If your website, app, game or online service attracts kids under the age of 13, your technology product could trigger COPPA.

According to the FTC, the Children’s Online Privacy Protection Rule seeks to put parents in control of what information commercial websites collect from their children online. Most companies that run websites directed to children under 13 are aware of their responsibilities under the COPPA Rule. But if you run a site directed to a general audience or operate an ad network, plug-in, or other third-party service used by kid-directed sites, you may have COPPA compliance obligations, too.

If you answer yes to any of the following questions, your technology product likely triggers COPPA regulations:

    • Do you collect personal and/or demographic information such as first name, last name, email, phone, username, password, age, gender, city, state, hobbies?
    • Does your product have the ability for children under 13 to upload pictures, video or audio?
    • Do you share information with third parties or plug-ins?
    • Do you allow third parties or vendors to contact your subscribers?
    • Do you provide online sharing features such as “share with a friend” or “add to wish list”?
    • Do you provide Facebook Connect or other open ID authentication services?
    • Do you provide chat, message board, or other instant messaging functions?
    • Do you use behavioral or contextual marketing, which uses cookies to determine the best ads to deliver to the viewer?

What is COPPA?

Congress passed the Children’s Online Privacy Protection Act (COPPA) to ensure that parents are in control when it comes to information that websites collect on children under the age of 13. The rule has been in place since 2000, and was revised in 2013.

What does COPPA require?

The simple answer: Websites and online services that trigger COPPA must post privacy policies, provide parents with direct notice of their information practices, and get verifiable consent from a parent or guardian before collecting personal information from children.

The more complex answer: In certain circumstances, educational institutions can provide consent on behalf of parents. COPPA also has specific requirements on retention and disposal of data, and disclosure and availability of data to parents. You can learn more specifics on the FTC COPPA FAQ page, and our COPPA 101 page.

What happens if you don’t comply with COPPA?

There are a number of factors that the court assesses, but violators of COPPA can be held liable for penalties of over $40,000 per violation. COPPA gives states and certain federal agencies authority to enforce compliance.

How can you protect your product and company?

COPPA Safe Harbor Programs, such as iKeepSafe COPPA Data Privacy Certification, can assess your product for any deficiencies in compliance. iKeepSafe works with clients to make sure there are no holes in privacy policy, data retention, and parental consent practices. iKeepSafe’s certification process includes continued, customized support to help you meet current industry best practices. We are dedicated to helping technology vendors achieve and remain in compliance year-round in the constantly evolving data privacy landscape.

If your technology product triggers COPPA, as a trusted third-party non-profit organization, iKeepSafe can help keep you in compliance. For more information, register for a short demo here, call us at (540) 385-9862 or email privacy@ikeepsafe.org.

This blog post is not legal advice. Instead, we hope to introduce basic issues of COPPA and privacy, and help technology companies consider ways to build parent confidence and protections for personal information of young students.