As the way we work, consume, travel, and interact has changed due to Coronavirus Disease 2019 (COVID-19), so too has the way our children learn and play changed. Millions of children (and families) affected by the closures of in-person schools, day cares, athletics, summer camps, and other kids programming now rely on home computers and devices for distance learning, exercise classes, music lessons, recreational gaming, and other activities.
For many businesses, engaging children online may be a new frontier, and one in which they are unwittingly wading into regulated waters for the first time. Online services directed to children under 13 years old are regulated by the Children’s Online Privacy Protection Act (COPPA).
Is My Business Covered Under COPPA?
If your business is offering to children under 13 any online class or activity, the service is likely subject to COPPA. The COPPA Rule applies to any operator of a commercial website or online service, including mobile applications, which are directed to children under 13, that collect, use, or disclose personal information. COPPA also covers businesses owning and operating general audience websites, if they have actual knowledge that they are collecting, using, or disclosing children’s information. Furthermore, businesses that collect from other businesses information directed to children, as may be the case with an outside service such as a plug-in or advertising network, are covered under the COPPA definitions.
What Does COPPA Require?
Operators of commercial websites and online services directed to children must comply with the following requirements, as summarized by the Federal Trade Commission (FTC) in a series of FAQs:
- Post clear and comprehensive privacy policies, describing their information practices for personal information collected online from children;
- Provide direct notice to parents, and obtaining verifiable consent (with few exceptions) before collecting personal information from children;
- Provide parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting businesses from disclosing children’s personal information to a third party (unless disclosure is integral to the site or service, and in such case, this must be made clear to parents);
- Provide parents access to the child’s personal information collected, and allowing parental deletion;
- Allow parents to prevent further collection or use of the child’s personal information;
- Maintaining the confidentiality, security, and integrity of information collected from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
- Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected, and delete the information using reasonable measures to protect against its unauthorized access or use.
Depending on where an operator fits into the online ecosystem, obligations may differ.
Operators Interacting with Children Through a Third-Party Service Provider
If a business uses streaming, video conferencing, messaging, or other third-party service provider platforms to host or aid in the facilitation of its online content, it must comply with COPPA if it collects personal information from children through the provider. To do so, it is paramount to review service providers’ privacy policies to confirm what personal information, if any, will be collected through the platform and understand how to comply with COPPA when using their services.
EdTech Companies Providing Educational Content
On April 9, 2020, the FTC issued COPPA-related guidance for operators of educational technology (EdTech) used both in physical world schools and for virtual learning. In the FTC’s view, schools can consent on behalf of parents to the collection of student personal information if two conditions are met. First, the information must be used for a school-authorized educational purpose and for no other commercial purpose. Second, the EdTech service must provide the school (or the school district) with the necessary COPPA-required notice of its data collection and use practices. EdTech services accordingly may wish to make the COPPA notice available to parents, and, where feasible, let parents review the personal information collected.
EdTech services also may be subject to the Family Educational Rights and Privacy Act (FERPA), which is a federal privacy law that applies to educational agencies, institutions, and applicable programs funded by the U.S. Department of Education (DOE). FERPA gives parents of students under the age of 18 years old:
- the right to access education records and seek amendment of such records;
- the general right to consent to the disclosure of any personally identifiable information (PII) from student education records; and
- the right to file a complaint under FERPA. The DOE has provided comprehensive guidance on the applicability of FERPA in light of distance learning precipitated by COVID-19.
Platform Service Providers
Businesses operating as service providers who facilitate child engagement – whether it be in the form of video conferencing, messaging, or back-end infrastructure – are also subject to the COPPA requirements. Not only should platforms develop the requisite safeguards and privacy policies to address any personal information they collect, but they should also ensure comprehensive record-keeping and reporting practices with respect to any required third-party sharing of information. In litigation, however, platform providers may benefit from immunity for privacy-related claims based on third party content, under the CDA, 47 U.S.C. § 230.
What Are the Risks of Non-Compliance with COPPA?
Companies that collect and use children’s data in violation of COPPA may be subject to both enforcement actions by the FTC and state attorneys general and litigation, with penalties imposed up to $43,280 per violation. Regulators at the state and federal levels are increasingly focused on COPPA compliance, and this trend will likely only increase as more child-directed content is developed online. At the state level, for example, the New York Attorney General launched “Operation Child Tracker,” a targeted investigation into illegal online tracking of young children in violation of COPPA. Moreover, the California Attorney General has indicated that one of his initial California Consumer Privacy Act (CCPA) enforcement priorities will be data privacy violations affecting children.
While COPPA itself does not afford a private cause of action, children’s privacy increasingly has been addressed under other statutes and common law claims raised in litigation. Several putative class action suits have been brought on behalf of children under the Video Privacy Protection Act or as state unfair trade practices. A common challenge in litigation involving children is that minors in most states are either deemed incompetent to enter into contracts, or their contracts are voidable at the minor’s discretion. As a consequence, it may be difficult for companies to limit their liability or compel arbitration in cases involving children, making it potentially more difficult to mitigate risk. Absent contractual limitations, companies potentially may be vulnerable to suits brought on behalf of minors subject to COPPA – as well as teenagers under the age of majority – including putative class action suits.
Subscribe the Data Privacy Dish blog for additional updates about COPPA and other privacy and security matters relevant to your organization.