A Guide to Protecting Children’s Privacy Online

By: Angela Bozzuti Product Manager, Lexis Practice Advisor.

THE CHILDREN’S ONLINE PRIVACY PROTECTION ACT AND Rule (COPPA) is a federal law that places parents and legal guardians in control over the collection, use, and disclosure of their children’s personal information (PI). COPPA applies to:

• Operators of a commercial website or online service (including apps) directed to children under the age of 13 that collects, uses, or discloses PI from children –or–
• Operators of a general audience website or online service who know they collect, use, or disclose personal information from children under 13

Under COPPA, the Federal Trade Commission (FTC) is tasked with issuing regulations for the implementation of the law, which can be found at 16 C.F.R. § 312.1 et seq. The FTC, and to a lesser degree, other federal and state agencies, enforce COPPA compliance. Violating COPPA can lead to significant financial and administrative liability. Violators can incur civil penalties of up to $16,000 per violation; be ordered to delete all information collected in violation of COPPA; and become subject to record-keeping, reporting, and/or monitoring requirements by the FTC for years. Civil penalties against a COPPA violator have been as high as $3,000,000. See U.S. v. Playdom, Inc., SACV110-00724 (C.D. Ca. 2011).

In addition to the financial burdens potentially imposed by COPPA enforcement actions, reputational harm for a COPPA violation might be the most costly consequence. The online privacy of children is a hot-button issue, and the public is very sensitive to the improper use or disclosure of a child’s information. The financial penalties and reputational harm of a COPPA violation make it incumbent upon website operators to pay close attention to their online data collection activities.

This article discusses how to determine whether COPPA applies to your client, and if so, how to collect, use, and disclose the PI of children in compliance with the requirements of COPPA and the FTC.

Determine Whether COPPA Applies

COPPA targets a specific subset of online service operators who either seek to collect the PI of children under 13 or have actual knowledge that such collection is occurring (even if not intended). To determine whether COPPA applies, evaluate your client’s activities in the context of the following questions:

• Does your client collect PI, as that term is defined by COPPA?
• Is your client an operator under COPPA?
• Is the website or app directed to children under 13, or does the operator know it is collecting PI from children under 13?

If the answer to all three questions is affirmative, then COPPA applies and your client must meet the various requirements that will be discussed in this article.

This section provides additional insight into the FTC’s determination of whether COPPA is applicable to a particular online service or app.

Does Your Client Collect Personal Information?

COPPA applies only to the collection of children’s PI, so review of the applicable information collection practices is necessary to determine whether your client is subject to COPPA’s requirements.

COPPA defines PI as information that is collected online and identifies an individual, including:

• First and last name
• Physical address that includes street and town or city name
• E-mail address
• Online identifier that permits an individual to be contacted directly (e.g., an IM name, video or audio chat username, or other form of screen name)
• Telephone number
• Social security number
• Image, video, or audio containing an individual’s image or voice
• Information sufficient to identify the home or other physical address of an individual (as determined by the Federal Trade Commission (FTC))
• A cookie number, IP address, unique device number, or other persistent identifier that can be used to track and recognize an individual over time and across different websites or apps
• Hobbies, interests, information collected through the use of cookies, and any other information collected from a child that is either about that child or the parents/guardians of that child that, when combined with any of the above, can be used to identify the child

The FTC provides this list as a guide in rule 16 C.F.R. § 312.2 and includes the most common types of PI. However, these are only meant to be examples. The list is not exhaustive.

If your client collects PI, consider whether it actually needs to do so. If PI isn’t necessary for your client’s online service or app to function as intended, then ending the practice of PI collection might save a lot of time and trouble and significantly reduce the risk of liability.

If your client does not collect any PI, then COPPA does not apply. Regardless of whether PI is collected, it is a best practice to disclose clearly and conspicuously in a privacy policy the types of information collected, how that information is used, and how it is disclosed. Guidance on drafting a clear and FTC-compliant generalprivacy policy is set forth in Drafting Privacy Policies. Also consider adding language to a general privacy policy that expressly states the online service does not (and does not wish to) collect children’s PI. For a sample clause, see COPPA Disclosure – COPPA Not Applicable

Is Your Client an Operator under COPPA?

