The $450,000 Question: How to Avoid a COPPA Violation

Cute Kid CryingTwo recent FTC settlements in complaints brought against Yelp and a mobile app developer called TinyCo demonstrate how seriously the government takes violations of the Chlidren’s Online Privacy Protection Act (COPPA) Rule.

Yelp was accused of collecting personal information from children through its app without first notifying parents and obtaining their consent. According to the FTC, the violations occurred between 2011 and 2013, during which time Yelp required registrants under the age of 13 to provide a date of birth, their name, email address, location, and other content without obtaining parental consent.  Yelp agreed to pay a $450,000 civil penalty and delete the information it collected from children.

TinyCo was also accused of including an optional feature that collected email addresses from users (including children under 13), without first providing parents with notice and obtaining consent.  TinyCo agreed to a $300,000 penalty and to delete the offending information it.

TinyCo develops a line of popular children’s apps, including Tiny Pets, Tiny Zoo, and Tiny Monsters.  Therefore, the FTC action should not come as a total surprise.  In contrast, Yelp is a business search and review service, and is in no way directed to children, which begs the question: Why is it writing a $450,000 check to the government?

Here’s why: when Yelp launched its app in 2013, it required new users to input their age when signing up.  Several thousand of children under the age of 13 downloaded the app, and although Yelp had actual knowledge of their age, it still allowed them to sign up and have access to all of the features, regardless of what date of birth they input.

Anyone with a phone can download an app regardless of their age- there are no muscle-bound bouncers checking ID cards.  The issue here is that, because it asked a registrant’s age, Yelp had actual knowledge of the fact that it was collecting personal information from children.  The COPPA Rule requires any company that is aware of the fact that it is collecting such information to provide notice to parents of its information practices, and to obtain verifiable parental consent prior to collecting, using, or disclosing that information.

Complying With COPPA

Every company that operates a commercial website or online service is likely covered by COPPA if it collects a birthdate during the registration process, because it is deemed to have actual knowledge of the age of its users.   T0 avoid a fate similar to  Yelps, every site operator should follow these simple rules:

1.  Prepare a COPPA-compliant privacy policy:  Be certain to make it accessible via a clear and prominent link on your home page and anywhere you collect a birthdate or personal information from children under 13.

2.  Develop COPPA compliance procedures:  Develop a COPPA-compliant parental notice form and use it to provide direct notice to parents before collecting personal information from their children and  use an approved verifiable parental consent method to obtain parental consent before collecting, using, and disclosing a child’s personal information.

3.  Employ reasonable (industry standard) data protection procedures:  Protect the confidentiality, security, and integrity of personal information collected from children.

4.  Collect as little personal information as possible.   You should also keep it only as long as reasonably necessary, and delete when you no longer need it or if requested to do so by a parent.

Finally, be certain that your service providers with whom you share information are also COPPA compliant.  If you are operating a website or online service that is directed to children, you should consider participating in an FTC-approved Safe Harbor program.  Safe harbor program participants are generally deemed to be in compliance with the COPPA Rule if they are in compliance with the program’s guidelines; and are subject to review and disciplinary procedures outlined in the program’s guidelines.

Seth Heyman
Seth D. Heyman is a California attorney with extensive experience in advertising and marketing law, corporate law, contracts, governmental regulations, international business, and Internet law. He has counseled numerous successful companies, both public and private, and was responsible for regulatory compliance, contract management, corporate governance, and HR best practices for multiple organizations in many diverse industries, including marketing, telecommunications, energy, and technology development. He offers insight and guidance on federal and state direct mail, TV, radio, telemarketing, and Internet marketing laws, as well as online promotions, Internet privacy, data protection regulations, and similar matters.