COPPA: The Basics 2016-12-21T00:14:08+00:00

The new COPPA goes into effect on July 1, 2013. Are you ready? Here are some basics for you to know prior to the effective date. This is not an exhaustive post. Please visit the FTC’s COPPA FAQ for additional answers.

1.    What is COPPA?

COPPA, the Children’s Online Privacy Protection Act, is a law passed over a decade ago in the United States. The United States Federal Trade Commission (FTC) oversees and enforces this law. The rules were recently updated by the FTC to reflect the changes in technology over the past decade.  This law describes how app developers can treat their users who are under 13.

The goal of the rule is to give parents control of how their children’s data is collected through an app. If your make apps are directed at children under 13 in the U.S. (even if you, the developer, are not based in the U.S.), you need to follow the rules for COPPA.

2.    How does one comply with COPPA?

The COPPA rule outlines how apps may and may not collect data from users under the age of 13.  If you collect data (even for just a short time), you must display a privacy policy, notify parents, and get their verifiable consent if you or any of your third parties (analytics, plug-ins, etc.) collect any personally identifiable information. This does not apply to data stored on the device that is NOT collected by the developer (example: your app allows photos to be taken but those photos are ONLY stored on the device).

The following are personally identifiable information (PII):

  • First and last name;
  • A home or other physical address including street name and name of city or town;
  • Online contact information;
  • A screen or user name that functions as online contact information;
  • A telephone number;
  • A social security number;
  • A persistent identifier that can be used to recognize a user over time and across different web sites or online services;
  • A photograph, video, or audio file, where such file contains a child’s image or voice;
  • Geolocation information sufficient to identify street name and name of city or town; or
  • Information concerning the child or the parents of that child that the website or app collects online from the child and combines with one of the points listed above.

3.    If the app does not collect any data, what does one need to do to follow the law?

When you make an app, you need to be sure that you and any third parties you use are not collecting ANY information. If you can guarantee that you and your third parties do not collect any data, you still may want to consider having an easy-to-read privacy policy that clearly outlines that policy.

You should also keep in mind that if you ever receive any personally identifiable information, you must delete that information.

4.    What is verifiable parental consent?

If you collect any of the PII listed above, you MUST get verifiable parental consent BEFORE you collect any data. The FTC has outlined a few ways for you to get that consent:

  • Providing a consent form to be signed by the parent and returned via U.S.  mail, fax, or electronic scan (the print-and-send method);
  • Requiring the parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder, which does NOT include the initial purchase in the app store;
  • Having the parent call a toll-free telephone number staffed by trained personnel, or have the parent connect to trained personnel via video-conference; or
  • Verifying a parent’s identity by checking a form of government-issued identification against databases of such information, provided that you promptly delete the parent’s identification after completing the verification.

After obtaining parental consent, you need to provide a parent access to their child’s information to review or have information deleted, if requested. You also need to keep that information secure and for only as long as necessary.

FTC Safe Harbors (to be discussed in a future post) may be able to guide you on acceptable methods for obtaining verifiable parental consent. The current COPPA safe harbors are: Aristotle, Children’s Advertising Review Unit (CARU), Entertainment Software Rating Board (ESRB), TRUSTe, and PRIVO.

5.    Are there other laws around the world that also might have an impact?

YES! There are laws in many countries that govern what data and from whom you can and cannot collect. Here are just a couple (these apply to all people, not just children):

The EU Cookie Law was changed on May 26, 2011 and applies to how you use cookies for storing information on a user’s device.

Mexico’s Privacy Notice guidelines require privacy notices prior to data collection in Spanish.

There are more laws in the works. For example, the EU is also looking to overhaul their data protection laws. The EU General Data Protection Regulation was proposed on January 25, 2012. This will unify data protection within a single law across the European Union. This is not law as of right now but something we’re monitoring.