COPPA governs the online collection of PI, and as such pertains only to online “operators.” An operator is any person or entity that:

• Operates a website or online service (including mobile and other applications, plug-ins, ad networks, location-based services, Internet-enabled gaming platforms, and VOIP services)
• Collects or maintains PI from or about visitors or users of the website or online service, or has PI collected or maintained on the operator’s behalf
• Runs the online service or app for commercial purposes involving interstate or foreign commerce

A person or entity that operates a plug-in or ad network that collects PI on a third party’s website or app is considered an operator under COPPA, placing such operators in the same position as those who operate the website or app. The FTC has pursued enforcement actions against such entities, most recently against the mobile advertising company InMobi.¹ See FTC Press Release.

Is the Online Service or App Directed to Children under Age 13?

To determine if COPPA applies, you must look at both the intended and actual age of the relevant audience. COPPA applies to online services or apps where:

• The target audience is under the age of 13 –or–
• The operator has actual knowledge that it collects the PI of children under 13

COPPA does not apply if the online service or app is not directed to children under 13 and/or if your client has no knowledge that its online service or app actually does collect PI from children under 13.

If the online service or app is targeted to a general audience over age 13, but includes a section of the website or app directed to children under 13, then COPPA applies to that section.

The FTC looks at a number of factors to determine whether an online service or app is directed to children under 13 for purposes of enforcing COPPA. These factors include:

• Subject matter (e.g., storylines that appeal to children, media or goods featured or for sale that have been rated for an audience under 13, use of child-oriented activities)
• Language (e.g., phrases or calls to action directed to children or that would appeal to children)
• The nature of images, videos, audio, and visual content
• Age of the models or celebrities on the online service or app
• Whether any ads on the online service or app are directed to children
• Any information indicating the age of the actual or intended audience
• Use of animated characters or other features traditionally used to target or incentivize children
• Ads for the online service or app placed on third-party services that are directed to children under 13

If the answer isn’t clear, or it is possible that any of the above factors might point to a target audience under age 13, consider taking the steps necessary to comply in light of the potential risks and liabilities of incurring a COPPA violation.

A real life example where industry watchdogs are grappling with this question comes from the advent of “smart speaker” devices, such as iPhone’s Siri or Amazon’s Echo. These devices have recently come under scrutiny because they collect voice comments from children without express parental consent, which could be a violation of COPPA. While it is arguable whether these services are directed to children, it might not be a stretch to say these companies have actual knowledge that their devices will capture the voices of children under 13. No official action or complaint has been brought in this regard, but it raises an interesting issue about the scope of COPPA and the interpretation of its requirements.²

COPPA Compliance: Before Collecting a Child’s PI

COPPA compliance is accomplished at two separate phases of an online service’s or app’s lifecycle: before collecting the PI of children under 13 and after. Without diminishing the importance of compliance after collecting a child’s PI, the crux of COPPA lies in parental notice and consent before any information collection happens. The focus of most FTC enforcement actions is failure to comply with COPPA before collecting PI. Consequently, the more rigorous COPPA requirements must be addressed before your client collects PI.

To comply with COPPA before collecting a child’s PI, your client must:

• Post a clear and conspicuous privacy notice that describes what types of PI the operator collects from children, how the operator uses that PI, and whether the operator discloses any PI to third parties
• Provide direct notice to the parents of children from whom the operator collects PI, outlining how the operator handles the child’s PI and the parent’s rights to control the same
• Obtain the parent’s verifiable consent to the collection, use, and disclosure of his or her child’s PI as described in the privacy notice and direct notice

All three of these steps must be successfully completed before an operator may collect a child’s PI, with the limited exceptions described below in Limited Exceptions to Parental Consent. Once an operator has collected a child’s PI, the operator is obligated to keep the PI secure and treat it in accordance with the measures described later in this article.

Post a Clear and Conspicuous Privacy Notice

COPPA requires a clear, conspicuous, and easy to read (i.e., plain language) privacy notice posted on the online service or app. This allows users to access and to understand the information necessary to make decisions about whether that user or a parent wants to provide the child’s PI.

