content or ads have an obligation under COPAA to avoid collecting personal data from children who are under the age of 13. 

 

This post is meant to provide recommendations for the publisher and marketing community to follow COPPA and learn how they can avoid policy violations. 

What is COPPA?

COPPA stands for ‘The Children’s Online Privacy Protection Act of 1998.’  This act is enforced by the Federal Trade Commission (FTC) that stipulates what online service providers, website operators, and marketers should do to protect minor’s privacy and safety on the web. 

 

Though the act is 20 years old, the need for COPPA compliance has increased over the past few years because of heightened cases of online child abuse and privacy violations. 

For example, YouTube received a whopping fine of $170 million in September 2019 for COPPA violations.

 

Like YouTube, Google has also faced pressure from privacy regulators. In March 2020, the search engine was fined $1.7 billion by the European Commission for collecting personal information from minors. 

 

The primary goal of COPPA is to ensure parents have control over the information that websites are collecting from their children. The rule protects children who are under 13, and applies to operators of online services and commercial websites that collect, disclose, or use visitor data to serve targeted advertising. 

 

The term ‘online services’ covers any service available over the web that allows users to connect to a wide-area network. For example, services that allow users to engage in social networking activities, receive online advertisements, play network-connected games, and interact with any online content.

 

More examples include smart speakers, VOIP services, voice assistants, and Internet-enabled-location-based services. 

 

*COPPA’s scope of applicability is limited to US-based audiences. It applies to websites and online services that collect data from children in the US, irrespective of where they’re operating from. 

What is personal information?

According to the federal trade commission’s guidelines, personal information include:

Section 312.5 of FTC’s COPPA guidelines deals with parental consent. Any website or online service shall obtain parental content before gathering, storing, processing, or disclosing any personal information belonging to a child.

 

The act recommends all child-directed operators to also verify parental consent through technology-based solutions. FTC recommends following ways for ensuring verifiable consent from parents:

 

 

If an online service provider or operator is unable to obtain parental consent, the act restricts them from collecting any personal information from children under section 312.7. 

 

Read More:

1. Everything to Know about California Privacy Rights Act (CPRA)

2. Identity Resolution: Definition, Types, Benefits, and Privacy Concerns

COPPA Compliance Guidelines for AdTech:

The ad tech industry is obligated to comply with COPPA regulations. Irrespective of the role an advertising technology company plays in ad serving or content creation, they must adhere to kid’s data privacy laws if their online services are child-directed. 

 

Any online service, app, website, or device that is targeted to appeal to children, then it is considered child-directed. Hence, if an ad-tech company obtains data from under-13 users by offering child-directed services, then they must abide by COPPA. 

 

The act also applies to third parties in the digital advertising ecosystem. If the ad tech agencies or third parties have knowledge that they’re collecting personal data from users of another online services or website, they’ll be subjected to COPPA regulations. 

 

Read More:

1. GDPR Consent String: Everything A Publisher Needs to Know

2. What Ad Tech Looks Like in the GDPR Aftermath

How can publishers & advertiser ensure COPPA compliance:

Time needed: 5 minutes.

The Federal Trade Commission has listed a few steps that publishers or advertisers can take to ensure COPPA compliance. These steps include:

  1. Check if your online service of website is collecting personal information from users below the age of 13:

    Publishers or ad tech companies can use different age verification techniques to identify the ages of their users. If their audience base is 13+, they don’t need to worry about COPPA compliance. 

    i. COPPA only applies to websites that:
    ii. Serve content or ads to under 13 users and collect their data
    iii. Do not have age-restriction filter for a new sign up 
    iv. Have an external plugin that collects information specifically from the children 

  2. Ensure your website has a visible privacy policy that abides by COPPA requirements:

    If your content or ads cater to kids under the age to 13, your website should have all the information about the personal data that’s being collected from online users. For example:

    i. Manner of data collection 
    ii. Type of personal data that you store 
    iii. Information about third parties or sources that are processes user’s personal data 
    iv. The policy must have a clearly visible section on parent’s rights on their children’s personal data.

  3. Take parental consent before asking for any personal information:

    Before gathering personal data from children, operators or publishers must give a clear notice to parents and request for their consent. They should be informed about:

    i. Why the website is seeking their child’s personal information 
    ii. How their consent is linked to the company’s privacy policy 
    iii. What information has been collected and where they’ll be used 
    iv. Whether you’ll be disclosing the information to third party sources 

    This notice should also mention ways through which parents can give their consent. COPPA also asks online operators to delete user information if parents do not give consent in a reasonable amount of time.

  4. Make sure to verify that parent’s consent that you’ve received:

    COPPA also asks the operators to verify parental consent that they’ve taken. The FTC website doesn’t mention any specific method for obtaining verifiable parental consent. But here are few acceptable methods:

    i. Parents can sign an online consent form and send it back to the operator or company through email or postal service 
    ii. A toll free number can be made available for parents to give their consent to trained professionals 
    iii. Parents can provide any government ID 
    iv. Websites can use facial recognition technology to verify consent 

  5. Ensure clear communication between parents and the website 

    FTC suggests the website operators to frequently inform parents about new updates in its privacy policy. This can include:

    i. New verification methods for parental consent 
    ii. Information on rights related to personal data 
    iii. How and where parents can review their information website has collected about their child
    iv. How parents can revoke the parental consent 

  6. Implement reasonable security practices to protect children’s information:

    COPPA asks website operators to implement sufficient security measures on their site. It recommends them to not retain data for a longer period of time, and also restricts sharing of information with third-parties that are capable of maintaining confidentiality of such information. 

Read More:

1. Thailand’s PDPA: Definition, Similarities with GDPR, and FAQs

2. CCPA VS GDPR: Overview, Differences, and Similarities

In Closing 

COPPA has turned into a strict legislation that comprehensively addresses issues related to children’s privacy. It ensures that online operators follow acceptable privacy and security standards. 

 

Over the last few years, FTC has hit many major operators with hefty fines for violating COPPA requirements. FTC has also passed many guidelines that have changed how companies gather and process personal information of children.  

 

For detailed information on COPPA visit www.ftc.gov.