As with most laws, the devil is in the details when addressing interactions with children that may or may not trigger compliance requirements with the Children’s Online Privacy Protection Act [“COPPA”]. One question that pops up repeatedly is what COPPA compliance obligation does a general audience online operator have when a child under 13 makes contact via email?
You run a forum discussing the latest movies. The visitors to your site range from older teens to adults. In short, a basic general audience website such as Rotten Tomatoes that should not need to comply with COPPA.
On a Monday [because it is always a Monday!], you receive an email from a person who has questions about when Frozen 2 will come out. The message includes the person’s name, email address, phone number and name. The person also indicates that she and her second-grade classmates are huge Frozen fans.
Houston, we have a [clichéd] problem.
The average child in second grade is anywhere from six to nine years old. Unless the individual contacting you has been held back in school a lot, you are talking with a child under 13 and COPPA becomes a concern.
Can you respond to the inquiry?
Should you just delete their message?
Fortunately, the FTC takes a common sense approach to handling such communications.
Single Contact and Response
To its credit, the Federal Trade Commission created a “single contact” exception to COPPA when creating regulations for the law. The key provision is found in 16 C.F.R. §312.5(c), which reads:
“Verifiable parental consent is required prior to any collection, use and/or disclosure of personal information from a child except as set forth in this paragraph. The exceptions to prior parental consent are as follows:
(2) Where the operator collects online contact information from a child for the sole purpose of responding directly on a one-time basis to a specific request from the child, and where such information is not used to recontact the child and is deleted by the operator from its records;”
Put simply, being contacted by a child under 13 does not trigger the need to obtain verified parental consent under COPPA so long as you reply one time and then delete the child’s information. This makes logical sense. Requiring online operators to comply with COPPA after a single unsolicited communication from a child under 13 would be an immense burden, particularly for smaller businesses.
Children are becoming tech savvy at an ever younger age as the web continues to grow in importance. As an online operator, it is your duty to stay on top of your COPPA obligations. This is true even if you are a general audience platform, but obtain actual knowledge that a child under 13 is on the platform and you are collecting personal information from them.
It is vital that you establish clear policies for handling communications from qualifying children for both yourself and the employees of your business. Contact me if you have any questions about the best way to proceed.
Richard A. Chapo, Esq.