The Children’s Online Privacy Protection Act (COPPA) regulates how companies collect, use and disclose personal information a child provides to a website, app or online program. COPPA’s intent is to have a parent or other legal guardian monitor kids’ online information and to run interference between them and commercial or other interests that might exploit them. The Federal Trade Commission (FTC) enforces COPPA.
This month, COPPA was amended “to clarify the scope of the Rule and strengthen its protections for children’s personal information, in light of changes in online technology since the Rule went into effect in April 2000.”
Courtesy of FDA Law Blog, here’s a primer about COPPA and how the FTC is on alert for food, drug and device manufacturers that go astray of its rules. In general, according to Law Blog, food companies that market online or appeal mostly to children are at the greatest risk of FTC scrutiny.
Food companies have encountered COPPA enforcement regarding child-directed web programs promoting snack foods. The FTC’s new round of enforcement, says Law Blog, probably will include food companies whose websites, apps or other online programs collect, use or disclose personal information from children.
Drug and device companies, the blog says, probably are less likely to be hammered because they are less likely to use online programs that appeal to children. “There have been no enforcement actions to our knowledge against a drug or device company,” it says. Still, in developing online programs or services for children’s drugs or devices, such as a kid-oriented app to help parents teach how to use an inhaler, COPPA could apply.
The FTC’s definition of personal information (PI) includes a first and last name, telephone numbers, electronic files containing a child’s image or voice and “persistent identifiers” that can recognize a user over time and across different online programs. According to the FTC, COPPA applies to three types of entities that might encounter this type of PI:
- operators of commercial websites or online programs (including mobile apps) directed to children younger than 13 and that collect, use or disclose PI provided by children under 13;
- operators of commercial websites or online programs that are directed to a general audience if the operator has “actual knowledge” that it is collecting, using or disclosing PI provided by children under 13; and
- companies that have actual knowledge that they are collecting PI via another company’s website or online service directed to children.
If a company is covered by COPPA, the FTC expects it to:
- provide a parent or legal guardian with prior “direct notice” of the collection of PI from children;
- obtain a parent or legal guardian’s prior “verifiable consent” for any collection (subject to some limited exceptions);
- provide the parent or legal guardian access to their child’s PI to review and/or delete;
- maintain the confidentiality, security and integrity of PI collected from children;
- retain PI collected from children for only as long as is necessary to fulfill the purpose for which it was collected; and
- delete PI collected from children using reasonable measures to protect against unauthorized access or use.
For additional information about the vulnerability of children on the Internet, see our blog “The Perils of Underage Use of Social Media.”