If you run a mobile app or website that targets and/or collects information from children under 13, you may need to take another look at your Privacy Policies and guidelines.
A recent case between the Federal Trade Commission (FTC) and a Chinese-owned mobile app, TikTok, reinforced why it is important for any internet company collecting information from minors to have a clear Privacy Policy and guidelines to comply with COPPA (the Children's Online Privacy Protection Act).
With the continued growth and accessibility of technology, online operators will be interacting with children at an increased frequency. This makes it more important than ever that you learn from the TikTok case and make sure you comply with COPPA's guidelines.
- 1. Summary of the TikTok COPPA Case
- 2. What is COPPA?
- 2.1. What Counts as Personal Information Under COPPA
- 2.2. What Counts as Collecting Information Under COPPA
- 3. When Does COPPA Apply
- 4. How to Comply With COPPA
- 4.1. Getting Parental Consent
- 4.2. Securing Data
- 4.3. Deleting Data When Requested or Informed
- 4.4. Have a Privacy Policy
- 5. Summary
Summary of the TikTok COPPA Case
It is important to understand why the FTC will be looking more closely at mobile apps and websites that collect data from children under 13. Recently, the New York Times reported that the FTC agreed to a $5.7 million settlement with Musical.ly over violating COPPA.
Musical.ly (now merged with TikTok) is a social network mobile app that allows users to create videos and share them with other members of the app. The app has millions of users in the U.S., even after the merger with the Chinese company ByteDance.
TikTok was accused of illegally withholding information of children under 13. Additionally, the FTC concluded TikTok was retaining this personal information without the previous consent of the children's parents, thus violating COPPA. The data the app was withholding included the child's "email addresses, names and schools."
At its core, COPPA is meant to protect the privacy of minors under 13, who make up many of TikTok's users. COPPA's jurisdiction extends to all internet operators, including websites and mobile apps, that are directed at children and collect data from those minors.
The FTC claimed TikTok violated COPPA on four counts:
- First, TikTok did not seek the parents' prior permission to retain the data.
- Second, TikTok did not properly secure the minors' data from third parties or other users of the app.
- Third, when parents were informed their child's information was being collected and they requested TikTok to remove the data, TikTok did not delete the information from the app.
- Finally, since the children's information was still public on the app, adults using TikTok were able to contact the minors.
To better understand how TikTok violated COPPA, let's take a look at what COPPA is and its requirements.
What is COPPA?
COPPA is the governing code that protects against the exploitation or illegal collection of children's data on any online resource. Its main goal is to protect the privacy and information of minors under the age of 13 from internet companies illegally collecting, soliciting, or retaining private data.
Additionally, COPPA requires all internet sites or apps directed at children to request and receive permission from the child's guardian or parents to collect the data.
COPPA is applicable to not only websites, but also mobile apps, internet gaming, location services, and any online business that collects any form of information from a child or is targeted towards children.
Its jurisdiction extends to companies that operate in the U.S., are headquartered in the U.S., or route their data through servers based in the U.S. However, this does not mean foreign companies are exempt.
If you are a foreign company operating a website or mobile app, like TikTok, you may still be under COPPA's jurisdiction. A foreign company whose app or website meets any of the above conditions, or that collects information from U.S. residents, is deemed to fall under COPPA's authority.
What Counts as Personal Information Under COPPA
Under Sec. 312.2 of COPPA, personal information is defined as:
- First and last names
- Home or other physical address that includes a street name and city or town
- Online contact information
- Screen names or user names
- Telephone numbers
- Social Security numbers
- Persistent identifiers such as cookies, IP addresses, device serial numbers, etc.
- Photos, videos and audio files that contain the child's image or voice
- Geolocation information
- Other information about a child or the parents that can be combined with any of the above to identify a child
COPPA's definition is expansive in an attempt to include any type of information that would be deemed as private or could be collected or requested by an online website.
Note that the definition includes the child's geolocation information. Even if your app does not explicitly request this information but includes it as a feature, it still falls under COPPA's definition of personal information. Examples of mobile apps that use geolocation to connect users are Facebook and Snapchat.
What Counts as Collecting Information Under COPPA
You can see that COPPA casts a wide net to protect a child's privacy and to make sure that companies are aware of what information is collected and how that information is obtained. It is a law created solely to protect minors' private information and prevent their exploitation, placing the duty of care on the companies to comply with the law.
Section 312.2(1) defines the collection of information as "requesting, prompting, or encouraging a child to submit personal information online."
The definition goes on to include "enabling a child to make personal information publicly available in identifiable form." In other words, if you provide a fillable form for a minor that includes requesting "personal information," that is also considered collection.
You should also be aware that COPPA doesn't only apply to the active collection of information, but also the passive collection. Section 312.2(c) of COPPA's definitions explicitly states "the passive tracking of a child online," is still a collection of a child's information. An example of passive tracking would be geolocation or GPS tracking.
When Does COPPA Apply
In addition to sites or apps directly targeting minors and collecting information, COPPA also applies to internet companies that indirectly or passively collect and release the information.
If a company collects information from a child and shares it with a third party, COPPA will also apply to the third party. A third party under COPPA can be either an "operator" who is involved in the "collection or maintenance" of any information gathered, like the email collection service Mailchimp, or an individual who offers tech support.
An important note for all websites and mobile apps: even if minors are not your target audience, you can still violate COPPA.
General audience, teenager, or adult apps can violate COPPA if:
- You collect information and later learn it is a minor's
- One of your directed audiences is children under 13
- You do not directly delete the minor's information from your system
How to Comply With COPPA
COPPA's primary goal is to protect the private information of minors. COPPA does not place the blame for leaked information on the children, but on the sites that collect the information. This means it is the company's responsibility to use reasonable care in the collection, storage, and release of the child's information.
While complying with COPPA may seem initially daunting, there are some key things you must do to stay in COPPA's good graces:
- Get parental consent
- Properly secure data
- Delete data when requested, or when informed that it's from a minor, and
- Provide a clear and encompassing Privacy Policy
Getting Parental Consent
One of the FTC's main goals in creating COPPA in 1998 was to "place parents in control over what information is collected from their young children online."
Section 312.4 of COPPA requires that you not only have a Privacy Policy, but also give "direct notice" to the parent of the "operator's practices" for collecting and storing the child's information.
Sec. 312.4 notes what's required to be included in a direct notice:
- That the operator has obtained the parent's contact information from the child
- That the "parent's consent is required" and the company will not collect, use or disclose the information without their consent
- Any additional information the operator plans to collect from the child or disclose
- A hyperlink to the Privacy Policy and an explanation of why the information is being used
- How a parent can provide verifiable consent
- A note that if a parent doesn't provide verifiable consent in a reasonable timeframe, the parent's contact information will be deleted
Note that the child's information should not be collected until the parents have been given notice and have given permission.
Bloxels Builder - a website directed towards children - sends parents an email to get permission (consent) before a child can create an account. This email lets parents know that they need to give permission for their children to create an account, and that they can do so either by clicking a link or entering a code directly within the app.
Parents are informed that the only personally identifiable information stored will be the children's email addresses, and they will only be used for password retrieval purposes.
Links to the company's Help Desk and main website, where the Privacy Policy and other important agreements can be found, are included in the email.
Microsoft obtains parental consent by giving a notice that it will charge a one-time fee of 50 cents to a parent's credit card. Parents are informed that they're consenting to their child's disclosure of information through Microsoft online services, products, apps and stores.
In order to get parental consent for third-party apps, Microsoft requires the parent to check a box next to a statement that shows the parent will allow the child to use the apps. Parents are informed that these third-party apps may collect information from the child or allow them to communicate with others.
A link to the Microsoft Services Agreement is included in the notice, and this agreement includes a link to the Microsoft Privacy Statement in its very first section.
These are both effective ways of giving parents direct notice of what's going on with their children's personal information and getting parental consent.
Securing Data
Under Sec. 312.8, the company "must establish and maintain reasonable procedures" to make sure all of the information collected is safe. Additionally, it is important that operators only release the collected information to "third parties" who are able to maintain the privacy and security of the child's data.
Many companies, like Pokemon, include a section on the security of data, but also a clause stating that not every transfer of information is 100% secure. The clause indicates the company will follow "reasonable procedures," but, as with any online operator, breaches remain possible.
Deleting Data When Requested or Informed
Section 312.10 sets out that online companies "shall retain personal information collected...only as long as reasonably necessary." The rule limits the amount of time a company may retain information to protect the child's privacy.
The rule also states that "the operator must delete such information using reasonable measures" when requested by the parent (Section 312.6). If the operator does not delete the information in a timely manner after being informed by the parent, it is in violation of COPPA, as TikTok was when it failed to do so.
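The direct-notice and consent steps listed under "Getting Parental Consent" and the deletion and retention rules in this section amount to a small state machine: hold only the parent's contact details until consent arrives, collect nothing else before then, drop the contact details if no consent comes back in a reasonable time, and remove everything when a parent asks. The following is an added illustration of that workflow in Python; it is not code from the page or from any company named on it. The class and function names, the in-memory store, the 14-day timeout (the rule names no number) and the sample account ids are all assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Assumed "reasonable timeframe" for a parent to respond; the rule states no figure.
CONSENT_TIMEOUT = timedelta(days=14)


class ConsentRequired(Exception):
    """Raised when personal information is offered for a child without verified consent."""


class ManualClock:
    """Deterministic clock so the expiry path can be exercised without waiting."""
    def __init__(self, start: datetime = datetime(2024, 1, 1, tzinfo=timezone.utc)):
        self.now = start
    def __call__(self) -> datetime:
        return self.now
    def advance(self, **kwargs) -> None:
        self.now += timedelta(**kwargs)


@dataclass
class ChildAccount:
    child_id: str
    parent_email: str                 # the only item held before consent: needed to deliver the notice
    notice_sent_at: datetime
    consent_token: str                # unguessable token carried by the direct notice
    consented_at: Optional[datetime] = None
    personal_info: dict = field(default_factory=dict)  # populated only after consent


class ConsentGate:
    """Hypothetical gate enforcing notice -> consent -> collection -> deletion."""
    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._now = now
        self._accounts: dict[str, ChildAccount] = {}

    def send_direct_notice(self, child_id: str, parent_email: str) -> str:
        """Step 1: record the parent's contact and return the token the notice carries."""
        token = secrets.token_urlsafe(16)
        self._accounts[child_id] = ChildAccount(child_id, parent_email, self._now(), token)
        # The notice itself (not modelled here) would state that the contact came from the
        # child, that consent is required, link the Privacy Policy, explain how to consent,
        # and warn that the contact is deleted if no consent arrives within CONSENT_TIMEOUT.
        return token

    def record_consent(self, child_id: str, token: str) -> bool:
        """Step 2: the parent clicks the link or enters the code; constant-time token compare."""
        acct = self._accounts.get(child_id)
        if acct is None or not secrets.compare_digest(acct.consent_token, token):
            return False
        acct.consented_at = self._now()
        return True

    def collect(self, child_id: str, field_name: str, value: str) -> None:
        """Step 3: accept personal information only once consent is on record."""
        acct = self._accounts.get(child_id)
        if acct is None or acct.consented_at is None:
            raise ConsentRequired(f"no verified parental consent for {child_id}")
        acct.personal_info[field_name] = value

    def export_for_parent(self, child_id: str) -> Optional[dict]:
        """Let a parent review what has been collected (a copy, or None if unknown)."""
        acct = self._accounts.get(child_id)
        return dict(acct.personal_info) if acct else None

    def expire_unconsented(self) -> list:
        """Housekeeping: drop the parent's contact info when no consent arrived in time."""
        now = self._now()
        expired = [cid for cid, a in self._accounts.items()
                   if a.consented_at is None and now - a.notice_sent_at > CONSENT_TIMEOUT]
        for cid in expired:
            del self._accounts[cid]
        return expired

    def delete_on_parent_request(self, child_id: str) -> bool:
        """A parent asks for deletion (or the operator learns the user is under 13): remove everything."""
        return self._accounts.pop(child_id, None) is not None

    def has_account(self, child_id: str) -> bool:
        return child_id in self._accounts


if __name__ == "__main__":
    clock = ManualClock()
    gate = ConsentGate(now=clock)
    token = gate.send_direct_notice("child-1", "parent@example.com")  # constructed sample ids
    print("consent recorded:", gate.record_consent("child-1", token))
    gate.collect("child-1", "screen_name", "kid123")
    print("parent view:", gate.export_for_parent("child-1"))
    print("deleted on request:", gate.delete_on_parent_request("child-1"))
```

The point of routing every write through `collect()` is that the consent check cannot be skipped by a new feature that forgets it, and `expire_unconsented()` gives the scheduled job that enforces the "delete the parent's contact information" promise made in the notice a single place to live.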
Have a Privacy Policy
The most important thing for an internet company to do when it comes to privacy laws is to post a Privacy Policy. The Privacy Policy not only lays out what information will be collected, but also how you secure the data, and if requested, how the data can be deleted.
A link to your Privacy Policy must be included "clearly and prominently" on the "home or landing page" of the website.
Here's how Funbrain links its Privacy Policy on its homepage. Note how it uses bolder font and spacing to make the link stand out on the page:
Section 312.4(d) explicitly lays out what must be included in a Privacy Policy. The section states that "an operator must post a prominent and clearly labeled link to an online notice of its information practices" to comply with COPPA.
To aid companies in complying with COPPA, the FTC has published answers to common COPPA questions. In the answers, they specifically state three clauses that must be included in your Privacy Policy:
1. Disclosing You Collect Data from Minors and Operators
The Privacy Policy must clearly state that you collect data from minors, either directly or indirectly. Additionally, every operator who will have any hand in "collecting or maintaining" the information must be listed, and one operator must be designated to "handle all inquiries from parents."
Some companies include all devices or cookies that also collect the information through their own website or third-parties, such as Google.
Cartoon Network, for example, has a Privacy Policy section dedicated to operators and how they collect data.
2. What Information is Collected, How it is Collected, and Disclosure Methods
Companies must include clauses that not only clearly state what type of information is collected, but also the how. Additionally, a company's Privacy Policy statement must also state "the operator's disclosure practices for such information." All three must be included in the Privacy Policy to comply with COPPA.
Mattel, which owns brands such as Barbie and TurnSpell, includes each of these clauses in its Online Privacy Statement.
The clause above lets parents know that information such as first names, email addresses and usernames are sometimes collected, and that cookies are used to recognize website visitors.
The clause below discloses more information that may be collected for things like getting a subscription or registering for an account. The use of third-party technology partners is disclosed and that certain information is automatically collected by these parties.
3. How Users Can View and Request Deletion of Data
Another important requirement of COPPA is that parents or children may request to see their information or delete the data.
Companies must "state the procedures" parents must follow to request information to be destroyed or request no further information to be collected.
Here is how Nickelodeon complied by including a parental control clause and information about how personal information can be deleted. The first clause is part of the Summary section of the Privacy Policy, and links are provided to the more detailed, full clauses related to the topic:
Parents are given clear instructions on how to see what information has been collected about their children, as well as how to take other actions:
Summary
If the FTC's recent decision is any indication of how the Commission will crack down on websites and mobile apps violating COPPA, explicitly following the law and including a Privacy Policy is now even more important.
Make sure you:
- Receive parents' permission before collecting personal information from children
  - You must provide a direct notice to the parents
  - You cannot collect information until the parent's permission is received
- Reasonably and properly secure the child's data
  - This includes third-party operators you disclose information to
- Immediately delete information when requested or informed by a parent
- Provide and include a link to your Privacy Policy that includes:
  - What information you collected and how it is collected
  - How users can view and request deletion of data
Comprehensive compliance starts with a Privacy Policy.