With the recent passage of the California Consumer Privacy Act and the GDPR in Europe, it’s easy to forget that regulators have renewed their focus on and enforcement of children’s privacy through the Children’s Online Privacy Protection Act (“COPPA”). Enacted over twenty years ago, COPPA requires, among other things, that operators of commercial websites directed towards children under 13 years old provide notice to parents and obtain the parents’ consent before collecting personal information from the children, and that they give parents the ability to stop further use or collection of a child’s personal information.
Until a couple of years ago, enforcement of COPPA was relatively rare, and the penalties were not particularly steep for violators of children’s privacy. However, it appears regulators have renewed their focus on enforcing and protecting children’s privacy. The latest two enforcements of COPPA (discussed below), which exceeded $10 million, indicate that federal and state regulators plan to investigate child privacy complaints and enforce COPPA aggressively.
In December 2018, AOL was fined nearly $5 million for knowingly violating COPPA. Between October 2015 and February 2017, AOL conducted billions of auctions for ad space on hundreds of websites which AOL knew were directed towards children. Through these ads, AOL collected children’s personal information without parental consent. AOL knew that many of these websites were subject to COPPA, as AOL was informed by both the websites and through its own internal review. Despite these warnings, AOL continued its practice of collecting children’s information without parental consent. For these actions, the New York Attorney General imposed a $4.95 million fine, which at the time was the largest COPPA fine in US history.
In February 2019, TikTok, an app developer that allowed users to share videos of the user lip-syncing to music and whose accounts are public by default, suffered a similar fate to that of AOL. TikTok required children to input their age to create a profile with TikTok, and the app also shared the children’s location, even going so far as to allow others to see which children were in a 50-mile radius of that user. Despite receiving thousands of complaints and knowing that they were collecting children’s personal information without parental consent, TikTok failed to delete the children’s personal information from their servers. Because TikTok knew it was violating COPPA and did not delete the children’s information after receiving so many complaints, the FTC imposed its record-setting $5.7 million fine.
Helpful Tips to Comply With COPPA:
At the outset, it should be noted that COPPA has quite a few requirements; however, when looking at the recent enforcement cases, it’s apparent that companies are failing at the most basic levels of adhering to COPPA. First, it’s important to determine whether your website or online service is subject to COPPA. FTC guidance on this matter states that if any of the following scenarios apply, you are subject to COPPA:
- Your website or online service is directed to children under 13 and you collect personal information from them;
- Your website or online service is directed to children under 13 and you let others collect personal information from them;
- Your website or online service is directed to a general audience, but you have actual knowledge that you collect personal information from children under 13; or
- Your company runs an ad network or plug-in, for example, and you have actual knowledge that you collect personal information from users of a website or service directed to children under 13.
After notifying the children’s parents of your intent to collect the child’s personal information, you’ll need to obtain parental consent. The FTC provides several options on how this can be done, but some of the most common are having the parent sign a consent form and send it back to you by fax, mail or electronic scan; having the parent use a credit card, debit card, or other online payment system that provides notification of each separate transaction to the account holder; or having the parent call a toll-free number staffed by trained personnel.
Finally, it’s important to note that after examining the TikTok and AOL cases, the FTC came down particularly hard on these companies because both AOL and TikTok had direct knowledge that they were collecting children’s information without parental consent and still chose to not completely remediate the problem. This is a problem that plagues many organizations when they learn that they may be violating the law – they either ignore the warnings or they enact half-measures that do not completely remediate the problem. If your company receives information that it may be violating a regulation, it’s important to take heed of these warnings and to take action that fully addresses the problem. While it will cost time and money to fix these problems, it beats the alternative of having to pay millions of dollars in fines as well as having to experience the reputational damage that came about because of the knowing violations.
About the Author:
Dan Kiehl obtained his Juris Doctor degree from Valparaiso Law School in 2012, and practiced law for three years before transitioning to a compliance-based consulting role allowing him to help a wide variety of healthcare organizations remain compliant with multiple healthcare laws and standards. In his current role as a CompliancePoint Policy Analyst, he consults with a wide variety of organizations to ensure their privacy and information security policies are compliant with the various regulatory and third-party frameworks (e.g., GDPR, HIPAA, HITRUST, PCI, SOC 2, NIST and ISO). He is also a veteran of the Iraq war.
 “Children’s Online Privacy Protection Rule: A Six Step Compliance Plan for Your Business,” Federal Trade Commission (June 2017) (Last accessed March 24, 2019), <https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance#step1>.