The privacy notice must clearly describe how the operator handles the PI of children, including:

• What information the operator collects
• How the operator uses that information
• Whether the operator discloses the PI to third parties
• The types of third parties to which to the operator discloses PI (if applicable)

The list of third parties to whom an operator discloses child PI will likely change over time as the operator replaces service providers, engages new ones, enters new business partnerships, etc. Consider placing the list of third parties to whom the operator discloses PI on a separate page, and then in the privacy policy, provide a link to that page. Doing so allows the operator to update the list as necessary without having to revise and to update the entire policy, which may trigger an obligation to provide subsequent direct notice to parents as described below in Provide Direct Notice to Parents.

Because the privacy notice must be conspicuous, a link at the bottom of a website or app is likely insufficient. Use a link or other conspicuous notification pointing to the privacy notice at the top of the homepage, for example, to ensure that parents receive adequate notice.

To comply with its COPPA obligations, an operator may choose to either incorporate the COPPA-required disclosures into an existing general privacy notice or create a separate, COPPA-specific notice such as the sample COPPA Privacy Policy. If an operator incorporates COPPA disclosures into a general privacy notice already posted on the website or app, the operator must clearly disclose at the top of the general privacy notice that it contains information regarding COPPA practices.

Provide Direct Notice to Parents

Separate and apart from the privacy notice discussed above, COPPA requires that operators, prior to collecting child PI, provide direct notice to the parents or guardians of a child under 13 who attempts to access or use the online service or app. COPPA compliant direct notice tells parents that their children have requested to use the operator’s online service or app, describes the operator’s collection and use practices regarding the children’s PI, and provides a mechanism for parents to give verifiable consent for their children to use the online service or app.

As opposed to the privacy notice, which sits passively on an online service or app, direct notice is a disclosure sent directly to the parent or guardian. The direct notice obligation is triggered when the child takes some action on the online service or app that does or will result in collection of that child’s PI. COPPA allows the operator to collect the name and online contact information (usually an email address) of the child and the child’s parent or guardian for the purpose of providing direct notice to the parent or guardian, and ultimately obtaining verifiable parental consent. There are a few additional purposes for which an operator might collect online contact information, but these are very limited in scope and come with a number of restrictions, as described in more detail in Limited Exceptions to Parental Consent.

Once an operator receives the online contact information, it must provide direct notice to the child’s parent or guardian. Direct notice must notify the child’s parent of the following:

• The child provided the parent’s contact information so that the operator can obtain the parent’s consent before collecting any further PI from the child
• The parent’s consent is required before the operator collects, uses, or discloses the child’s information
• The types of PI the operator intends to collect from the child, and how it intends to use and to disclose it, if the parent consents
• Detailed instructions about how the parent may provide verifiable parental consent
• That the operator will delete the parent’s information from its records if the parent does not respond and consent within a reasonable time
• Where the operator’s privacy policy can be found (via hyperlink)

After an operator provides direct notice, it must then seek the parent’s verifiable consent before collecting a child’s PI.

Obtain the Parent’s Verifiable Consent

COPPA requires an operator to get the consent of a child’s parent or legal guardian before collecting that child’s PI because children under age 13 are considered incapable of understanding the implications of sharing their PI. Thus, operators must notify the child’s parent about what PI will be collected and how it will be used, so the parent can decide on the child’s behalf.

Because of the sensitivity around child PI and the fears of its manipulation and exploitation, parental consent must be affirmative and verifiable. Verifiable consent requires that the operator be reasonably sure the person providing consent is in fact the child’s parent or legal guardian.

Passive consent is insufficient for COPPA compliance. For example, a privacy policy that says, “By using this site, you are deemed to have agreed to the information collection, use, and disclosure practices described in this privacy policy,” may suffice as consent to collect PI for online services targeting general audiences, but not children under 13.

Operators have some flexibility as to the method they use to obtain affirmative, verifiable consent from parents. COPPA requires that the method be “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.”³ The FTC has provided guidance on what methods meet these criteria, but also considers proposals of new methods.

Common ways to obtain verifiable parental consent, which the FTC has determined satisfy the requirements of COPPA, include:

• A consent form signed by the parent or legal guardian, returned electronically by scan, mail, or fax
• Credit card, debit card, or other online payment (use of such a payment method is considered verification of the parent’s identity)
• A toll-free number that parents or guardians can call to give or withhold consent
• A videoconference with personnel trained in the verification process
• A government-issued ID
• Email plus (see below)
• Knowledge-based authentication (see below)

Except in limited circumstances, including collecting PI for the sole purpose of obtaining parental consent, an operator must obtain consent from a child’s parent or guardian in one of these ways, or as otherwise approved by the FTC, before collecting any additional PI from that child. See Limited Exceptions to Parental Consent, below.

