VOL. 133 | NO. 59 | Thursday, March 22, 2018

The Children’s Online Privacy Protection Act (COPPA) requires a company to safeguard information collected online from children under 13. That includes clearly disclosing to parents what information it collects and how it will be used, and seeking verifiable parental consent. The company must take reasonable measures to protect the confidentiality and security of the information.

The rule applies to operators of commercial websites and online services specifically directed to children under 13, as well as sites and services geared toward general audiences that have “actual knowledge” they’re collecting information from children under 13. Having actual knowledge would include asking for information that allows the company to determine a user’s age and getting responses from children under 13.

Third-party companies that connect with websites that collect information on children under 13 must also comply with COPPA. That includes ad networks or plug-in services.

The Federal Trade Commission found in several studies that many apps and websites weren’t complying with COPPA. It recently landed on two companies that were violating various provisions of the law.

An online talent agency doing business as Explore Talent collected the personal information of more than 100,000 children. In its privacy policy, the company said it didn’t knowingly collect information from children under 13 and that accounts had to be created by a legal guardian. But the site imposed no restrictions on who could establish an account, including children, and did not attempt to verify whether a profile was created by a legal guardian.

In its first COPPA case dealing with internet-connected toys, the FTC settled violations by VTech that only came to light after a hacker stole personal information on kids and parents who used the company’s electronic learning products. One alleged violation involved failing to encrypt information despite its privacy policy saying that was done.

Businesses that collect information online about children under 13 should thoroughly familiarize themselves with all of the guidance, including definitions, provided in the FTC’s six-step plan for complying with COPPA. The steps are:

• Determine if your company is a website or online service that collects personal information from kids under 13.

• Post a privacy policy that complies with COPPA.

• Notify parents directly about your information practices before collecting personal information from their kids.

• Get parents’ verifiable consent before collecting personal information from their kids.

• Honor parents’ ongoing rights with respect to personal information collected from their kids.

• Implement reasonable procedures to protect the security of kids’ personal information.

Violating COPPA can be expensive. Explore Talent and VTech were assessed civil penalties of $500,000 and $650,000, respectively. VTech also agreed to audits of its data security program every other year for the next 20 years.

Randy Hutchinson is president and CEO of the Better Business Bureau of the Mid-South and can be reached at rhutchinson@bbbmidsouth.org