If you are considering building digital products for students or children, it is vitally important to be well-versed in the laws and regulations governing student and child privacy. This post is the third in a series aimed at providing an overview of the most important federal regulations to keep in mind when building software aimed at young audiences for both educational and recreational purposes.
- Family Educational Rights and Privacy Act (FERPA)
- Protection of Pupil Rights Amendment (PPRA)
- Children’s Online Privacy Protection Act (COPPA)
This series is a non-exhaustive list of regulations and does not include everything you need to know to be compliant with the laws. Beyond the federal laws, there are state and local laws that must be consulted as well as school district ethical guidelines to consider before you get started. This is not a legal resource and none of the information contained herein should be taken as legal advice or opinion. If you have compliance questions, please consult a lawyer who specializes in these types of regulations.
Children’s Online Privacy Protection Act (COPPA)
At a glance:
- Purpose: Protect online information collected from children
- Who must comply: Any commercial website or online service targeted to children or that knowingly collects information from children
- Consequence for noncompliance: Fine of up to $42,530 per violation
The Children’s Online Privacy Protection Act (COPPA) protects children’s personal information online. It grants rights to parents to control what information is collected online about their children who are under 13. COPPA was enacted in 1998 and took effect in 2000. As the internet and technology continue to evolve, COPPA is regularly updated to account for new types of identifiable information that can be collected about people online.
The FTC defines a child’s personal information to include their
- First and last name
- Email or other online contact information (including their usernames)
- Telephone number
- Social security number
- Any persistent identifier that can be used to recognize a user over time across different web services
- Photo, video, or audio containing the child’s image or voice
- Geolocation information that allows identification of a street name and city
- Any information combined with the list above.
Any commercial website or online service that is directed to children under 13 and who collect or use personal information from children must comply with COPPA. The term “online services” broadly means any service available over the internet, including mobile applications and internet-connected gaming platforms. COPPA also applies to websites and services whose target audience may not be children if they know that they are collecting information from children under 13. This is why many social media websites require a birth date even if it’s not displayed.
Two things to note about COPPA is that nonprofits are exempt and that it only applies to companies who are collecting information _from_ children. If information about children is provided by a parent or an adult, it is not subject to the same protections. There is an assumption that adults have a better understanding of the safety and privacy issues of sharing personal information online and can make informed decisions about whether to share certain information.
## How does this affect you
Unlike the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA) which apply to and put the burden of enforcement on schools, COPPA applies directly to technology operators. And it’s important to note that COPPA applies to all information collected from children on your online service, whether voluntary or mandatory. With a fine from the Federal Trade Commission (FTC) of up to $42,530 per violation, it is absolutely essential that a business with a child audience is well-versed in COPPA compliance.
COPPA also requires that companies get the proper level of parental consent. The FTC does not consider a notification email saying that a child is interested in signing up for an online service to meet the need for verifiable parental consent. Some examples of verifiable parental consent that the FTC provides include:
- Clear display of downloadable consent forms that may be mailed or faxed to the operator.
- Requiring that a parent use a credit card to authenticate age and identity.
- Requiring that a parent call a toll-free phone number.
- Accepting an email from a parent that includes a digital signature.
Although in some specific situations, operators may rely on the schools to obtain the required verifiable parental consent.
It is also essential that when you add features that collect additional information from children that you seek verifiable parental consent for these new features as well.
COPPA is a comprehensive law aimed at protecting children’s privacy on the internet. If you knowingly collect data from children, you are responsible for complying with COPPA and risk steep penalties from the FTC if you fail to do so. In the fast-changing world of technology, COPPA tries to protect some of the most vulnerable users of the internet and is wide-reaching in its scope. I hope this overview provides a starting point for you to dig deeper into what you’ll need to do to comply with COPPA.
As stated above, **this post is not a legal resource and none of the information contained herein should be taken as legal advice or opinion.**