COPPA and the FTC COPPA Rule set forth a variety of requirements and procedures necessary for an online operator [you] to collect, secure and use the personal information of children under 13 years of age. The important thing to understand is the definition of “personal information” used in enforcing the law is much broader than one might expect.
Common Sense Definition
Ask yourself a simple question. What information do you consider to be personal? Is the fact you visited a particular website a private matter or no different than if someone knows you had dinner at a particular restaurant? Traditionally, most people define personal information as your:
- Full name,
- Birth date,
- Home address,
- Phone number,
- Email address, and
- Social security number.
This list makes sense in the real world, but the virtual world is different. The businesses you visit while driving around town cannot track your movements, but they can when you move about online. They do so by using identifiers you might not consider personal information per se. The expanded definition of “personal information” under COPPA accounts for this, at least as it applies to kids under 13 years old.
COPPA Personal Information
In issuing a new COPPA Rule in 2013, the FTC sought to expand the definition of personal information to include non-traditional identifiers businesses use online to track individuals. The new definition reads as follows:
Personal information means individually identifiable information about an individual collected online, including:
(a) A first and last name;
(b) A home or other physical address including street name and name of a city or town;
(c) An e-mail address or other online contact information, including but not limited to an instant messaging user identifier, or a screen name that reveals an individual’s e-mail address;
(d) A telephone number;
(e) A Social Security number;
(f) A persistent identifier, such as a customer number held in a cookie or a processor serial number, where such identifier is associated with individually identifiable information; or a combination of a last name or photograph of the individual with other information such that the combination permits physical or online contacting; or
(g) Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.
The expanded definition reflects the fact that profiles can be built for kids online by focusing on non-traditional identifiers. A person who uses the same screen name across five to 10 sites can be tracked and analyzed based on that screen name. The profile building process includes collecting and analyzing what the person likes, retweets, pins, and the words used in their posts. Once these are combined, advertisements are targeted to the profile whenever the username or IP address appears. A full profile can be built if a name is ever associated with the profile.
As an online operator, it is important you take into account this expanded definition of personal information. You may be gathering qualifying information under COPPA without realizing it. For example, the collection of a username of a child along with an indicator of their IP address and geolocation could well trigger the need for you to comply with the law. Failure to realize as much could lead to massive penalties such as the recent $800,000 settlement the app company Path had to cough up.
A New Standard?
Online operators have long relied on the “sign up” theory when determining whether or not they need to comply with COPPA. This theory suggests that so long as a visitor to your website, app, plugin or whatever is not signing up for an account or purchase, then COPPA compliance is not required. This may no longer be the case as capturing and tracking persistent identifiers such as IP addresses do not need any signup process.
The web represents the single greatest platform for the dissemination of information in the history of humanity. Unfortunately, the information is occasionally incorrect, as is true of a particular bit of guidance commonly found online regarding COPPA.
Consider a form you recently filled out when registering for an account on a site or buying a product. You were required to provide information such as a username and password. You also were given the choice of providing other information. You will occasionally see forum posts and articles published by people who are not lawyers suggesting COPPA compliance is not required when information is provided voluntarily by a child under 13 on such forms.
Let’s be clear.
This rumor is 100 percent wrong.
COPPA applies to the collection of personal information directly from kids under 13 regardless of how that information is obtained. The only exception to this rule is if the parents of the child in question directly provide the information.
Do not rely on legal advice provided by people who are not lawyers. The fines are up to $40,000 per child for failing to comply with COPPA. A site attractive to kids under 13, such as a game site, is going to have hundreds or thousands of members. If 50 are under 13, the penalty could be as high as $800,000. Most COPPA cases settle in the six to seven figure ranges so this is no laughing matter.
The new definition of personal information significantly expands the reach of COPPA. Make sure you understand the expanded definition and adjust your compliance efforts accordingly.
Richard A. Chapo, Esq.