This article was first published in the IAPP Privacy Tracker blog on 10/28/14
By Joanne Furtsch, Director of Product Policy at TRUSTe, CIPP/C, CIPP/US
It’s not just online services and websites targeted toward children that need to be diligent about following Children’s Online Privacy Protection Act (COPPA) regulations. A few months ago the Federal Trade Commission (FTC) took two companies to court for violating COPPA.
These most recent cases highlight two ends of the spectrum of COPPA violators: One was an app specifically targeted toward children, while the other was a popular app for all audiences that had a faulty age-gate mechanism and was collecting personal information from children under age 13 who were using the app.
Regardless of the audience a website or online service is intended for, these recent cases underscore the importance for companies to ensure they comply with COPPA.
COPPA first went into effect in 2000. It only applies to children under 13 because that age group was deemed the most vulnerable to online marketing (although best practices suggest asking parental permission for all minors). Two years ago the FTC revised the COPPA Rule to keep pace with rapidly changing technology by adding five additional regulations to the existing set of rules. The updates include expanding the types of personal information companies cannot collect from minors under the age of 13 unless the company gets verifiable parental consent (VPC).
The COPPA rules are fairly straightforward; however, companies struggle with compliance and implementation. One of the challenges for companies is the process of notifying parents and obtaining VPC before the child or parent loses interest. To combat this concern, the FTC is currently encouraging more user-friendly ways to obtain parental consent. For instance, in the near future, some companies could have a one-stop site where parents can manage consent and controls of the apps, websites and online services their children access.
For companies operating globally, the challenges of complying with COPPA don’t stop at obtaining VPC. Changes in the proposed EU Data Protection Regulation will define children as data subjects for the first time. Under the EU Data Protection Regulation, data collected from children under 13 will necessitate parental consent. This will require companies operating in the EU to implement a mechanism to verify that consent was given by the parent and not the child. Companies operating globally will need to comply with both COPPA and EU regulations.
Technology changes rapidly, and today’s youth can access the Internet in a myriad of ways and share information with nearly every device they use. Children under the age of 13 can play games on mobile devices, meet other players virtually and share their personal information. According to data from InternetMatters.org, 45 percent of parents whose children had a profile on Facebook didn’t know the minimum age restriction was 13. From toddlers to teens, kids’ online activity is monitored and their personal data is collected, stored and possibly shared.
Our own analysis of the levels of tracking on 40 of the top websites visited by children, using TRUSTe’s comprehensive Website Monitoring Service, discovered 1,110 third-party trackers on these websites from 644 different tracking organizations. There was an average of 24 third-party trackers on pre-school websites, 25 on education sites, 29 on gaming sites and 34 on entertainment sites. The level of tracking varied significantly, ranging from fewer than 10 to over 180 third-party trackers on the 40 sites analyzed.
In some cases it’s not the responsibility of the website or online service provider to determine the age of its users, such as when a child lies about their age. However, if at any point during that child’s use of the website or online service the site administrators learn that the user is 13 or younger, COPPA rules kick in.
The most successful companies earn parents’ trust by being transparent about how they use kids’ data. Consumers lose trust when companies lack transparency about the information that’s being collected—and even more so with children. Not only does that cause a loss of trust, but if a website doesn’t comply with COPPA, it can incur severe penalties.
Despite COPPA critics saying the regulations are difficult to enforce because children under 13 can lie and say they’re older, the FTC is continuing to clarify how companies can successfully abide by COPPA. This past summer, the FTC revised its FAQs to clarify the rules for mechanisms companies can use to obtain VPC. The updated FAQs provide greater flexibility when it comes to implementing VPC mechanisms—for instance, credit cards do not have to be used in conjunction with a transaction. Companies can now use other types of checks to make sure it’s the parent providing the credit card information and not the child, and they can use third-party platforms to obtain consent.
To learn more about how COPPA impacts your organization, we invite you to attend these upcoming events: On October 30 I will be joining Peder Magee from the FTC for an IAPP web conference on COPPA and kids’ privacy. Then, on November 19 I’ll be speaking on a panel of privacy experts at the IAPP Data Protection Congress in Brussels.