Think the Children’s Online Privacy Protection Act (COPPA) and the expanded revisions don’t affect you? If you run an app or website and you collect, share or store information about your users, you could be wrong. And that one assumption could cost you loads of money in fines and legal fees, as well as time spent rebuilding your brand’s reputation.
COPPA, a privacy law created by the Federal Trade Commission in 1998, was designed to give parents more control over the personally identifiable information (PII) that websites collect from children under the age of 13. Startups tend to ignore COPPA, believing they are exempt because their site or app wasn’t initially designed for kids. But over time, many startups discover that children are a part of their audience – sometimes growing into a large segment of active users. If this sounds familiar, then COPPA definitely applies to you.
There are many aspects to the law (which you and your lawyer should read in full), but the bulk of it involves what PII is collected from users, how it is stored and finally, how it is shared. PII includes any of the following:
First and last name
A home or other physical address, including street name and name of a city or town
Online contact information
A screen name or username that functions as online contact information
A telephone number
A social security number
A persistent identifier that can be used to recognize a user over time and across different websites or online services
A photograph, video or audio file, where such file contains a child’s image or voice
Geolocation information sufficient to identify street name and name of a city or town
Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above
While only some of the law is new, all of it will be more strictly enforced after July 1 of this year. And, if startups choose to ignore the compliance guidelines, they face fines of up to $16,000 per child user after a lengthy investigation into company records. Still don’t believe this could really happen to you? Path, the popular private social networking app, is the most recent startup fined by the FTC for violating COPPA, costing them $800,000! Imagine explaining that line item to your investors.
So if you’re reading this and just realizing now that you may have a problem, what should you do?
1. Read and understand the COPPA law and its most recent changes thoroughly. The law is detailed, but you should understand it inside and out, just like you do your monthly analytics and financials. Check out the FTC’s website, which offers extremely valuable information and Q&As about the law, too.
2. Find a COPPA lawyer to work with. There aren’t a ton of them out there who truly are experts on COPPA, so you may need to look out of state. Make sure you check references – attorneys who regularly work with sites directed at children and participate in online security discussions are best.
3. Participate in a safe harbor program. These programs are endorsed by the FTC to audit participating websites and provide guidance on COPPA compliance. Be sure the safe harbor you select is actually approved by the FTC to offer these services.
4. Make any needed changes immediately. Don’t wait! The modifications you will need to make may seem overwhelming, but trust me – you’ll never regret becoming compliant as soon as possible. It will only save you time, money and sleepless nights in the long run.