This month, the Federal Trade Commission (FTC) issued guidance for businesses operating websites and online services looking to comply with the Children’s Online Privacy Protection Act (“COPPA”). COPPA addresses the collection of personal information from children under 13. Importantly, the determination of whether a business’s website is “directed to children under 13” (and thus subject to certain COPPA requirements) is based on a variety of factors. Thus, even websites that do not target children as their primary audience may nonetheless be subject to COPPA’s requirements based on the website’s subject matter, visual and audio content, ads on the site that may be directed to children, and other factors.
- Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13.
- Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids.
- Step 4: Get Parents’ Verifiable Consent Before Collecting Personal Information from Their Kids.
- Step 5: Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids.
- Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information.
- Chart: Limited Exceptions to COPPA’s Verifiable Parental Consent Requirement
The six COPPA compliance steps are described below. To view the FTC’s full guidance webpage, click here.
NOTE: In addition to COPPA, it may be worth determining whether California’s state version of COPPA, the California Online Privacy Protection Act (“CalOPPA”), applies to your business and, if so, whether additional compliance measures may be necessary. CalOPPA broadly applies whenever a website or app collects “personally identifiable information” or PII (as defined in the state’s business code) from a California resident, and thus applies to the vast majority of online businesses, even if not based in California.