If you operate a website, game or app, you should consider whether the U.S. Children’s Online Privacy Protection Act (COPPA) applies to your data collection practices. Even if you complied with COPPA in the past, it is surprisingly easy to violate it in the future when the development team adds new features without running them by legal counsel.
1. if directed to children under 13 and you collect personal information from them;
2. if directed to children under 13 and you let others collect personal information from them;
3. if you have a general audience, but actually know that you collect personal information from children under 13; or
4. if you operate a plug-in or other third-party service, and have actual knowledge that you collect personal information from websites, games or apps directed to children under 13.
What is personal information? Personal information is information that can identify a user, such as their full name, email address (or other persistent online identifier), image, voice or geolocation data.
How do you know if your website, game or app is directed at children under 13? A number of factors are considered, such as subject matter, content, whether animated characters are used, child-oriented activities or incentives, ads directed at children or any other evidence regarding the age of the actual or intended user base.
Can I use an age screen? Maybe (my apologies for the typical lawyer answer). Age screens are permitted if the service does not target children as its primary audience. The determination of primary audience is (once again) a factor-oriented analysis.
Penalty? Penalties depend on a number of factors, but each violation can cost up to $16,000.
COPPA will not always apply to your website, app or game, but you should consult legal counsel to determine whether it does. Additionally, before adding any new features that collect personal information, consult with legal counsel once again to ensure that these new features don’t implicate COPPA.
During development, consider the following:
2. What are you collecting? Create a list of all information that your software collects and make sure this list is shared between development teams and is kept up to date. If possible, separate this information into “Personal”, such as first and last names, geolocation data or email addresses, and “Anonymous”, such as number of clicks or how long a user stayed on a page.
3. What are you using this information for? Opposite each piece of information you collect, note what you are using this information for. For example, in a restaurant app, beside geolocation data: “determines user location to list nearby businesses that are similar to type requested by user”. If you can’t find a use for information, consider not collecting that information.
4. Are you disclosing this information outside the company? Opposite each piece of information you collect, note whether you disclose that information to third parties outside of your company and how those companies are using this information.