The Children’s Online Privacy Protection Act of 1998 (COPPA): What You Should Know

By Anas Baig | Reviewed By Adeel Hasan
Published July 17, 2023

Introduction

Data remains an invaluable asset for organizations. It is growing in volume and breadth, and data from numerous sources gives organizations a more rounded understanding of their potential audiences.

One such source is children. Children's behavior and browsing habits online differ radically from those of adults. Because children are often unaware of how data about their browsing habits can be exploited, regulation is necessary to ensure adequate safeguards are in place.

In such an environment, it has become increasingly critical to be extra vigilant about children's personal information online. This is exactly what the Children's Online Privacy Protection Act of 1998 (COPPA) aims to do.

This landmark regulation gives parents greater control over, and insight into, what data websites can collect from their children, and helps ensure children can continue navigating the Internet safely and securely.

For organizations, it is critical to be aware of the obligations COPPA places on them, specifically the requirement to proceed with any data collection only after having acquired the parent's informed, verifiable consent.

Read on to learn more about the exact responsibilities COPPA places on organizations, as well as other important considerations.

Who Needs to Comply with COPPA

Material Scope

The provisions of the law apply to the following:

  1. Any operator of a website or an online service directed to children; and
  2. Any operator that has actual knowledge that it is collecting or maintaining personal information from a child.

Exemptions

The law does not apply to non-profit entities that are not subject to section 5 of the Federal Trade Commission Act (15 U.S.C. 45).

Definitions of Key Terms

A. Child

An individual under the age of 13.

B. Collection

Gathering of any personal information from a child by any means, including but not limited to:

  1. Requesting, prompting, or encouraging a child to submit personal information online;
  2. Enabling a child to make personal information publicly available in an identifiable form; or
  3. Passive tracking of a child online.

C. Verifiable Parental Consent

Making any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, a parent of the child:

  1. Receives notice of the operator's personal information collection, use, and disclosure practices; and
  2. Authorizes any collection, use, and/or disclosure of personal information.

D. Operator

Any person who operates a Web site located on the Internet or online service and who collects or maintains personal information from or about the users of or visitors to such Web site or online service, or on whose behalf such information is collected or maintained, or offers products or services for sale through that Web site or online service, where such Web site or online service is operated for commercial purposes.

E. Personal Information

Individually identifiable information about an individual collected online, including:

  1. A first and last name;
  2. A home or other physical address, including street name and name of a city or town;
  3. Online contact information as defined in this section;
  4. A screen or user name where it functions in the same manner as online contact information, as defined in this section;
  5. A telephone number;
  6. A Social Security number;
  7. A persistent identifier that can be used to recognize a user over time and across different Web sites or online services, including, but not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier;
  8. A photograph, video, or audio file where such file contains a child's image or voice;
  9. Geolocation information sufficient to identify the street name and name of a city or town; or
  10. Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.

F. Third-party

Any person who is not:

  1. An operator with respect to the collection or maintenance of personal information on the Web site or online service; or
  2. A person who provides support for the internal operations of the Web site or online service and who does not use or disclose information protected under this part for any other purpose.

Obligations for Organizations Under COPPA

All operators must obtain verifiable parental consent before initiating any collection, use, and/or disclosure of personal information belonging to children. They must also obtain the parent's consent before making any material change to the collection, use, and/or disclosure practices the parent previously consented to.

It is important to note that the operator must give the parent the option to consent to the collection and use of their child's personal information without having to consent to the disclosure of that information to third parties.

The following methods may be used to obtain verifiable parental consent:

  • Consent forms physically signed by the parent and returned to the operator by postal mail, fax, or electronic scan;
  • Requiring a parent to use a credit card/debit card or any other online payment method that provides a notification of each discrete transaction to whoever holds the account;
  • Letting the parent call a toll-free phone number and communicate with a trained representative from the operator;
  • Letting the parent connect to the trained representative via video conference;
  • Verifying a parent's identity by checking their government-issued identification.

