The Children’s Online Privacy Protection Act (COPPA) is a U.S. federal law that (usually) requires companies to obtain verifiable parental consent before collecting, using or disclosing personal information from a child 13 and under. It has been in effect since 2000 and impacts companies providing online services including websites, advertising, and mobile apps.
However, the COPPA legislation leaves it up to companies to determine how they will collect verifiable parental consent. In this post, we’ll outline some general principles and acceptable methods for achieving this:
General Principles for Collecting Verifiable Parental Consent
Companies Must Obtain Parental Consent Before Collecting Personal Information
With very limited exceptions, companies must get verifiable parental consent before collecting any personal data online from children under 13.
There are a number of limited exceptions to the COPPA Rule. However, we wanted to elaborate on one exception that we regularly see clients misinterpret: the internal operations exception.
Internal Operations Exception: COPPA
The internal operations exception applies where personal information collected from a child is used to support internal operations, such as:
- Authenticating users;
- Personalizing content;
- Serving contextual advertising or frequency capping;
- Protecting the security or integrity of the user, website, or online service;
- Ensuring legal or regulatory compliance;
- Performing network communications;
- Maintaining or analyzing the functioning of the service; and
- Responding to a child’s specific request.
Under this exception, companies are not required to obtain verifiable parental consent where the collection of this information from children 13 or under is solely for the above purposes.
It’s important to note that this exception must be interpreted very narrowly.
Moreover, companies cannot use the information they collect to contact a specific person or amass a profile about that person. Nor can the exception be relied on if personal information other than a persistent identifier is collected.
Parties Permitted to Provide Verifiable Parental Consent
A child’s parents (or legal guardians) will typically be required to provide the verifiable consent. However, COPPA allows a child’s teacher, school, or school district (“educators”) to act as the parent’s agent and consent on a parent’s behalf in some circumstances.
The school’s authority to act on behalf of a parent is limited to the school context. This means that the school’s ability to consent is limited to situations in which the student’s personal data is used for the benefit of the school and for no other commercial purpose (such as behavioral advertising or building user profiles for commercial purposes).
The Consent Must Be Verifiable
The verifiability of the consent is a key element of COPPA compliance. While the FTC hasn’t prescribed exactly how companies can meet this requirement, it has offered guidance.
Whatever method you choose to get parental/educator consent “must be reasonably calculated, in light of available technology, to ensure that the parent/educator providing consent is the child’s parent/educator.”
Accepted Methods of Obtaining Verifiable Parental Consent
Examples of methods that meet this standard include:
- Print & Send. Providing a consent form to be signed by the parent/educator and returned by mail, fax, or by electronic scan;
- Credit/Debit Card. Requiring the parent, in connection with a monetary transaction, to use a payment card or other online payment system that provides notification of each discrete transaction to the primary account holder;
- Telephone or Videoconference. Having the parent/educator call a toll-free telephone number staffed by trained personnel or having the parent/educator connect to trained personnel via videoconference;
- Facial Recognition-Facilitated Photo Matching. Verifying a parent/educator’s identity by checking a form of government-issued ID against a recognized database of such information. Bear in mind that, if you use this method, you must be sure that you promptly delete the parent/educator’s identification after completing the verification.
- Knowledge-based Challenge Questions. Asking the parent/educator to answer a series of knowledge-based questions that would be difficult for someone other than him or her to answer.
So long as you use a reasonably reliable method of contacting a parent/educator, you do not need to collect additional information to confirm that it is, in fact, the parent/educator and not another adult who is submitting consent for the child.
You may want to offer multiple methods for obtaining consent in case some parents/educators cannot or will not use your chosen consent method. For instance, if you choose to use a credit card or a telephone/video conference with a parent/educator as your primary verifiable parental consent method, you could also rely on the “print-and-send” consent form as a backup.
Finally, be sure you keep a record of having obtained verifiable parental/educator consent for each child from whom you collect personal data.
The Email Plus Method of Collecting Consent
Another method commonly used is the “email plus” method. The “email plus” method involves collecting parental/educator consent by simply sending an email to a parent/educator’s email address and having the parent/educator click an “I consent” link (and then following up with a second email to confirm consent – the “plus”).
You may use the “email plus” method if you use the information you collect from children solely for internal business uses and never display this information publicly. If you disclose children’s information to third parties or allow children to make the information publicly available then you cannot use the “email plus” method. If a company allows users to upload profile photos and otherwise displays children’s personal data publicly (e.g., via video feeds during online classes) this option is not available.
Obtain Updated Consents When Information Practices Change
Remember that if you change your information practices in a material way in the future, you will have to send a new Direct Notice and obtain updated consent to the new practices.
The updated notice must inform parents:
- That you collected their online contact information for the purpose of getting their consent;
- That you want to collect personal information from their child;
- That their consent is required for the collection, use, and disclosure of the information;
- The specific personal information you want to collect and how it might be disclosed to others;
- How to consent; and
- That if the parent does not provide consent within a reasonable time, you will delete the parent’s online contact information from your records.