COPPA and Children's Privacy: What Parents Should Know and Do

Aug 20, 2020 by BBB National Programs

As a parent, it can be difficult to keep up with all the ways your child uses technology. From board books to iPads, weekend cartoons to YouTube, even traditional schooling has had to adapt to online classes. Trying to stay on top of what your child is watching, what ads they are seeing, and what is happening with their data can be overwhelming, but understanding COPPA, the Children’s Online Privacy Protection Act, can help.  

COPPA was passed in 1998 with the goal of putting control over the online collection of children’s personal information into the hands of parents. This legislation regulates how online services like websites and mobile apps collect, use, and share personal information from children under 13. COPPA also gives the Federal Trade Commission (FTC) the power to enforce the law, usually by issuing fines to online services that are not compliant. 

 

What is personal information? 

 

COPPA helps protect a child’s personal information, which is the information that identifies that you are you.  

 

Some personal information is obvious. Other information is collected without you seeing it happen. 
  • First and last name 

  • Home or other physical address (street name and name of a city or town) 

  • Online contact information (such as an email address; anything that permits a child to be contacted online) 

  • Screen or username (when it functions as online contact information) 

  • Telephone number 

  • Social Security number 

 

  • Persistent identifier that can be used to recognize a user over time and across different websites or online services. Persistent identifiers include, but are not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier 

  • A photograph, video, or audio file containing a child's image or voice 

  • Geolocation information sufficient to identify street name and name of a city or town; (or precise location) 

  • Any information about the child or the parents of that child that the operator collects online from the child and combines with any other personal information as outlined above 

 

Child-Directed, Notice, and Verifiable Parental Consent 

 

COPPA protects a child’s personal information for “child-directed” content. “Child-directed” is a term that means an online service is targeted exclusively or in part to children. For example, a gaming website that only provides games made for young children could be child-directed, but so could a gaming website that provides games made for both young children and teens.  

On these websites, platforms, and in these child-directed apps, COPPA applies.  

By contrast, general audience online services are not targeted to children at all, even though some children may still visit the site. If a website or app seems to be general audience rather than child-directed, the service may not have COPPA protections in place for children’s personal information.  

For example, most social media services like Instagram, SnapChat, and Twitter don’t allow children under 13 to be on their service and state that in their Terms of Service. As a result of requiring that all users be over the age of 13, there are no extra privacy protections for children that these social media services are obligated to provide.  

So as a parent, if you want to assess the online service or app that your child is using, step one is to check out the Terms of Service to see whether children should be using the service at all.  

When the FTC reviews an app, website, or other online service to determine if it should be considered child-directed content or not, here are some of the factors that are being taken into consideration: 

  • Subject matter that is likely intended for children, such as youth arts and crafts or toys and games. 

  • Visual content, for example bright colors or cartoons. 

  • Use of animated characters or child-oriented activities/incentives, like coloring. 

  • Music or other audio content that appeals to children, like the ABC song. 

  • Age of models on the service or platform. If a website depicts only children using their product or playing their games, that may be a good indicator the website is targeted to children. 

  • Presence of child celebrities/celebrities that appeal to children, such as a character from a popular children’s TV show, like Elmo. 

  • Language and other characteristics of the online service, such as using simple words, shorter sentences, and large text to make it easily accessible to children. 

  • Advertising placement promoting the service. For example, if a gaming app places an ad during children’s daytime programming on TV, that app is targeting children.  

 

Content creators across platforms, whether creating content for an advertisement or a video for YouTube, should be taking the above criteria into consideration when creating their content and determining where it will be placed online.   

Once a platform, website, or other online service is identified as “child-directed,” COPPA requires that that service or platform take three steps: 

  1. Include a notice that describes how they collect, use, and disclose children’s personal information that they have collected through use of the service. This notice can typically be found in the online service’s privacy policy; some services even have a separate privacy policy that is dedicated to explaining how they handle children’s information.

  2. Online services also must provide a direct notice to the parent or guardian that explains the same information, which is usually sent via email when a child signs up for the service. The direct notice should be sent to you even if the service does not collect or use the child’s personal information.

  3. In addition to providing notice, an online service must get your consent via a verifiable method before they can collect, use, or share any of your child’s personal information. This is called verifiable parental consent, or VPC.  


How will online services ask for this? Some services directed to children only collect persistent identifiers (such as cookies) to use in their internal operations, such as serving contextual ads on their site or performing site analytics and maintenance. In that case, if they are not collecting other types of personal information or sharing it with third parties for external uses, the service may ask your child for your email address. Then, they send you an email with a confirmation link or similar way to “activate” your child’s account. The FTC refers to this as the “email plus” method of consent.  

Sometimes online services directed to children collect other personal information or share it with third parties for behavioral advertising and other uses. In those circumstances, they can obtain VPC by asking the parent to call a toll-free number, videoconference with staff, sign and return a consent form, or by entering a credit or debit card to confirm you really are the child’s parent/guardian. 

The purpose of VPC is so that parents can be informed of the privacy and data practices of the online services their child is using, as well as how you can contact the site to review their children’s data or have the data deleted. 

 

If You See Something, Say Something  

 

Now that you know more about COPPA, what can you do if you notice something fishy about a service your child is using? If there is anything about the advertising or privacy practices on a child-directed site that you think doesn’t follow COPPA, you can file a complaint with us at CARU here, or by emailing us at infocaru@bbbnp.org. The complaint goes directly to CARU staff who will investigate the complaint and take necessary steps to make sure the issue is rectified.  

Suggested Articles

Blog

CFBAI and CCAI Publish the 2023 Annual Report on Participant Compliance and Program Progress

BBB National Programs has released the Children’s Food and Beverage Advertising Initiative (CFBAI) and Children’s Confection Advertising Initiative (CCAI) 2023 Annual Report. The report notes excellent compliance by the 22 CFBAI participants and the six CCAI participants in 2023.
Read more
Blog

The Case for Teaching Industry Self-Regulation in Law, Business, and Public Policy Schools

Law schools, business schools, and public policy programs have a unique opportunity to shape the future of corporate behavior by teaching students the importance of soft law and independent industry self-regulation.
Read more
Blog

5 Missteps to Avoid When Applying or Recertifying to the DPF Program

Each year, participants in the DPF Program need to recertify with the Department of Commerce. To help companies navigate it, our Global Privacy Division has outlined five key recommendations to keep in mind to avoid common missteps with the process.
Read more
Blog

Sharing Holiday Cheer (but Not a Child’s Personal Information)

Not surprisingly, cell phones, connected toys, and toys advertised on social media top wish lists of kids everywhere. To help ensure your holiday shopping experiences are as safe as possible, the team at CARU put together some holiday tips.
Read more