October 29, 2020

Volume X, Number 303


October 29, 2020

Subscribe to Latest Legal News and Analysis

October 28, 2020

Subscribe to Latest Legal News and Analysis

October 27, 2020

Subscribe to Latest Legal News and Analysis

Back to School Special: COPPA Consent in the COVID Era

In the current pandemic era, kids are spending more time online, be it for school or entertainment. Companies are therefore gearing up for increased interaction with children online or through connected devices. As children around the globe return to school, whatever  that return looks like, the FTC and the International Consumer Protection Enforcement Network (ICPEN) remind us that certain rules apply when dealing with kids online.

In the U.S., the Children’s Online Privacy Protection Act (COPPA) requires parental consent to collect personal information from kids under the age of 13. There are exceptions, like getting the parent’s information in order to seek consent, or responding one time to an inquiry from a child. There are also requirements under CCPA. Countries in the EU and countries with comprehensive privacy regimes also have laws that impact collecting information from children online. Most are not as specific as COPPA, which is where ICPEN’s guidelines can be of help. Of the myriad requirements (notice, choice, etc.), we focus our first article in this series on one that is often forgotten: the need to get parental consent.

To help companies in this virtual world, the FTC recently published a “decluttered” version of its COPPA FAQs. ICPEN similarly recently released a set of online marketing best practices. While the FTC FAQs remain the same in substance, they are now more user-friendly and streamlined. This is timely as companies gear up for increased interaction with children in an online environment. As noted, one thing that companies often forget is that if collecting information online from a child, COPPA requires prior parental consent. ICPEN similarly recommends obtaining parental consent. (Principle 3, no. 38). In this back to school series, we will look at situations where consent might not be required including potential exceptions of situations where the law does not apply.

But first, what does parental consent look like?  It will require specific disclosures (COPPA has several, including explaining how the child’s information will be used, and ICPEN mirrors this). Consent can take many forms, including:

  • Asking the parent to sign and return a consent form via mail, fax or electronic scan;

  • Requiring payment for services by credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder; and

  • Asking the parent to call a toll-free number or connect to trained personnel via video conference.

Putting it Into PracticeBusinesses that collect personal information from a child online are required to obtain verifiable parental consent, and the FTC has tried to give some flexibility so that they can do so in ways that works for their product. When designing the approach, a good rule of thumb is that the chosen method must be reasonably calculated to ensure that the person providing consent is the child’s parent.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume X, Number 238



About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

Snehal Desai, attorney, Sheppard Mullin

Snehal Desai is an associate in the Intellectual Property Practice Group in the firm's San Francisco office. She is a member of the Privacy and Cybersecurity Team, the Advertising Team and the Technology Transactions Team.

Areas of Practice

Advertising: Snehal advises clients in conducting advertising campaigns, contests and sweepstakes, and brand marketing campaigns. 

Technology and Commercial Transactions: Snehal drafts and negotiates...