Protecting Kids' Information Under the COPPA Cabana
November 2, 2017
In August 2017, Disney and three of its software developer vendors were sued in a California class action alleging that Disney collected children’s information in violation of the Children’s Online Privacy Protection Act of 1998 (COPPA). In May 2011, a Disney subsidiary, Playdom, agreed to pay a $3M settlement to the FTC for the same practices. This was a settlement, which implies that an award could have been much greater had it gone to trial. The bottom line is that even Disney, which claims to have a robust compliance program and would presumably have the resources to ensure compliance, has been taken to task under COPPA. Jon Leibowitz, then chairman of the FTC, stated:
“Let’s be clear: Whether you are a virtual world, a social network, or any other interactive site that appeals to kids, you owe it to parents and their children to provide proper notice and get proper consent. It’s the law, it’s the right thing to do, and, as today’s settlement demonstrates, violating COPPA will not come cheap.”
What is COPPA?
COPPA is a federal statute that governs the collection of information from children under the age of 13. Among other things, COPPA requires a website operator to provide notice on the website as to what information is collected, how the information is used, and the operator’s disclosure practices. Importantly, the website operator is required under the statute to obtain verifiable parental consent for the collection, use or disclosure of personal information from children. Website operators are required to provide, upon request of a parent, a description of the specific types of personal information collected from the child, the opportunity for the parent to refuse future collection, and a reasonable means for the parent to obtain the actual information collected from that child.
COPPA also prohibits website operators from conditioning a child's participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate. Further, website operators are required to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. Geolocation and IP addresses fall under the statute.
If you think that your product or service does not fall under COPPA because it is not a “website”, you could be in for a surprise. The Internet of Things, for example, provides significant opportunity for the collection of information from children under 13. This is also true for smart toys and other web-enabled devices. The increasing monetization of collected data, and the continuously improving systems for exploiting and mining such information, have led to a tremendous incentive to build data collection into seemingly innocent apps and web-enabled hardware.
COPPA is enforced in the United States by the Federal Trade Commission (FTC). Yes, the FTC actively enforces COPPA and has jurisdiction to prosecute lawsuits to enforce it. And, by the very nature of the subject matter being online services, the FTC can and does conduct monitoring operations by simply browsing the Internet.
If you operate or are considering operating any website that may collect information from children, you would be well advised to establish COPPA compliance procedures. As is true for most regulatory matters, compliance on the front end is almost always less expensive than fixing non-compliance on the back end. If you have received an FTC letter or email asking for information about COPPA compliance, be aware that this often signals that an investigation has already begun. This is generally the first step in the FTC enforcement process. FTC investigations can sometimes be handled and closed confidentially before they proceed to a lawsuit, but only if they are timely and properly addressed. Engaging qualified counsel may save significant trouble and expense.