COPPA for Newbies: Who is Covered by this RULE?

By Gen Li, blogger for Famigo

The Children’s Online Privacy Protection Act (COPPA) was enacted by Congress in 1998. COPPA required the Federal Trade Commission (FTC) to issue and enforce regulations concerning children’s online privacy. The FTC’s original COPPA Rule became effective in 2000, and its amended Rule became effective on July 1, 2013.

COPPA’s primary goal is to ensure that parents have control over what information is collected from their young children online. If an online service or commercial website operator fails to comply with the Rule’s requirements, then he/she is subject to a penalty of up to $16,000 per violation.

The Rule only covers developers (1) that operate mobile apps that are directed to children under 13 and collect, use or disclose personal information from children, and (2) those who have actual knowledge that they are collecting, using, or disclosing personal information from children under 13.

What does “directed to children” mean?

When determining whether an app is directed to children or not, the FTC will take the following factors into consideration: (1) the app’s subject matter, (2) its visual content, (3) whether it uses animated characters or child-oriented activities and incentives, (4) its music and other audio content, (5) age of models, (6) whether it includes any child celebrities or celebrities that appeal to children, (7) the app’s language, and (8) whether the app’s advertisements are directed to children. Bottom Line: if you are in doubt, assume the Rule applies to you.

The above listed factors indicate that the FTC is not only focused on the actual audience of the app, but also on the potential and intended audience of the app. Thus, developers should make a reasonable effort to determine what kinds of people may be attracted to the app, rather than just focusing on who they want the audience to be.

What types of information count as “personal information”?

Based on the FTC’s definition, personal information includes:

(1) first and last name;

(2) a home or other physical address including street name and name of a city or town;

(3) online contact information;

(4) a screen or user name that functions as online contact information;

(5) a telephone number;

(6) a social security number;

(7) a persistent identifier that can be used to recognize a user over time and across different websites or online services (this includes a customer number held in a cookie, an IP address, a processor or device serial number, or a unique device identifier);

(8) a photograph, video, or audio file, where such file contains a child’s image or voice;

(9) geolocation information sufficient to identify street name and name of a city or town; or

(10) information concerning the child or the parents of that child that the developer collects online from the child and combines with an identifier described above.

The good news is that this list is the exhaustive definition of personal information; any information that does not belong to the list will not be treated as personal information.

Developers should make sure that they think of privacy practices as an iterative process so that they can adapt their information collection, use and disclosure practices to the ever evolving technological landscape.  In other words; you need to embrace privacy protection into your daily design and business.

If you are interested in reading the original FTC Rule, you can find it at: http://business.ftc.gov/privacy-and-security/childrens-privacy.

Disclaimer: This blog post is not legal advice. You must not rely on the information on this website as an alternative to legal advice from your attorney or other professional legal services provider.  If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider.You should never delay seeking legal advice, disregard legal advice, or commence or discontinue any legal action because of information on this website.