COPPA compliance constitutes a substantial financial burden for online businesses. Most consider the burden simply a cost of doing business, but what if the business is a non-profit entity? The majority of non-profits are not exactly flush with cash, which is most likely why Congress created a COPPA exemption for them.
Enforcement actions initiated by the Federal Trade Commission are the bane of just about any business. These actions are both expensive to defend and a major interruption to the day-to-day functioning of the business.
There is an anomaly of sorts, however, when it comes to FTC enforcement actions. The FTC rarely has the authority to bring enforcement actions against non-profit entities, and this is certainly true for COPPA. Section 15 U.S. Code § 6501 (2)(B) of the Children’s Online Privacy Protect Act states:
The term “operator”—
(B) does not include any non-profit entity…
Businesses that qualify as operators much comply with COPPA. Since the definition excludes non-profit entities, the FTC cannot pursue enforcement actions against non-profits collecting personally identifiable information from children under 13 online.
Does this mean non-profits should ignore COPPA? No. Parents and child advocacy groups will expect online businesses to comply with COPPA. The failure of a non-profit to do so could lead to a tsunami of bad publicity. Offering up a technical legal reason for failing to comply is not going to act as a soothing salve for angry parents.
When the subject of non-profit entities is brought up, most of us picture various groups helping out the less fortunate. Non-profits exist for many different purposes. One is to act as an association for a certain group of businesses or professional endeavors. For example, there are plenty of business organizations that are non-profit, yet can hardly be said to be operating for any purpose other than advancing the business goals of the members and contributors of the association. An example might be a dental association set up to promote the interests of dental professionals in a particular state.
With pseudo non-profits, the FTC takes the view it has the authority to regulate and pursue enforcement actions since the non-profits act for the benefit of profitable members or contributors. In FTC v. California Dental Association, 526 U.S. 756 (1999), the United States Supreme Court agreed. In delivering the majority opinion, Justice Souter wrote:
“The Commission’s jurisdiction extends to an association that, like the CDA, provides substantial economic benefit to its for-profit members. The Act gives the Commission authority over a “corporatio[n],” 15 U.S. C. §45(a)(2), “organized to carry on business for its own profit or that of its members…” [Emphasis Added.]
Given this ruling, it is clear the FTC can regulate the actions of non-profits where a profit motive exists in relation to the underlying members. It then follows that if a non-profit business is collecting personally identifiable information from kids under 13 for the benefit of its for-profit members, the FTC could pursue an enforcement action or at least attempt one.
Is there a non-profit exemption when it comes to COPPA? Yes, but a technical review of the non-profit is required to determine if a “for the profit of members” characteristic exists that will trigger a duty to comply. Even if none exists, business management teams must take into consider the potential backlash from foregoing voluntary compliance.
Richard A. Chapo, Esq.