E-mail Plus

E-mail Plus is considered a relatively simple way to verify a parent’s consent under COPPA, but it can only be used if the operator is not disclosing any PI to third parties. COPPA defines such disclosure as the sharing of a child’s PI with third parties, or otherwise allowing that information to be made public (e.g., on message boards, chat rooms, social media, share with a friend function, or any form of public posting).

If your client does not disclose child PI to third parties, then it may request that the parent or guardian reply to its direct notice via e-mail to provide consent.

When requesting that the parent or guardian reply to the direct notice, an operator must do one of the following to confirm that parent’s consent:

• Ask the parent or guardian to include a phone number, fax number, or mailing address in their reply, and follow up with that parent or guardian to confirm their identity using the method they’ve supplied.
• After a reasonable amount of time passes from the initial consent, send a second message to the parent or guardian’s online contact information asking for confirmation of the consent. This ensures that a child or other third party did not take advantage of temporary, unauthorized access to the parent’s e-mail account to send the original confirmation.

The second confirmation e-mail should:

• Include all the information contained in the original direct notice message.
• Inform the parent or guardian of the right to revoke consent for collection and use of their child’s PI.
• Provide details about how the parent or guardian may revoke consent.

Knowledge-Based Authentication

The FTC recently approved knowledge-based authentication for COPPA compliance. This method of identity verification is sometimes also found when logging into certain financial institution websites and accounts.

Knowledge-based authentication works as follows:

• The operator requests the online contact information of the parent or guardian from the child.
• The operator sends the parent or guardian a series of challenge questions of sufficient complexity to establish that the parent or guardian is indeed who he or she claims to be, but to which the operator can confirm the answers.
• The operator confirms the answers to the challenge questions.

These questions ask for “out-of-wallet” information, meaning information that cannot typically be obtained through the contents of a person’s wallet. Examples include past addresses or phone numbers.

Limited Exceptions to Parental Consent

The receipt of verifiable parental consent in certain situations may be overly burdensome. The FTC allows for certain limited exceptions to the parental consent requirement, and even then imposes certain obligations on the operator.

COPPA allows operators to collect a child’s PI without prior verifiable parental consent in the following situations:

• To request parental consent. In order to get a parent’s verifiable consent, the operator needs certain contact information about the child and parent. Thus, operators may collect the parent’s and child’s name and online contact information for this purpose.
• For one-time requests. If a child is asking a question or entering a contest, and the only use of the child’s PI is in direct response to that one-time instance, an operator may collect the child’s online contact information only.
• For ongoing or multiple contacts strictly limited to online contact information.This exception arises when the child requests to receive a weekly newsletter or similar information that is distributed regularly. An operator does not need verifiable consent to collect and use such data because of the limited use and scope of PI collected. However, an operator must still provide the child’s parent with notice containing the following:
  • The child has requested multiple or ongoing communications.
  • The operator has collected the child’s online contact information but nothing else.
  • The parent has the right and ability to stop the communications.
  • A link to the operator’s privacy notice.
• To protect the safety of the child. If an operator believes that a child’s safety is at risk, for example, if the child is sharing PI publicly or claims to be in some kind of danger or harm, then the operator may collect the online contact information of the child and the child’s parent or guardian in order to protect the child.
• To comply with legal obligations. This exception refers to an operator’s obligation to comply with law, court order, or subpoena, as well as to protect the operator’s website from being attacked by or through a child’s account. If such situations arise, the operator may collect the child’s name and online contact information to respond accordingly.

Other than the specific pieces of PI noted above under each exception, collection of any other child PI remains prohibited under COPPA without verifiable consent. Exceptions to COPPA’s parental consent requirement are displayed in the adjacent flowchart.

COPPA Compliance: After Collecting a Child’s PI

Although most of the COPPA requirements apply before a child’s PI is collected, an operator’s obligations continue as long as the operator holds that PI. Parents and guardians rely on the safety and proper use of a child’s PI when they give the operator consent to collect it, and failure to do so exposes that operator to the same enforcement actions and reputational harm previously discussed in this note.

