How does a company protect kid’s COPPA rights?
As the majority of American schools have closed their doors because of the COVID-19 outbreak, children stuck at home are spending more time on social media and online games than ever before. If a company markets games or other content to children, it’s important to make sure they are in compliance with the applicable federal law – the Children’s Online Privacy Protection Act (COPPA).
Over twenty years ago, Congress passed COPPA to ensure parents had control over how online services collected their children’s personal information. This post will outline what COPPA requires from a company. For an overview of COPPA and how it may affect game companies, see our previous post here.
Is a company subject to COPPA?
The short answer is: maybe.
Does the company collect PII?
First, to be subject to COPPA, acompany must collect personally identifiable information (PII), this includes persistent identifiers (like device trackers, IP addresses, or cookie identifiers).
Collection is defined broadly to mean “requesting, prompting, or encouraging a child to submit personal information online.” The FTC’s Q&A provides a helpful example that suggests if an app allows users to share a particular game score or progress level via email or social media, that feature of the app is considered to be collecting PII–and the company must obtain parental consent.
Even if your company contracts with a third-party advertiser or a plug-in that collects this information, a company is still responsible for complying with COPPA. For example, a group of parents sued Twitter and Tiny Lab, in part, because the companies’ third-party advertisers did not, allegedly, comply with the notice and consent requirements of COPPA.
Does the company know children are using its services?
Second, the company must either (1) know children are using its games or (2) direct the games to children. COPPA defines a child as a person under the age of thirteen. The FTC sets out various factors it uses in determining whether a game is “directed to children:”
- the subject matter,
- the visual content,
- the use of animated characters or child-oriented activities and incentives,
- the kind of music or other audio content,
- the age of models,
- the presence of child celebrities or celebrities who appeal to children,
- language or other characteristics of the site,
- whether advertising that promotes or appears on the site is directed to children, and
- competent and reliable empirical evidence about the age of the audience.
A company is subject to COPPA – now what?
If a company is subject to COPPA there are three major requirements: (1) Notice to parents; (2) parental consent; and (3) right to review.
Provide parents with notice of data collection practices
Businesses have to provide notice and get verifiable parental consent before collecting a child’s personal information.
If your policy changes, with respect to the compan’ys data practices, COPPA requires businesses to notify parents of those changes.
Obtain parents’ consent
With a few exceptions, a company subject to COPPA must obtain verifiable parental consent before it begins collecting data from children. This consent must be twofold: (1) consenting to the collection and use of the child’s information and (2) consenting to the disclosure of that information to third parties.
For consent to be verifiable, a company must utilize the available technology to take reasonable steps to ensure the person consenting is the child’s parent or guardian. The FTC provides the following methods as examples:
- Signed consent form mailed, faxed, or emailed to the business;
- The requirement that a parent, in monetary transactions, use a debit or credit card that would alert the primary cardholder of individual transactions;
- A toll-free telephone number or video-conference link staffed with trained personnel;
- Verifying a parent’s identity by checking an ID against databases of such information, then promptly deleting the record of the ID; or
- Allowing a parent to email consent with additional, follow-up steps to provide adequate assurances that the person providing the consent is the parent. Those steps could be a follow-up email or text message.
Give parents the right to review
Parents must have the right to review the information the Internet site or mobile app collects from their children. Upon request, a company must provide:
- A categorical description of the type of information collected
- The opportunity to refuse to allow the company to continue to use or collect the information from the child;
- The right to direct the company to delete the child’s personal information; and
- A way for the parent to review any personal information collected from the child.
This process must ensure that the person requesting review is, in fact, the parent and cannot be unduly burdensome for the parent.
Don’t collect too much, and keep information secure.
Much like the CCPA, a company cannot require a child to submit more information than necessary to participate in a game or another activity. Additionally, COPPA requires companies to enact reasonable security measures to protect the confidentiality and security of the child’s collected information.
What is the future of COPPA?
Last month Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced the KIDS Act, which, if passed, would force game companies to drastically change various design elements of their games and any other online, interactive media.
That bill comes at a time when Congress is eager to strengthen children’s online protections: Bills like the Kids PRIVCY Act and PROTECT Kids Act aim to amend COPPA in order to strengthen children’s online safety. If you’re concerned about COPPA and want to stay in the loop, contact us to sign up for our monthly newsletter and we’ll keep you in-the-know.