The internet has brought unprecedented opportunities to connect, share, learn and express opinions on matters that affect peoples’ lives. While the opportunities for children are not any different, the levels of safety and privacy for this age group need to be much tighter.
The Children’s Online Privacy Protection Act 1998 (COPPA) was passed by the US Federal Trade Commission (FTC) to help protect children’s privacy online. Under it, websites are required to use an approved service to verify parental consent if they engage with, or market to children under the age of 13. The law also applies to websites or online services directed to a general audience that have knowledge they are collecting data from children and those running third-party services like an ad network or plug-in.
So how effective is the law and how does it impact business?
The FTC has handed out millions of dollars in COPPA fines to companies such as Yelpand Path for collecting personal information without parent’s consent, but according to internet lawyer Richard Chapo, there is more it could do.
“The FTC averages at about two cases a year where it enforces the law, which is a mockery compared to the hundreds and thousands of websites and apps that have no COPPA compliance.”
FTC expands data protection
However, the FTC recently ruffled some industry feathers by targeting mobile app developers LAI Systems LLC and Retro Dreamer for allegedly collecting unique data linked to children for the purpose of advertising. The allegations, which the app developers agreed to pay a combined $360,000 (£252,000) to resolve, mark the first time that the commission has based an enforcement action solely on a company’s collection and use of “persistent identifiers”, a category of data that was added to the COPPA rule’s definition of personal information in 2013. Persistent identifiers are bits of code such as cookies that can be used to identify a person over time across different websites and apps.
Overall, the prosecutions that have occurred mostly focus on domestic companies but because COPPA extends to foreign websites and online services that collect information from children in the US, it has also sent warnings overseas.
In 2014 the FTC issued a public warning letter to Chinese app developer BabyBus regarding potential violations of COPPA. It made a clear case that BabyBus needed to comply with COPPA because it sells apps through the iTunes and Android app stores which target US consumers. Subsequently all BabyBus apps were pulled by Google from the Android store. The company responded to the FTC’s letter with a statement on its website saying it intended to bring its apps into compliance with US law.
“In these cases the FTC will seek judicial injunctions barring foreign offending companies from accessing consumer markets in the US. It will also likely seek a “till tap” order requiring all companies based in the US that are handling any part of the monetary transaction to transfer the revenues to the FTC instead of the international entity in question. Both are devastating results for the corporate entity,” said Chapo.
Traditionally, most companies focus on COPPA compliance over any laws in the EU member states because enforcement actions in the EU have been considered a remote risk. However, this may soon change. Article 8 of the new General Data Protection Regulation, drafted in January, describes a COPPA-like compliance process but the triggering age for compliance will be “under 16” instead of 13. This higher age limit could radically alter the children’s privacy landscape online as there are millions of teens between the ages of 13 and 16 on social networking sites.