Once an operator collects a child’s PI, COPPA requires the operator to:

• Give parents control over their child’s PI
• Keep the child’s PI secure
• Carefully vet all third party service providers

Give Parents Control over Their Child’s PI

An operator must give parents and guardians control over the ongoing collection, use, and disclosure of their child’s PI, as well as its deletion. Specifically, an operator must allow parents:

• Access to review and/or delete the child’s information that the operator has collected
• The right to consent to collection and internal use of the child’s PI while withholding consent for disclosure of that information to third parties
• The ability at any time to revoke consent and to stop further collection, use, and disclosure of the child’s information

Keep Child PI Secure

COPPA requires operators to adopt reasonable measures to keep child PI secure and confidential. Look to general data privacy industry standards, including:

• Encrypting highly sensitive information
• Implementing administrative, technical, and physical safeguards to protect the security and integrity of data collected and stored
• Creating and implementing a data privacy and security policy
• Adequately training any employees or contractors who have access to child PI on the applicable privacy and security policies

Vet Third-Party Service Providers

Operators are responsible for the PI they collect from children on their online service or app, even when that PI is in the possession or control of a third-party service provider. The same is true for third parties that operators allow to collect and use PI on the operator’s online service or app.

Best practice is to design and implement procedures for carefully reviewing and monitoring the data collection and use practices of all service providers, as well as their information security practices. For example:

• Ask service providers to provide you with any written policies and procedures they have.
• Place contractual security obligations on the service provider that are equal to or greater than the operator’s own under COPPA.
• Seek a right for your client to audit compliance with such security obligations in the contract.
• Perform reasonable diligence on the service provider’s privacy and information security system and practices through conversations with the service provider’s privacy and/or technology teams, review of documents, etc.

COPPA’s Safe Harbor Program

If you determine that your client must comply with COPPA, consider taking advantage of COPPA’s safe harbor program, established according to 16 C.F.R. § 312.11. Under this program, the FTC accepts the applications of independent third-party industry members or others that propose self-regulatory frameworks regarding COPPA’s information collection, storage, and verifiable consent requirements. Upon the FTC’s review and approval of such frameworks, these independent third-party frameworks are deemed to be COPPA-compliant safe harbor programs.

Operators participating in the FTC-approved safe harbor program, in most cases, are only subject to the review and enforcement procedures described in the program’s guidelines, and not the traditional and more formal FTC investigation and enforcement procedures.

Unrelated operators who follow these FTC-approved selfregulatory frameworks are considered COPPA-compliant.

These FTC-approved safe harbor services include:

• Children’s Advertising Review Unit
• iKEEPSAFE by the Internet Keep Safe Coalition
• Integrity by Aristotle International, Inc.
• kidSAFE by Samet Privacy, LLC
• PRIVO, Inc.
• Enertainment Software Rating Board
• TRUSTe

Angela Bozzuti is a Product Manager for Lexis Practice Advisor. She joined LexisNexis from Davis & Gilbert, LLP where she handled intellectual property issues and was previously associated with the intellectual property boutique firm of Ostrolenk Faber LLP. Research assistance was provided by Lori A. Bennett, associate at Lowenstein Sandler LLP.

To find this article in Lexis Practice Advisor, follow this research path

RESEARCH PATH: Intellectual Property & Technology > Privacy & Data Security > Privacy & Data Security Compliance > Practice Notes > Complying with Privacy & Data Security Laws

Related Content

1. FTC Press Release (Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of Consumers’ Locations Without Permission FTC (June 22, 2016) available at https://www.ftc.gov/news-events/press-releases/2016/06/mobile-advertising-network-inmobi-settles-ftc-charges-it-tracked (mobile ad network settled charges that it deceptively tracked consumers’ locations, including children, for geo-targeted advertising purposes without obtaining parental consent; subject to $950,000 civil penalty). 2. See, e.g., The Internet of Things Has a Child Privacy Problem, The Wash. Post (June 6, 2016), available at: https://www.washingtonpost.com/news/the-switch/wp/2016/06/06/the-internet-of-things-has-a-child-privacy-problem/. 3. Children’s Online Privacy Protection Rule, 16 C.F.R. § 312.5(b)(1)