Recent COPPA Settlements Offer Compliance Reminders
The recently announced FTC settlement with YouTube and its parent company, as well as the 2018 settlement between the New York Office of the Attorney General and Oath, have set a new bar when it comes to COPPA compliance.
The settlements offer numerous takeaways, including reminders to those that use persistent identifiers to track children online and deliver them targeted ads. These takeaways include, but are not limited to the following.
FTC CID attorney Joseph Simons stated that “YouTube touted its popularity with children to prospective corporate clients … yet when it came to complying with COPPA, the company refused to acknowledge that portions of its platform were clearly directed to kids.”
First, under COPPA, a child-directed website or online service – or a site that has actual knowledge it’s collecting or maintaining personal information from a child – must give clear notice on its site of “what information it collects from children, how it uses such information and its disclosure practices for such information.”
Second, the website or service must give direct notice to parents of their practices “with regard to the collection, use, or disclosure of personal information from children.”
Third, prior to collecting personal information from children under 13, COPPA-covered companies must get verifiable parental consent.
COPPA’s definition of “personal information” specifically includes persistent identifiers used for behavioral advertising. It is critical to note that third-party platforms are subject to COPPA when they have actual knowledge they are collecting personal information from users of a child-directed website.
In March 2019, the FTC handed down what, then, was the largest civil penalty ever for violations of COPPA following allegations that Musical.ly knew many of its users were children and still failed to seek parental consent. There, the FTC charged that Musical.ly failed to provide notice on their website of the information they collect online from children, how they use it and their disclosure practices; failed to provide direct notice to parents; failed to obtain consent from parents before collecting personal information from children; failed to honor parents’ requests to delete personal information collected from children; and retained personal information for longer than reasonably necessary.
Content creators must know COPPA’s requirements.
If a platform hosting third-party content knows that content is directed to children, it is unlawful to collect personal information from viewers without getting verifiable parental consent.
While it may be fine for most commercial websites geared to a general audience to include a corner for children, it that portion of the website collects information from users, COPPA obligations are triggered.
Comprehensive COPPA policies and procedures to protect children’s privacy are a good idea. As are competent oversight, COPPA training for relevant personnel, the identification of risks that could result in violations of COPPA, the design and implementation of reasonable controls to address the identified risks, the regular monitoring of the effectiveness of those controls, and the development and use of reasonable steps to select and retain service providers that can comply with COPPA.
The FTC and the New York Attorney General are serious about COPPA enforcement. Companies should exercise caution with respect to such data collection practices.