If yours is a business that caters to kids, and you have a website that is more than just an “online brochure”, you likely need to comply with the Children’s Online Privacy Protection Rule (COPPA).

 

How do you know if COPPA applies to your website?

 

Answer the following questions:

Is your website or online service directed to children under 13 and do you collect personal information from them?

Is your website or online service directed to children under 13 and do you let others collect personal information from them?

Is your website or online service directed to a general audience, but do you have actual knowledge that you collect personal information from children under 13?

Does your company run an ad network or plug-in, for example, and do you have actual knowledge that you collect personal information from users of a website or service directed to children under 13?

 

If you said YES to any of the above, you need to comply with COPPA.

 

How do I comply?

 

If you believe COPPA applies to your website (or online service), then you need to take a few measures.  First, your Privacy Policy needs to be clear and easy to find/access.  Link to it from your home page.  The link should be clear, legible, and conspicuous.

 

Your Privacy Policy must include the following: a list of all third-party operators collecting information for you, with their contact information; a description of the data you collect and how it is used; and a description of parental/guardian rights.

 

But having a compliant privacy policy is not enough! You have to walk the walk, not just talk the talk. Compliance requires that your internal processes include notifying parents/guardians about your information practices before collecting data, and getting verifiable consent from parents/guardians before collecting data. How you do that is up to you; there are several acceptable ways, including obtaining a physical signed consent form, getting confirmation via video conference, checking a valid government-issued ID against a database, or using knowledge-based questions that would be difficult for a non-parent or guardian to answer correctly.

 

Are there exceptions?

 

Of course, there are always exceptions to any law, and COPPA is no different.  For example, you don’t need to collect parent/guardian consent to collect information from a child so that you can get parent/guardian consent to collect the data you actually need for the service.  Otherwise, you’d be stuck in an endless loop!  You don’t need parental/guardian consent to collect data to protect a child’s safety, nor do you need consent to collect data to protect the security or integrity of your website, to respond to a judicial process, or to provide information to law enforcement.  However, the data you collect in those instances must be limited and cannot be used for any other purpose.

 

The easiest exception is if you are not, in fact, knowingly collecting the information of a child under 13 years old.  Even if your business provides services or products for children, if you don’t collect their information then you don’t fall under COPPA.

 

What happens if I accidentally collect information from a child under 13?

 

Your privacy policy should address this situation. You should have a way to make a reasonable attempt to notify the child’s parent or guardian about the data collection and have a process in place to delete such information once the parent/guardian has been notified or a reasonable attempt was made.

 

What happens if I violate COPPA?

 

If COPPA applies to your website and you are not complying, you can face penalties of up to $46,517 per violation. The amount will vary on a case-by-case basis, based on a number of factors including the egregiousness of the violations, whether the operator has previously violated the Rule, the number of children involved, the amount and type of personal information collected, how the information was used, whether it was shared with third parties, and the size of the company. COPPA is enforced by the Federal Trade Commission, but it also gives states and certain federal agencies the authority to enforce compliance with respect to entities over which they have jurisdiction.

 

What do I do if COPPA does apply, but I am not in compliance?

 

Stop collecting personal data from children under age 13, and stop disclosing and using any such data you have already collected, until you are in full compliance.

 

Need help?  You can find more information here:

https://www.ftc.gov/business-guidance/resources/childrens-online-privacy-protection-rule-six-step-compliance-plan-your-business

And you can connect with a Safe Harbor Program here: https://www.ftc.gov/enforcement/coppa-safe-harbor-program