When setting up an online business, there are a lot of elements that you need need to consider. For example, websites designed for children under age 13 or sites that know they're collecting information from children under 13 are subject to rules concerning child online privacy. Failure to comply with these rules can lead to steep government fines. Congress enacted the Children's Online Privacy Protection Act (COPPA) in 1998.
The law allows parents to control the information collected by businesses and websites from children. Since that time, the Federal Trade Commission (FTC) has monitored businesses to ensure they're in compliance with COPPA. With the first changes to the rules coming July 1, 2013, we reviewed new COPPA guidelines to find answers to the most important questions you may have about this law.
Does COPPA apply to my business?
COPPA applies to any commercial website or online service (including mobile apps and social networking sites) targeting kids under 13 that collects, uses, or discloses personal information from children. The law also applies to general audience websites or online services that are knowingly collecting, using or disclosing personal information from children under 13. Personal information is defined as a screen name, or a "persistent identifier" such as IP address, or traditional information including phone number, social security number, photographs, video, and more.
What does my business need to do to comply with COPPA?
If your app or website fits the criteria above, you are required under COPPA to post privacy policies, provide notice to parents, and obtain verifiable parental consent before collecting personal information from children. You can get parental consent by offering a mail-in consent form, a toll-free number or videoconference for parents to contact your staff.
In the case of a purchase made by a parent on the site, use of a credit card that provides notice of the sale to the account holder may suffice. The guidelines state, however, that use of a parent's app store account password is not sufficient to comply with the parental consent requirement. Some exceptions to the prior parental consent rule may apply, check the FTC website for more information.
Are there penalties for not complying with COPPA?
Yes. The FTC may file a complaint and a court may hold a site operator liable for up to $16,000 for each child your business unlawfully collects information about. States may also bring COPPA enforcement actions against businesses, such as issuing a court order for your company to comply with COPPA.
What if the child lies about his/her age on a general audience website?
The website owner isn't required to investigate the age of visitors to the site. However, if you have knowledge that a child is using your site (for example, you are notified by a concerned parent), then you could be responsible for gathering information from a child.
Lastly, if your website is subject to COPPA, you may want to contact an expert to ensure your site is in compliance. The FTC published a set of guidelines and Frequently Asked Questions to answer questions about COPPA and the rule revisions.