Ed-Tech Start-ups: How to comply with the Children’s Online Privacy Act (COPPA)

What is COPPA?

The Children’s Online Privacy Act (COPPA) is a federal regulation intended to protect the privacy of children under 13.

If you are an educational tech start-up or otherwise have a product geared toward kids under 13 (or you know that young kids are using your product), then COPPA likely applies to you. If you are dealing with teenagers, COPPA does not apply.*

Under COPPA, an app or website may collect personal information from kids under 13, but parental consent is required and the company must comply with certain safeguards. “Personal information” means information that identifies an individual like full name, address, email, or phone number. COPPA covers situations where kids are directly sharing personal information, not where a third party like a teacher is providing the information.

How do I comply?

1. Verifiable Parental Consent. Before collecting any personal information, you need “Verifiable Parental Consent.”

a. If you are going to disclose kids’ personal info to third parties or have a social element to allow kids to post publicly or have a profile, the following forms of consent are acceptable:

i. parents sign and return a form (e.g. print and scan back)
ii. charge parent's credit card or do another money transaction that notifies the primary account holder of each discrete transaction
iii. have parent call a number and answer questions by trained personnel
iv. verify parent ID by checking a form of government issued identification

b. If you are going to use the kids’ personal info for internal purposes only, then use any of the above methods, OR the "email plus" method:
Send an email to the parent and receive a confirmation response, PLUS:

i. get a phone number to do a second confirmation by calling directly; OR
ii. after a reasonable time delay, send a second message to the parent to confirm consent. Include all information contained in the original notice, inform the parent that he or she can revoke the consent and explain how to do so.

c. School Consent: Schools can act as the parent’s agent and can consent to collection of a kid’s information on behalf of the parent. However, schools can only give consent when the information is used in the school educational context only, and not for any other commercial purpose.

2. Review and Removal. Give parents the ability to review and remove information, and prevent further use and collection.

3. Data Security. Take reasonable measures to protect data security and confidentiality. Only retain information for as long as necessary to fulfill the intended purpose.

4. Privacy Notice. Post a privacy policy prominently and clearly on the site.

For more information, see the FTC’s detailed Compliance FAQs.

Enforcement

The FTC enforces COPPA and violators can face civil penalties up to $16,000 per violation. There is no private right of action enabling individuals to sue a company based on failure to comply with COPPA, but individuals can submit complaints to the FTC.

------

*Note: if you are working with teens, there are no specific privacy regulations that apply to minors age 13-18 at the federal level, but some states have some extra protections for this age group. Also, as a general rule, contracts with minors are not enforceable, but California and some other states actually do presume that a Terms of Service with a minor is valid; it is just easier for the minor to withdraw from the agreement.