Website COPPA compliance: it’s not kid stuff
November 2016 | EXPERT BRIEFING | DATA PRIVACY
Regulators are sharpening their focus on the Children’s Online Privacy Protection Act (COPPA), causing companies to consider whether tracking technologies improperly foray into the personal lives of children. New York Attorney General Eric T. Schneiderman recently settled with several large companies whose websites allegedly violated COPPA by incorporating common third-party tracking technologies, such as cookies, to track children’s online activity.
With this landmark settlement announced on 13 September 2016, the New York Attorney General, as well as the Federal Trade Commission (FTC), expressed their commitment to actively enforce COPPA and “send a strong message to companies about the importance of complying with the COPPA Rule”. This focus poses new challenges for companies in an environment of rapidly evolving tracking technologies, making it difficult for website operators to reliably monitor the activities of third-party advertisers and entities.
What is COPPA?
COPPA’s purpose is to place parents in control over what information is collected from their young children online. It applies to a wide variety of websites and online services – even those that may not be obviously geared towards children. And, as recent enforcement actions demonstrate, common technologies may fall within the province of COPPA.
In general, COPPA applies to operators of commercial websites or online services which collect personal information from users or visitors who are children if the site or service: (i) is ‘directed’ to children under the age of 13; or (ii) is meant for a general audience, but the operator has ‘actual knowledge’ that users may be children under the age of 13. COPPA also applies to operators of third-party services such as ad networks or plug-ins that have actual knowledge they are collecting personal information from users of other websites or online services directed to children under the age of 13.
In determining whether the site is ‘directed’ at children, regulators will consider the visual content of the site, its use of animated characters and other characteristics, in addition to the intended audience of the site. For example, even though TinyCo makes mobile app games for general audiences, because some of its apps appeal to children with brightly coloured characters and simple language, in 2014 the FTC found that those apps are subject to COPPA.
What constitutes ‘actual knowledge’ is more difficult to discern. Actual knowledge of a user’s age includes asking for, and receiving, information that allows an operator to determine the age. While asking for and receiving a date of birth or year in school on a site’s registration page may provide actual knowledge of users under 13, other indicators may be less clear but still potentially provide ‘actual knowledge’. For example, the FTC has stated that a third-party site or service, such as an ad network or plug-in, may have ‘actual knowledge’ if it receives direct communication or recognition through its representatives of the child-directed nature of a site where it operates. It may also have actual knowledge if a concerned parent informs a representative of the ad network or plug-in that it is collecting information from children.
If an operator of a website or online service falls within COPPA, it must meet three main requirements. First, operators must post clear and prominent privacy policies describing their own activities and the activities of their third-party business associates. Second, operators must take reasonable steps to safeguard the confidentiality and security of any personal information collected from children. Finally, and most crucially, operators cannot collect personal information from children without meeting COPPA’s strenuous requirements to obtain verifiable consent from parents after providing direct notice to parents.
While COPPA covers what is typically understood as personal information – name, address, email address, telephone number or social security number – it also includes geolocation information sufficient to identify a street and city name, photographs or audio files containing a child’s image or voice, and ‘persistent identifiers’, such as a customer number held in a cookie, an IP address, a device serial number, or a unique device identifier, that can be used to recognise a child across different websites and over time.
This prohibition on the collection of ‘persistent identifiers’ can make compliance difficult for many companies. The NY Attorney General’s two-year ‘Operation Child Tracker’ enforcement action was aimed at this type of activity. This application of COPPA creates risk for any operators using information, such as cookies or IP addresses, to track users of their websites for marketing or advertising purposes.
Enforcement actions targeted at ‘persistent identifiers’
In late 2015, the FTC first alleged violations of COPPA based solely on the collection of personal identifiers by advertisers. The defendants, two makers of mobile apps for children, LAI Systems, LLC and Retro Dreamer, were alleged to have violated COPPA when they allowed third-party advertising networks to collect personal information from children in the form of persistent identifiers in order to target advertisements. The two companies paid a combined $360,000 in penalties and agreed to comply with COPPA in the future.
On 22 June 2016, Singapore-based mobile advertising company InMobi settled charges brought by the FTC for $950,000 in civil penalties and an agreement to implement a comprehensive privacy programme. The FTC alleged that the company deceptively tracked the locations of child consumers without their knowledge or consent in order to serve targeted advertising.
On 13 September 2016, NY Attorney General Schneiderman reached a landmark settlement with four companies that operate some of the country’s most popular children’s websites, requiring a combined $835,000 in penalties and implementation of significant reforms. According to the NY Attorney General, ‘Operation Child Tracker’ discovered that tracking technology at children’s websites operated by Viacom, Inc., Mattel, Inc., Hasbro Inc. and JumpStart Games, Inc. allowed third-party vendors, such as marketers and advertising companies, to track children’s online activity in violation of COPPA.
For example, Viacom, which operates popular children’s websites such as Nick Jr. and Nickelodeon, was alleged to have allowed advertisers to implement technology on its websites that tracked and profiled children’s information. Of note, even though Viacom considered some of its websites to be parent-directed, the NY Attorney General found that portions of mixed audience websites “appealed to children”, and must comply with COPPA.
What to do?
Compliance with COPPA is no simple task. Even if the target audience of a company or business is not children under the age of 13, the company should consider whether any of its online or mobile sites or information appeal to or attract children, or whether it collects information that may give ‘actual knowledge’ of a child’s use of the website, which would subject the company to the requirements of COPPA.
In addition, as part of third-party risk management, companies should sufficiently monitor and vet all advertising companies and third parties allowed to operate on websites and online applications. Such third parties can inject significant risk by collecting personal information of children or using tracking. COPPA’s broad definition of ‘persistent identifiers’ causes the most uncertainty for companies trying to comply with COPPA.
In the NY Attorney General’s investigation, JumpStart, a developer of educational and entertainment software and websites for children, was alleged to have violated COPPA by allowing a Facebook plug-in to a website to track user behaviour. According to the AG, JumpStart should have notified Facebook that its website was directed to children.
Given the continued rapid growth of online activity by children and the changing advertising practices in this digital age, companies should closely monitor their online and digital activity and consider COPPA’s scope and requirements, particularly given its strict liability provisions and potential for large civil penalties for violations. Both the FTC and state attorneys general provide various compliance guides and checklists that can aid companies in navigating COPPA.
Phyllis B. Sumner is a partner and leader of the Data, Privacy and Security Practice, Elizabeth D. Adler is a senior associate and Anush Emelianova is an associate at King & Spalding. Ms Sumner can be contacted on +1 (404) 572 4799 or by email: firstname.lastname@example.org. Ms Adler can be contacted on +1 (404) 572 3555 or by email: email@example.com. Ms Emelianova can be contacted on +1 (404) 572 4616 or by email: firstname.lastname@example.org.
© Financier Worldwide
Phyllis B. Sumner, Elizabeth D. Adler and Anush Emelianova
King & Spalding