If you are considering building digital products for students or children, it is vitally important to be well-versed in the laws and regulations governing student and child privacy. This post is the third in a series aimed at providing an overview of the most important federal regulations to keep in mind when building software aimed at young audiences for both educational and recreational purposes.
- Family Educational Rights and Privacy Act (FERPA)
- Protection of Pupil Rights Amendment (PPRA)
- Children’s Online Privacy Protection Act (COPPA)
This series is a non-exhaustive list of regulations and does not include everything you need to know to be compliant with the laws. Beyond the federal laws, there are state and local laws that must be consulted as well as school district ethical guidelines to consider before you get started. This is not a legal resource and none of the information contained herein should be taken as legal advice or opinion. If you have compliance questions, please consult a lawyer who specializes in these types of regulations.
Children’s Online Privacy Protection Act (COPPA)
At a glance:
- Purpose: Protect online information collected from children
- Who must comply: Any commercial website or online service targeted to children or that knowingly collects information from children
- Compliance criteria: Prominently post a privacy policy, gather verifiable parental consent, safeguard children’s personal information, and follow advertising limitations to child audiences
- Consequence for noncompliance: Fine of up to $42,530 per violation
The Children’s Online Privacy Protection Act (COPPA) protects children’s personal information online. It grants rights to parents to control what information is collected online about their children who are under 13. COPPA was enacted in 1998 and took effect in 2000. As the internet and technology continue to evolve, COPPA is regularly updated to account for new types of identifiable information that can be collected about people online.
The FTC defines a child’s personal information to include their
- First and last name
- Address
- Email or other online contact information (including their usernames)
- Telephone number
- Social security number
- Any persistent identifier that can be used to recognize a user over time across different web services
- Photo, video, or audio containing the child’s image or voice
- Geolocation information that allows identification of a street name and city
- Any information combined with the list above.
Any commercial website or online service that is directed to children under 13 and who collect or use personal information from children must comply with COPPA. The term “online services” broadly means any service available over the internet, including mobile applications and internet-connected gaming platforms. COPPA also applies to websites and services whose target audience may not be children if they know that they are collecting information from children under 13. This is why many social media websites require a birth date even if it’s not displayed.
Two things to note about COPPA is that nonprofits are exempt and that it only applies to companies who are collecting information _from_ children. If information about children is provided by a parent or an adult, it is not subject to the same protections. There is an assumption that adults have a better understanding of the safety and privacy issues of sharing personal information online and can make informed decisions about whether to share certain information.
COPPA requires that companies post a clear and explicit privacy policy describing how they use personal information collected from children online. This policy must be posted anywhere data is collected. It also requires that companies obtain parental consent before collecting or using any personal information from a child. It specifies when and how to seek verifiable consent from the parent or guardian. It states that companies must protect the data they have protected from children and limit how long they retain the data. Finally, COPPA includes restrictions on the types and methods of marketing targeting children under 13.
## How does this affect you
Unlike the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA) which apply to and put the burden of enforcement on schools, COPPA applies directly to technology operators. And it’s important to note that COPPA applies to all information collected from children on your online service, whether voluntary or mandatory. With a fine from the Federal Trade Commission (FTC) of up to $42,530 per violation, it is absolutely essential that a business with a child audience is well-versed in COPPA compliance.
COPPA requires that you post a clear and explicit privacy policy. What does clear and explicit mean? Your privacy policy must be prominently labeled on your home and landing screens and everywhere data is collected from children. The FTC does not consider a small link in the footer of a page or a link that is indistinguishable from adjacent links as ‘prominent’ and would not find you in compliance in those cases. Because of this, it’s important that your designers, as well as your developers, are aware of the compliance requirements when building your product to ensure that your privacy policy is displayed clearly enough to be compliant with COPPA.
But it’s not enough to clearly link to your privacy policy. You must also keep your privacy policy up to date. This means when adding new features and content to your product, updating your privacy policy’s collection and use of information sections accordingly to reflect those changes. Many companies fail COPPA compliance because they do not stay up to date with these material changes to the policy and only update the date.
COPPA also requires that companies get the proper level of parental consent. The FTC does not consider a notification email saying that a child is interested in signing up for an online service to meet the need for verifiable parental consent. Some examples of verifiable parental consent that the FTC provides include:
- Clear display of downloadable consent forms that may be mailed or faxed to the operator.
- Requiring that a parent use a credit card to authenticate age and identity.
- Requiring that a parent call a toll-free phone number.
- Accepting an email from a parent that includes a digital signature.
Although in some specific situations, operators may rely on the schools to obtain the required verifiable parental consent.
It is also essential that when you add features that collect additional information from children that you seek verifiable parental consent for these new features as well.
In addition to the privacy policy and parental consent requirements, COPPA also specifies data privacy and data retention requirements. You should always follow data best practices, but when dealing with the personal information of children the pressure to protect your data increases exponentially. Advocate for only collecting what is absolutely necessary for your product to function and place robust data retention policies in place to protect your child users.
Conclusion
COPPA is a comprehensive law aimed at protecting children’s privacy on the internet. If you knowingly collect data from children, you are responsible for complying with COPPA and risk steep penalties from the FTC if you fail to do so. In the fast-changing world of technology, COPPA tries to protect some of the most vulnerable users of the internet and is wide-reaching in its scope. I hope this overview provides a starting point for you to dig deeper into what you’ll need to do to comply with COPPA.
As stated above, **this post is not a legal resource and none of the information contained herein should be taken as legal advice or opinion.**