Operators are not required to obtain prior parental consent in the following circumstances:

  • Where the purpose of collecting the parent's online contact information is to provide a voluntary notice and update the parent about their child's participation on a website that does not collect, use, or disclose their personal information;
  • Where the sole purpose of collecting the name and online contact information of the parent or the child is to provide notice and gain parental consent;
  • Where the sole purpose of collecting online contact information from a child is to respond directly to a one-time request from a child, and such information cannot be used to re-contact the child or any other purpose and will be deleted promptly once the request is honored;
  • Where the sole purpose of collecting online contact information from a child is to respond directly more than once to a request from a child, and such information cannot be used to re-contact the child or for any other purpose and will be deleted promptly once the request is honored. The operator must make reasonable efforts to ensure the parent receives a notice;
  • Where the purpose of collecting a child's and parent's name and online contact information is to protect the safety of the child and such information is not used or disclosed for any other purpose other than the child's safety;
  • Where the operator collects a persistent identifier and no other personal information, and the identifier is used solely to provide support for the internal operations of the website or online service;
  • Where the operator collects a persistent identifier and no other personal information, and the identifier is used only to identify the user as not being a child;
  • Where the purpose of collecting a child's name and online contact information is to:
    • Take precautions against liability;
    • Respond to a legal request;
    • Protect the security and integrity of the website; or
    • Provide information to law enforcement agencies for an investigation on a public safety-related matter.

Privacy Notification

Operators are required to provide parents with a direct notice before collecting, using, or disclosing personal information from children. An operator must take reasonable steps to provide the parent of a child a direct notice of its practices regarding the collection, use, and/or disclosure of the child's personal information. Any material changes in these practices must also be communicated.

The various types of notices to be provided to parents under the law are as follows:

a. Direct Notice to Obtain Parental Consent

Operators must provide the parent a direct notice before obtaining their affirmative consent for the collection, use, or disclosure of personal information from the child. Such a notice must include the following:

  • Confirmation that the operator collected the parent's online contact information from the child for the purpose of obtaining the parent's consent to data collection;
  • Confirmation that the parent's consent is necessary for the collection, use, and/or disclosure of any personal information related to the child;
  • Details of any additional information the operator intends to collect from the child, should the parent consent;
  • A link to the operator's online notice of its information practices;
  • Details of how the parent can provide verifiable consent for the collection, use, and/or disclosure of any personal information related to the child;
  • Confirmation that if the parent does not provide consent within a reasonable time from the date the direct notice was sent, the operator will delete the parent's online contact information from its records.

b. Voluntary Notice to Parents

Where the operator of a website does not collect any personal information related to the child apart from the parent's online contact information, the operator may provide a voluntary direct notice to the parent. Such a notice must include the following:

  • Confirmation that the operator collected the parent's online contact information from the child in order to provide notice to, and subsequently update, the parent about the child's participation on the website;
  • Confirmation that the parent's online contact information will not be used for any other purpose;
  • Confirmation that the parent may choose to refuse their child's participation on the operator's website;
  • Details on how the parent can request the deletion of their online contact information;
  • A link to the operator's online notice of these information practices.

c. Notice of the Operator’s Intent to Communicate with the Child Multiple Times

Where the operator of the website intends to communicate with the child more than once, it must provide the parent a direct notice which includes the following:

  • Confirmation that the operator collected the parent's online contact information from the child in order to provide the parent with this notice;
  • Confirmation that the operator collected the child's online contact information in order to send multiple online communications to the child;
  • Confirmation that any data collected from the child will be used only for the stated purpose;
  • Confirmation that if the parent refuses to permit further contact with the child, the operator will delete the child's and the parent's online contact information;
  • Confirmation that if the parent fails to respond to the direct notice, the operator may use the child's online contact information for the stated purpose.

d. Notice to Protect a Child’s Safety

Where a notice is sent to a parent in order to protect a child's safety, such notice must contain the following:

  • Confirmation that the operator collected the name and online contact information of the child and parent to protect the safety of the child;
  • Confirmation that the information will not be used for any other purpose not related to the child's safety;
  • Confirmation that the parent may refuse to permit the use of the personal information and request the deletion of all such information;
  • Confirmation that if the parent does not provide consent within a reasonable amount of time from the date the direct notice was sent, the operator may only use the information for safety purposes as stated within the direct notice;
  • A link to the operator's online notice of its data collection practices.

e. Notice on the Web Site or Online Service

In addition to the direct notice to parents discussed above, operators must also post a prominent and clearly labeled link to an online notice of their information practices with regard to children on the home or landing page or screen of their Web site or online service. Such a link must also be posted at each area of the Web site or online service where personal information is collected from children.

The online notice must include the following information to be complete:

  • The name, address, telephone number, and email address of all operators that collect or maintain personal information from children through the Web site or online service;
  • A description of what information the operator collects from children, how such information is used, and the operator's data disclosure practices;
  • Details on how the parent can request to review or delete any of the information collected on their child and refuse permission for any further collection of their child's information.

Prohibition Against Conditioning a Child

No operator may condition a child's participation in a game, the offering of a prize, or any other activity on the child disclosing more personal information than is reasonably necessary to participate in that activity.

