Got content for kids?

If you say “COPPA” to somebody who works in the business of providing online content to kids, they will instantly know exactly what you are talking about, and it might cause them to have a panic attack. Due to regulations promulgated by the FTC this past December, many more business owners will need to become familiar with the law, the associated regulations and their requirements.

The Child Online Privacy Protection Act (“COPPA”) was passed in 1998. The purpose of the bill was to regulate how online businesses collected and used personal information of children under age 13. The act sets forth requirements for what must be disclosed in privacy policies and mandates that covered businesses seek verified consent from parents prior to obtaining any information from children under 13 years of age. 

Originally, the act applied to commercial content providers that focused primarily on delivering  content to children. Therefore, the “Dora The Explorer” website would have to adhere to COPPA, but Facebook, which requires its members to be at least 18, does not. This distinction made determining whether a company was subject to the COPPA regulations relatively easy. Additionally, to add a bit of extra clarity, many companies include a statement in their Terms of Service or Privacy policy that their website is not intended to be used by those under 13. By and large, that would make sure that a company was not subject to COPPA.

In December the FTC announced final regulations that will go into effect on July 1, 2013 that will exponentially expand the reach of COPPA in terms of who and what technologies will be subject to the regulations. The regulations no longer apply just to content providers that derive significant portions of their revenue from providing content to children, but apply if the content is directed at children under 13, regardless if it is 100 percent of the content or just a portion of the content made available by the provider.

In determining whether the content is directed at children, the FTC will look to the subject matter, visual content, use of animated characters, child oriented activities or incentives, the nature of any audio content and other “kid-centered” characteristics.  Furthermore, the FTC will also look at empirical evidence regarding the composition of the actual audience for the material (thereby creating the possibility that a content provider may be inadvertently subject to COPPA just because many under 13-year-olds visit the site, even though the site provider never intended the content to be “directed” to children). Companies can be subject to COPPA even if a small fraction of their overall content is directed at children. 

The FTC also broadened the scope of technology that falls under COPPA. Under the new regulations websites, parts of websites and even cell phone and tablet apps are covered under COPPA. The FTC also greatly broadened the definition of what constitutes “personal information,” which triggers an operator’s obligation to first obtain verified parental consent.

Back in the good old days, personal information was pretty much confined to the basics: name, date of birth, social security number, address, etc. Now any data that could be reasonably used to reveal the identity of the child is covered by COPPA, as long as it is not collected and maintained purely for the operation and maintenance of the website.  Basically this covers widely used tracking tools such as cookies, javascript tags, flash cookies and beacons. Additionally, in the cell phone app world, this would mean device IDs and other persistent identifiers. This can have major implications for ad-brokers, ad-networks, social networks and any other company that shares data with third party services.

If a content provider is subject to COPPA, the provider must obtain verified parental consent prior to collecting personal information from anyone under the age of 13. The new regulations include many new technological options, such as scanned signed consent forms, video-conferencing, or sending an email requesting consent with a delayed confirmation of the consent sent to the parent. As one can see, none of these methods are particularly painless, and they require substantial investment and forethought by the content provider.

In the next six months, it will be important for business owners to take stock of the electronic content they are producing and whether that content may subject them to the new COPPA laws. The federal government has been ramping up COPPA law enforcement in recent years. Companies such as Ms. Fields Cookies, Hershey, and Girls Life, Inc. have been slapped with COPPA enforcement actions. UMC Recordings, Inc. was fined $400,000 for COPPA violations in connection with a website that promoted then 13-year-old music star Lil’ Romeo.  As silly as it sounds, under the law Lil’ Romeo had to get his parents’ permission before signing up for his own website. 

With the broadening of the regulations, expect enforcement actions to continue and most likely exponentially increase in the years to come. Make sure your company isn’t added to the ever growing list of companies that were bitten by that little known law called COPPA.