Understanding COPPA and its Risk Ramifications

Posted by Mark Greisiger

A Q&A with James Prendergast and Chris DiIenno of Nelson Levine De Luca and Hamilton
First put into effect in 2000, the Children’s Online Privacy Protection Act (COPPA) was designed to protect the PII of children under age 13 online. In July, 2013, the regulation was revised to address more recent ways that children use the internet—namely, through social networking, apps and mobile devices. To better grasp the new amendment’s implications for businesses that collect the PII of children online, I talked to Jim Prendergast and Chris DiIenno, partners in the Privacy and Data Security Group at Nelson Levine De Luca and Hamilton, LLC.

Can you give us a summary of the COPPA amendment that went into effect July 1, 2013?
The main highlights are the following:

  1. The regulation requires parental notification and consent for any entity collecting children’s PII.
  2. Personal information has now been much more expansively defined under COPPA so that collecting some forms of data that were routinely collected in the past without parental consent would now be in clear violation of the regulation. This includes geographic location information, photographs, video, audio, user names and persistent identifiers.
  3. Third party vendors providing plug-ins and ad networks are now expressly required to obtain parental consent and notification.

What are the cyber liability risk ramifications for any company that collects, stores and shares PII from children?
The risks include fines and injunctions from the FTC and class action lawsuits if the data is not collected carefully and properly. This new legislation targets app makers and website operators who have consciously directed their marketing to a younger audience. The FTC is  looking for violations. If they catch violators, expect a substantial fine and bad publicity. I would also say that the third party plug-in providers, which were left out of the first law through a loophole, and have routinely been collecting information, might be the most threatened by this regulation. The worst-case scenario would be an app designer that either hasn’t paid attention to the amendment or has chosen to ignore it and has collected PII from kids for a long time.

What are the penalties?
Any entity that violates the new COPPA statute is subject to the full wrath of the FTC.  The FTC can put  violators out of business—either by substantial fines (up to $16,000 per violation) or by ruining their business reputation. When you’re looking at the fine amounts, consider that a company could be collecting information from 1,000 children and might have multiple violations per child. The FTC, or the states, can also take you to court for an injunction to prohibit you from doing business.

Are you predicting class action lawsuits?
Yes. Class action Lawyers have awaited these modifications with glee. I believe judges would be more inclined to find an identifiable class (which they generally haven’t been for cyber suits) because in this case they are protecting children. And while plaintiffs’ lawyers have had difficulty defining damages in some privacy cases, here, the FTC has done that for them and articulated the $16,000 per violation figure.

What can a company do to mitigate their exposure?

  1. Know the rules.
  2. Get parental consent. If you have any doubt at all that your website is directed at children, go to the COPPA website and figure it out.
  3. Post your privacy policy prominently online.
  4. If you have any change in your data collection at any point you must go out and tell mom and dad that you need their consent again—it’s not good enough to send a notice and then start collecting information.

Another consideration is that companies should try to understand what data they are collecting and how they are using it. They might find that they are collecting and storing data that they once had the intent to use or sell but no longer serves any purpose for them. If you don’t need to collect it, don’t.

Any other thoughts?
Because these regulations are new and directed at children it would definitely help app makers and related vendors to have a privacy liability policy that specifically addresses these issues.

In summary…
COPPA raises the stakes for transparency in a company’s privacy practices if data pertaining to children is involved. For children-directed app makers and others subject to this regulation, staying in compliance may mean facing potential hurdles such as the need for a Direct Notice (email or mail to parent) and getting ‘Verifiable Consent’ by the parents of the child. Some consent methods might be seen as laborious for both the company and parents (such as those that require that parents call, send a fax, mail a signed form, use their credit card, or email with their digital signature) but there’s no way around the regulation. So the big question is: Are website operators and app owners ready to put these practices in place today? Certainly, readiness requires a serious investment. But not tackling these issues might lead to FTC, State AG or plaintiff lawyer suits—something that no company can afford.