What Should I Know About COPPA For My Online Business?

 
 

Lately there has been an uptick in concern over internet-based companies’ data collection and privacy practices, most recently in May 2023 when the Federal Trade Commission (FTC) issued a letter saying that Meta (formerly Facebook) had violated a 2020 consent order by violating the federal law known as the Children’s Online Privacy Protection Act—or COPPA—by, among other things, misleading parents as to the extent of their abilities to control who their children communicate with, and misrepresenting the access it provided some app developers to private user data. Because of this violation, the FTC is now proposing an amendment the consent order that would prohibit Meta from profiting off of the data it collects from users under the age of 18. As this letter shows, failure to comply with COPPA, which is arguably one of the most expansive and harshest data protection laws, can cause numerous problems for online businesses.

What Is COPPA?

             COPPA is a federal law that regulates the online collection and use of personal information from children under the age of 13. The law was first introduced in 1999 as the internet was becoming more widely used by children.  COPPA applies to operators of commercial websites and online services (including mobile apps and IoT devices, such as smart toys) that either direct the sites at children under the age of 13 and collect their personal information or have actual knowledge that the sites are collecting personal information from children under 13. The primary goal of COPPA is to place parents in control over what information is collected from their young children online.

             COPPA is enforced by the FTC, the federal agency tasked with protecting consumers from unfair or deceptive acts or practices in or affecting commerce (and deceptive practices include companies misrepresenting what they are doing with their customers’ data).  With the rise of the digital age, this has put the FTC as the federal de facto leader of protecting consumers’ data privacy rights.  However, states can also enforce COPPA through their state attorneys general.

What Does COPPA Require? 

            Among other things, COPPA requires commercial website operators and online services to:

1.       Obtain verifiable consent from the children's parents before collecting, using, or disclosing children's information (subject to certain limited exceptions);

2.       Provide notice of their collection, use, and disclosure practices relating to this information (the notice must meet certain specified requirements);

3.       Collect only personal information reasonably necessary for a child to participate in an activity; and

4.       Create and maintain reasonable security measures to protect this information.

Additional information about COPPA’s requirements for businesses can be found here.

What Happens If My Business Violates COPPA? 

            With limited exceptions for certain regulated entities, violations of COPPA are subject to FTC enforcement actions, including injunctive relief, civil penalties, or consumer redress.  Civil penalties for COPPA violations can be steep.  In fact, courts can hold operators who violate COPPA liable for civil penalties of up to $50,120 per violation.  And, as mentioned above, state attorneys general may also bring civil actions.  

Depending on the severity of the violations, the FTC, in addition to imposing a fine on a violative business, may also make the business enter into a consent order that outlines certain compliance and reporting obligations.  This has happened to several large companies in recent years such as Meta, Microsoft, and Amazon.  For example, Google’s 2019 consent order imposed a $170 million fine for alleged violations, outlined requirements for YouTube (a Google subsidiary) to develop, implement, and maintain a system that permits channel owners to identify their child-directed content on the YouTube platform to ensure compliance with COPPA, and required the company to provide annual training to employees who deal with YouTube channel owners about COPPA compliance.

We regularly counsel clients on COPPA and other online privacy laws.  If you have questions about how COPPA might impact your business, feel free to contact us.

Previous
Previous

Should Your Business Have an AI Use Policy?

Next
Next

Trademarking Foreign Words: An Introduction to the Doctrine of Foreign Equivalents