If you run a mobile app or website that targets and/or collects information from children under 13, you may need to take another look at your Privacy Policies and guidelines.
With the continued growth and accessibility of technology, online operators will be interacting with children at an increased frequency. This makes it more important than ever that you learn from the TikTok case and make sure you comply with COPPA's guidelines.
It is important to understand why the FTC will be looking more closely at mobile apps and websites that collect data from children under 13. Recently, the New York Times reported that the FTC agreed to a $5.7 million settlement with Musical.ly over violating COPPA.
Musical.ly (now merged with TikTok) is a social network mobile app that allows users to create videos and share them with other members of the app. The app has millions of users in the U.S., even after the merger with the Chinese company ByteDance.
TikTok was accused of illegally collecting personal information from children under 13. Additionally, the FTC concluded TikTok was retaining this personal information without the prior consent of the children's parents, thus violating COPPA. The data the app collected included the child's "email addresses, names and schools."
At its core, COPPA is meant to protect the privacy of minors under 13, who make up many of TikTok's users. COPPA's jurisdiction extends to all internet operators, including websites and mobile apps, that are targeted at children and collect data from those minors.
The FTC claimed TikTok violated COPPA on four counts:
To better understand how TikTok violated COPPA, let's take a look at what COPPA is and its requirements.
COPPA is the governing code that protects against the exploitation or illegal collection of children's data on any online resource. Its main goal is to protect the privacy and information of minors under the age of 13 from internet companies illegally collecting, soliciting, or retaining private data.
Additionally, COPPA requires all internet sites or apps directed at children to request and receive permission from the child's guardian or parents to collect the data.
COPPA is applicable to not only websites, but also mobile apps, internet gaming, location services, and any online business that collects any form of information from a child or is targeted towards children.
Its jurisdiction extends to companies operating in the U.S., companies headquartered in the U.S., and companies whose data passes through servers based in the U.S. However, this does not mean foreign companies are exempt.
If you are a foreign company operating on the internet or through mobile apps, like TikTok, you may still be under the jurisdiction of COPPA. If your app or website falls under any of the above requirements, or collects information from U.S. residents, your company is deemed to be under COPPA's authority.
Under Sec. 312.2 of COPPA, personal information is defined as:
COPPA's definition is expansive, in an attempt to include any type of information that would be deemed private or that could be collected or requested by an online website.
Note that the definition includes the child's geolocation information. Even if your app does not explicitly request this information but collects it as part of an included feature, it still falls under COPPA's definition of personal information. Examples of mobile apps that use geolocation to connect users are Facebook and Snapchat.
You can see that COPPA is casting a wide net to protect a child's privacy and to make sure that companies are aware of what information is collected and how that information is obtained. It is a law created solely to protect minors' private information and prevent their exploitation, placing the duty of care on the companies to comply with the law.
Section 312.2(1) defines the collection of information as "requesting, prompting, or encouraging a child to submit personal information online."
The definition goes on to include "enabling a child to make personal information publicly available in identifiable form." In other words, if you provide a fillable form for a minor that includes requesting "personal information," that is also considered collection.
You should also be aware that COPPA applies not only to the active collection of information but also to passive collection. Section 312.2(c) of COPPA's definitions explicitly states that "the passive tracking of a child online" is still a collection of a child's information. An example of passive tracking would be geolocation or GPS tracking.
In addition to sites or apps directly targeting minors and collecting information, COPPA also applies to internet companies that indirectly or passively collect and release the information.
If a company collects information from a child and shares it with a third party, COPPA will also apply to the third party. A third party under COPPA can be either an "operator" who is involved in the "collection or maintenance" of any information gathered, like the email collection service Mailchimp, or an individual who offers tech support.
An important note for all websites and mobile apps: even if minors are not your target audience, you can still violate COPPA.
General audience, teenager, or adult apps can violate COPPA if:
COPPA's primary goal is to protect the private information of minors. COPPA does not place the blame for leaked information on the children, but on the sites that collect the information. This means it is the company's responsibility to use reasonable care in the collection, storage, and release of the child's information.
While complying with COPPA may seem initially daunting, there are some key things you must do to stay in COPPA's good graces:
One of the FTC's main goals in creating COPPA in 1998 was to "place parents in control over what information is collected from their young children online."
Section 312.4 of COPPA requires that you not only have a Privacy Policy, but also give "direct notice" to the parent of the "operator's practices," that is, how the operator goes about collecting and storing the child's information.
Sec. 312.4 notes what's required to be included in a direct notice:
It should be noted that the child's information should not be collected until notice has been given to the parents and the parents have given permission.
Bloxels Builder - a website directed towards children - sends parents an email to get permission (consent) before a child can create an account. This email lets parents know that they need to give permission for their children to create an account, and that they can do so either by clicking a link or entering a code directly within the app.
Parents are informed that the only personally identifiable information stored will be the children's email addresses, and they will only be used for password retrieval purposes.
Microsoft obtains parental consent by giving a notice that it will charge a one-time fee of 50 cents to a parent's credit card. Parents are informed that they're consenting to their child's disclosure of information through Microsoft online services, products, apps and stores.
In order to get parental consent for third-party apps, Microsoft requires the parent to check a box next to a statement that shows the parent will allow the child to use the apps. Parents are informed that these third-party apps may collect information from the child or allow them to communicate with others.
A link to the Microsoft Services Agreement is included in the notice, and this agreement includes a link to the Microsoft Privacy Statement in its very first section.
These are both effective ways of giving parents direct notice of what's going on with their children's personal information and getting parental consent.
Under Sec. 312.8, the company "must establish and maintain reasonable procedures" to make sure all of the information collected is safe. Additionally, it is important that operators only release the collected information to "third parties" that are able to maintain the privacy and security of the child's data.
Many companies, such as Pokemon, include a section on the security of data, but also a clause stating that no transfer of information is 100% secure. The clause indicates the company will follow "reasonable procedures," but as an online operator, there is always the possibility of a breach.
Section 312.10 sets out that online companies "shall retain personal information collected...only as long as reasonably necessary." The rule limits how long a company may retain information, in order to protect the child's privacy.
The section also states that "the operator must delete such information using reasonable measures" when requested by the parent (Section 312.6). If the operator does not delete the information in a timely manner after being informed by the parent, it is in violation of COPPA, as TikTok failed to do.
1. Disclosing You Collect Data from Minors and Operators
Some companies also list the devices or cookies that collect information through their own website or through third parties, such as Google.
2. What Information is Collected, How it is Collected, and Disclosure Methods
Mattel, which owns companies such as Barbie and TurnSpell, includes each of these clauses in its Online Privacy Statement.
The clause above lets parents know that information such as first names, email addresses and usernames are sometimes collected, and that cookies are used to recognize website visitors.
The clause below discloses additional information that may be collected for things like purchasing a subscription or registering for an account. It also discloses the use of third-party technology partners and that certain information is automatically collected by these parties.
3. How Users Can View and Request Deletion of Data
Another important requirement of COPPA is that parents may request to see the information collected about their children or have that data deleted.
Companies must "state the procedures" parents must follow to request that information be destroyed or that no further information be collected.
Parents are given clear instructions on how to see what information has been collected about their children, as well as how to take other actions:
Make sure you:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
18 January 2021