How to Ensure Your Data Collection Complies With COPPA

Six tips for avoiding the legal risks of collecting data from minors.
Deborah Bone
Expert Columnist
October 27, 2020
Updated: October 28, 2020

While TikTok’s battle with the White House has taken center stage, its ongoing saga with the Federal Trade Commission over children’s privacy laws continues to provide both guidance and forewarnings to platforms that collect the data of children under 13.

Consider this: A 10-year-old registers for an online gaming account but misrepresents their age as 16 to skirt the site’s age filter. The online platform proceeds to collect personal data from the minor user. Could the collection run afoul of children’s privacy laws? The answer may depend on a number of factors.

The Children’s Online Privacy Protection Act requires covered online platforms to obtain parental permission prior to collecting the personal information, such as email or IP addresses, geolocation information or other identifiers, of children under 13. COPPA applies to online platforms that collect personal information from children under 13 if the platform is:

  • directed to children under 13 and collects (or allows others to collect) personal information from them; or
     
  • directed to a general audience but has actual knowledge that it collects personal information from children under 13.

If an online platform is covered, it must provide COPPA-specific language in its privacy policy, obtain verifiable parental consent prior to collecting personal information from children under 13, reasonably secure any such data, and delete data pursuant to parental request. Verifiable consent requires the use of a method reasonably designed in light of available technology to ensure that the person giving the consent is the child’s parent, such as providing a government ID, use of an online payment system that provides notification of each transaction to the account holder, or other accepted methods.

Many platforms, including TikTok, largely rely on user input to confirm the age of a user. But that may not always be enough to disclaim knowledge of a user’s age. In 2019, the FTC claimed that TikTok had actual knowledge of the true age of its young users because many users listed their ages or grades on the site. Notably, the FTC also claimed that the app met COPPA’s definition of “directed to children” based on a variety of factors, including the use of music folders with Disney and school themes.

TikTok settled with the FTC for $5.7 million earlier this year, but recent reports indicating that TikTok now classifies more than a third of its U.S. users as “14 and under” are bringing further scrutiny to the question of its knowledge regarding the age of its users. According to the New York Times, TikTok assigns an age range to each user utilizing a variety of methods, including facial recognition algorithms and the way they interact with the app. While the FTC has not yet weighed in, internal analyses like these could lead it to find “actual knowledge” of a user’s age despite that user’s provided date of birth.

The FTC may soon update COPPA. Last year, it concluded a voluminous public comment period seeking input on changes to address the current technological landscape. In the meantime, several best practices can help ensure compliance:

  • Ensure age filters are adequately tested and working on all platforms. Yelp found itself on the wrong side of COPPA when it failed to ensure its age filter was activated on its mobile app.
     
  • Consider both the intended and actual audience in any evaluation of whether the website is “directed” toward children.
     
  • While user-provided age information may offer some protection, it may not be a failsafe and companies should be cautious when other data suggests the reported information is inaccurate.
     
  • Take care to ensure the parental notification requirements are followed and ensure that parents receive direct notice of the collection, use, or disclosure practices, including notice of any material changes to those practices. The rule provides a very detailed roadmap of what information must be included in a direct notice.
     
  • Be sure to obtain parental consent before collection. COPPA is structured to ensure parents are in control. The parental notification requirements are intended to notify parents prior to collection, not after.
     
  • Consider joining a Safe Harbor program.
