Operators of commercial websites must be careful when designing and using interactive websites that collect personal information and other data from customers and consumers. Interactive websites that collect information by:
- Requesting, prompting or encouraging the submission of information (even if it's optional)
- Letting information be made publicly available (example: open chat room or posting function)
- Passively tracking information through a separate child-directed site or service, or through an advertisement network

may be collecting such information from children.
There are special rules governing the online collection of data and personal information from children under the age of 13 through commercial websites.
In April of 2000, Congress enacted the Children’s Online Privacy Protection Act (COPPA), which applies to operators of commercial websites and online services directed to children under the age of 13 that collect personal information. “Personal information” under COPPA includes:
- Full name
- Home or other physical address
- Online contact information (email address, voice-over internet protocol identifiers, cookie numbers, video chat identifiers, and other identifiers)
- Telephone number
- Social Security number
- Photo, video or audio file containing a child’s image or voice
- Geolocation information sufficient to identify a street name and city or town
- Other information collected from a child
The Federal Trade Commission (FTC) enforces COPPA and has the authority to issue regulations with respect to COPPA. Commercial websites and online services covered by COPPA must post privacy policies, provide parents with direct notice of their information practices and obtain verifiable consent from a parent or guardian before collecting personal information from children under the age of 13.
In December 2012, the FTC issued revisions to COPPA, which create additional parental notice and consent requirements (the 2013 Revisions). The 2013 Revisions to COPPA became effective on July 1, 2013. Under the 2013 Revisions, COPPA applies to operators of commercial websites when they have “actual knowledge” that they are collecting personal information from users of another site or online service directed to children under the age of 13. The 2013 Revisions do not define the term “actual knowledge.” The FTC has stated that an operator has actual knowledge of a user’s age if the site or service asks for – and receives – personal information from the user that allows it to determine the person’s age. In addition, third-party child-directed websites may communicate to an ad network about the nature of their sites and the information collected from children under the age of 13. If the operator of the commercial website has access to such information, COPPA will likely apply.
After July 1, 2013, operators of commercial websites subject to COPPA must:
- Notify parents directly before collecting any personal information from a child under the age of 13
- Obtain the parent’s verifiable consent before collecting personal information from their child
- Honor parents’ ongoing rights with respect to information collected from their children
- Provide parents with access to the personal information collected from their child in order to edit or delete it
- Implement reasonable procedures to protect the security and privacy of personal information collected from a child
Violations of COPPA can result in enforcement actions, including civil penalties and fines. McDonald Hopkins has a team of skilled franchise, business and data privacy professionals who can help tailor a specific solution for your company’s needs.
McDonald Hopkins counsels businesses and organizations in a myriad of industries regarding all aspects of data privacy and cybersecurity, including proactive compliance with the numerous state, federal and private data security regulations relative to the protection of personal information and protected health information, training of employees and preventative measures to decrease the risk of data theft. Our attorneys specialize in drafting data privacy policies, written information security programs, incident response plans, confidentiality agreements, vendor agreements, and document retention policies. When a data breach occurs, McDonald Hopkins acts as a breach coach to ensure compliance and minimize exposure. Our attorneys work with federal, state and local authorities, as well as third party vendors, throughout the breach response process. We coordinate notifications to affected individuals and state attorneys general as well as the media, as needed. Our team has significant experience litigating matters involving data security and privacy. We can help properly assess your risks to ensure compliance. Once our brief McDonald Hopkins Data Privacy and Cybersecurity Review is completed, your company will receive an assessment of the areas which have the greatest need of attention and improvement to ensure compliance.