Children’s online privacy has been making headlines as lawmakers in California and Washington, DC grapple with how to best protect children online. (See the CBS coverage here.) While we’ll need to wait and see whether these bills are enacted into law and what provisions they contain, it seemed like a good time to cover the existing Children’s Online Privacy Protection Act (COPPA).
What is COPPA?
The Children’s Online Privacy Protection Act is a U.S. federal law that has been in effect since 2000. It regulates the collection of personal information from children 13 and under by certain online services including websites, advertising, and mobile apps.
COPPA requires certain companies to obtain verified parental consent (“VPC”) before collecting personal information from a child.
It’s important to note that the definition of personal information under COPPA is different than the definition under other privacy laws.
Under COPPA, personal info includes anything that can be used to track a child across sites, apps, or devices. Persistent identifiers are all considered personal information under COPPA, which means companies are barred from using or tracking any of the following information about children without parental consent:
- Cookies,
- Google Ad IDs,
- Precise geolocation,
- Full IP address,
- Full referrer URLs,
- Full user agents,
- Photos,
- Videos, and
- Voice recordings of children.
What this means in practice is that COPPA bars behavioral advertising, retargeting, and user profiling.
5 Quick COPPA Compliance Tips:
Restrict Advertising
As a content owner, COPPA restricts you to contextual advertising with partners that do not collect any personal information from children.
Provide Parents with Direct Notice
Before collecting personal information from children under 13 you must provide parents with direct notice. Additionally, if you materially change your practices, you must provide updated direct notice to parents. The notice must inform parents:
- That you collected their online contact information for the purpose of getting their consent;
- That you want to collect personal information from their child;
- That their consent is required for the collection, use, and disclosure of the information;
- The specific personal information you want to collect and how it might be disclosed to others;
- A link to your online privacy policy;
- How to consent; and
- That if the parent does not provide consent within a reasonable time, you will delete the parent’s online contact information from your records.
Obtain Verifiable Parental Consent (VPC):
Obtaining VPC requires you to contact a parent, verify his or her identity, and then obtain his or her consent. (Find more information about how to do so in our blog post about Verifiable Parental Consent).
Honor Parents’ Ongoing Rights Regarding their Children’s Information.
If a parent asks you to, you must:
- Enable them to review the personal information you have collected from their child;
- Provide them with a way to revoke their consent and prohibit further processing of their child’s information; and
- Delete their child’s information.
Take Reasonable Measure to Protect the Security of Children’s Information
Basic principles include:
- Data Minimization: Minimizing what you collect.
- Third-Party Management: Ensuring any third parties (including service providers) with whom you share information are capable of maintaining its confidentiality, security, and integrity.
- Data Retention: Retaining children’s data only for so long as reasonably necessary.
- Disposal: Securely disposing of children’s information once you no longer need it.
If you’re uncertain about your obligations under the COPPA, reach out. Our privacy attorneys would be thrilled to help.
Disclaimer
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.