Confidentiality, Security, and Integrity of Collected Personal Information

Operators must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected from children.

Such measures specifically include releasing children's personal information only to service providers and third parties that are capable of maintaining its confidentiality, security, and integrity.

The operator must also obtain assurances from such service providers and third parties that they will maintain and implement the aforementioned security measures.

Data Retention & Deletion

An operator must retain personal information collected from a child only for as long as is reasonably necessary to fulfill the purpose for which it was collected.

The operator must then delete such information using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion. The operator must likewise delete the information when a parent requests deletion under the provisions of these regulations.

Right of the Parents to Review Personal Information Provided By a Child

A parent has the right to request a review of any and all personal information a website has collected from their child. The operator of such a website is obligated to provide the parent with the following:

  • A description of the different types or categories of personal information collected from children by the operator;
  • The opportunity to refuse to permit the operator's further use or collection of personal information from that child, including by withdrawing previously given consent;
  • The opportunity to direct the operator to delete the child's personal information;
  • A means to review any personal information collected from the child. Such means must:
    • Ensure, via reasonable procedures and available technology, that the requester is indeed the parent of the child, so that a child's personal information is not disclosed to an impostor;
    • Not be unduly burdensome for the parent.

Neither an operator nor the operator's agent may be held liable under any federal or state law for any disclosure made in good faith and following reasonable procedures in responding to a parent's request for disclosure of personal information under the aforementioned requirements.

An operator may terminate any service provided to a child whose parent has refused to permit further use or collection of the child's personal information, or has requested deletion of the child's personal information.

The Safe Harbor Program

Under the law, industry groups or other persons may apply to the Commission for approval of self-regulatory program guidelines, also known as 'safe harbor programs'. Operators that comply with a Commission-approved safe harbor program are deemed to be in compliance with the provisions of the law.

In order to be approved by the Commission, all safe harbor programs must demonstrate the fulfillment of the following requirements:

  • The program must contain similar or greater protections for children as those contained in the law;
  • It must provide for an effective, mandatory mechanism for the independent assessment of subject operators' compliance with the guidelines, at least annually;
  • The program must contain disciplinary actions for operators found in non-compliance with the self-regulatory guidelines. This performance standard may be satisfied by:
    • Mandatory public reporting of any action taken against subject operators by the industry group issuing the self-regulatory guidelines;
    • Consumer redress;
    • Voluntary payments to the United States Treasury for violations of the regulatory guidelines;
    • Referral to the Commission of operators who engage in a pattern or practice of violating the self-regulatory guidelines; or
    • Any other equivalent action.

The Commission reserves the right to revoke any approval granted if it determines the approved self-regulatory program no longer meets the requirements of the safe harbor provisions.

Penalties for Non-Compliance

The Federal Trade Commission oversees the enforcement of COPPA. Additionally, state attorneys general may bring civil actions to enforce compliance, and certain other federal agencies, such as the Comptroller of the Currency and the Department of Transportation, enforce COPPA with respect to the entities they regulate.

Any violation of the provisions of the law is treated as an unfair or deceptive act or practice within the meaning of section 18(a)(1)(B) of the Federal Trade Commission Act, and operators found in violation may face enforcement actions from the Commission, including substantial civil penalties.

How Can an Organization Operationalize COPPA

Here are some ways an organization can operationalize compliance with COPPA within their daily operations:

  • Have a thorough and comprehensive privacy notice management framework in place, with relevant information and resources covering your organization's data processing activities in relation to children's personal data;
  • Have a detailed and easy-to-understand consent management framework that explains the need for collecting the child's data as well as how parents can revoke their consent at any time;
  • Have appropriately trained representatives available by phone or email to handle any COPPA-related inquiry from a parent;
  • Undertake strict and thorough data security measures, with particular emphasis on appropriately categorizing and securing data belonging to children, and on limiting retention to what the purpose of collection requires.

How Can Securiti Help

Consent and appropriate notice of data processing activities are the most important facets of the Children's Online Privacy Protection Act of 1998 (COPPA). The best way to meet the obligations placed upon organizations and avoid potential violations is a strong consent and notice management framework.

Securiti, a market leader in providing organizations with data privacy, security, and governance solutions, offers organizations access to its renowned consent management and privacy notice management modules that make compliance with COPPA easily attainable.

Thanks to its Privacycenter.Cloud, you can deploy and monitor all consent and privacy notice-related activities in real-time and make due adjustments whenever necessary for effective and efficient compliance.

Request a demo today and learn more about how Securiti can help your organization's COPPA compliance journey.
