Congress enacted the Children’s Online Privacy Protection Act (COPPA) in 1998. Unlike Gramm-Leach-Bliley and HIPAA, COPPA is directed at the Internet, particularly at websites that target children (persons under the age of 13, for purposes of the Act) or know that they are collecting personal information from children.
Generally, COPPA prohibits a website operator from collecting personally identifiable information (PII) from children without express, “verifiable” permission from the parent or guardian of the child. Verifiable parental consent requires a website operator to make reasonable efforts to ensure that a parent or guardian receives notice of the operator’s information practices and consents to those practices. After such permission is obtained and PII is actually collected from a child, a website operator still may not disclose or make the PII publicly available via any means at all, including within a website chat room. The prohibited disclosure – or “release” – of information is further defined by COPPA as “sharing, selling, renting, or any other means of providing personal information to any third party.”
PII as it relates to children might include a full name, home address, email address, telephone number or any other information that would allow someone to identify or contact the child. Detailed information such as a child’s hobbies, interests and information collected through tracking technologies (e.g., “cookies”) is also regulated when tied to other individually identifiable information.
To comply with COPPA, website operators must always include in a privacy policy notice specific information, such as the name and contact information of all operators collecting or maintaining children’s personal information online; the type of personal information collected from children; how the personal information is used; and whether or not the operator discloses information collected from children to third parties and, if so, the terms of the third party disclosure(s). The parent must also be permitted to review the child’s personal information, ask to have it deleted and refuse to allow any further collection or use of the child’s information.
The Federal Trade Commission (FTC) regulates consumer privacy and data security practices pertaining to minors, and the FTC and states’ attorneys general are the enforcers of COPPA and associated civil penalties for its violation.
To determine whether or not your website is directed at children and therefore subject to COPPA, the FTC will consider factors such as the website’s subject matter, its visual or audio content, the age of people pictured on the site, specific information posted that portrays the age of the actual or intended audience, complexity of language, types of advertising, and the use of animation or other “child-oriented” features.
Update: The FTC revised the Children’s Online Privacy Protection Act Rule, and the changes took effect on July 1, 2013. The revised COPPA rule addresses issues such as the increased use of mobile devices and social networking by children. A significant change is the modified definition of children’s personal information to include identifiers such as online tracking cookies, geolocation information, photos, videos, and audio recordings.
The following documents released by the FTC include additional information on the current iteration of the COPPA rule:
- “The Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business”
- “Protecting Your Child’s Privacy Online”
*The usual disclaimer: COPPA involves much more detail than this brief overview provides, and this post does not set forth legal advice or opinion to any extent. Please contact an attorney familiar with privacy and data security requirements for an analysis of your specific compliance issues.