Jump to Main Content
USA flagAn Official Website of the United States Government
Managing a Business

Blogs.Managing a Business

Register

Does Your Website or Online App Target Kids? Stricter COPPA Rules Go into Effect Soon

Comment Count:
5

Comments welcome on this page. See Rules of Conduct.

Does Your Website or Online App Target Kids? Stricter COPPA Rules Go into Effect Soon

By Caron_Beesley, Contributor
Published: May 1, 2013 Updated: May 1, 2013

Do you target children or a youth demographic online? Perhaps you’ve developed or are marketing a mobile app that appeals to a youth market? If so, you should be aware of the Children’s Online Privacy Protection Act (COPPA) – a federal ruling enforced by the Federal Trade Commission (FTC) that gives parents control over what personal information websites can collect from children under the age of 13.

The COPPA Rule recently underwent an important overhaul of which online marketers need to be aware. The revised rule (which goes into effect in July 2013) put additional protections in place and streamlines other procedures that companies covered by the rule must follow.

If you run a website or mobile app designed for children or collect any kind of information from someone you know is under 13, here’s what you need to know about the revisions to COPPA:

Key COPPA principles remain unchanged

Most of the key requirements of COPPA haven’t changed. You must still give notice to parents and get their verifiable consent before collecting, using or disclosing personal information from children under 13. You must keep collected data secure and you can’t request that a child disclose more information than is reasonably necessary in exchange for participation in an activity.

Expansion of who is covered by COPPA – Plug-Ins and advertising come under the spotlight

If you operate a child-directed website and you allow outside services—including plug-ins (like YouTube videos) or advertising networks—to collect personal information from visitors, you will be required to comply with COPPA. This means you will need to provide notice and get parental consent for any user that identifies themselves as under 13, before the third party can collect the child’s information. In effect, as the site owner or operator, the FTC will now hold you liable for any personal information requests made by these third parties.

According to the FTC, this “close(s) a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent.

In addition, plug-in or ad network operators who have actual knowledge that they are collecting personal information through a child-directed website or service must also comply with COPPA.

What constitutes personal information has changed

Under the new Rule, the types of personal information that cannot be collected from children under 13 (without parental consent) has expanded to include geolocation information, as well as photos, video and audio that contain a child’s image.

In addition, persistent identifiers (such as cookies, IP addresses and mobile IDs) that can be used to recognize a user over time and across different websites or online services are also now considered personal information and parental consent must be obtained before collecting this data. If, however, you use persistent identifiers solely to support the internal operations of your site or service, rather than for marketing purposes, parental consent is not required.

Certain information collection is now permitted in “support for internal operations”

COPPA now allows businesses to apply for formal approval to collect certain information if it is used in “support for internal operations.” Permitted activities include contextual advertising, frequency capping, site analysis and more. However, you can’t use the information collected to contact a specific person through behavioral advertising or to amass a profile on that person for any other purpose – without parental consent.

Changes to how businesses get parental consent

COPPA has always required that parental consent must be requested via email or postal mail. The new Rule requires that key information (such as how the information will be used) is displayed up front in that notice so that parents can get the details they need quickly.

The new Rule also offers more ways for businesses to get the “OK” from parents (for more details of what was previously acceptable read the Direct Notice to Parents section of the FTC’s How to Comply with COPPA). These include scans of parental consent forms, videoconferencing, use of a government-issued ID and more.

Stronger provisions to keep kids info secure and confidential

Before releasing information to service providers and third parties, site operators must take reasonable steps to make sure these companies are capable of maintaining the confidentiality, security and integrity of that information – with assurances that they’ll follow through. In addition, you are now only allowed to retain kids’ personal information for as long as is reasonably necessary, and must ensure that it is disposed of securely.

Safe harbor programs to get more oversight

COPPA previously allowed industry groups to create self-regulatory programs that governed member-compliance with COPPA. The new Rule strengthens the FTC’s oversight of these programs with new auditing capabilities.

More Information

For more information about all these changes, read the FTC’s December, 2012 press release and refer to the site’s Child Privacy Guide for more tips and insights.

It is highly recommended that you discuss any concerns you have about COPPA compliance with a lawyer. The new rules are complex and have consequences beyond the content that you create or originate on your business website of online service. In addition, you can also email your questions to CoppaHotLine@ftc.gov.

Check out these related articles too:

 

About the Author:

Caron Beesley

Contributor

Caron Beesley is a small business owner, a writer, and marketing communications consultant. Caron works with the SBA.gov team to promote essential government resources that help entrepreneurs and small business owners start-up, grow and succeed. Follow Caron on Twitter: @caronbeesley

Comments:

Can you tell me how COPPA works and what the benefits involved?
Under the new Rule, the types of personal information that cannot be collected from children under 13 (without parental consent) has expanded to include geolocation information, as well as photos, video and audio that contain a child’s image.
I can't seem to remember what kids under 13 did before all this technology! The laws and regulations are great, but how are they going to be enforced? What are the penalties? The penalties can't be slaps on the wrists because it would have all been a good waste of time.
Thanks for reaching out about your recently moved comment on the SBA.gov Community. You'll note in the Rules of Conduct that to maintain quality of discussions, contributions that do not provide a substantive purpose or relevance will be removed. If you have additional commentary related to the discussion topic or blog post, you're welcome to post that along with your original comment. Thank you for your understanding and for joining us on the SBA.gov Community.
Wow, my site This post was edited to remove a link. Please review our Community Best Practices for more information about how best to participate in our online discussions. Thank you. is about the things for kids, So I must take notice of this. Thanks the writer.

Leave a Comment

You must be logged in to leave comments. If you already have an SBA.gov account, Log In to leave your comment.

New users, Register for a new account and join the conversation today!