The drafters of the Children’s Online Privacy Protect Act of 1998 were looking to create a framework governing the collection of personal information from children online by third parties such as websites and advertisers. When COPPA applies and to what information is a complex topic. One question commonly asked by online operators is whether collecting IPs of anonymous users triggers the need for COPPA compliance?
The scenario being envisioned here is fairly straightforward. Let’s assume I own a site showing videos targeted to adults. There is a free membership option. However, visitors can view the videos without signing up for an account.
COPPA applies to the collection of information from minors under 13 years of age. Let’s assume a 10-year-old comes to my site. He doesn’t try to open a free account, but he does view various videos.
Does COPPA apply? If so, must I comply with it because I collect his IP as part of my general data collection for analytics? Let’s analyze the issue.
“IP” is an abbreviation for Internet Protocol. An IP address is a numerical designation assigned to every device accessing the web. In practical terms, an IP address is similar to the street address for your residence.
The FTC issued a revised COPPA Rule in 2013 that expanded the definition of personal information to include IP addresses. Given this new view, COPPA would appear to apply to our hypothetical. However, a closer analysis reveals this is not the case.
The first step of the analysis is determining whether my video site is “directed at children under 13.” It is not. The videos are tailored towards a general audience much as is the case with YouTube.com.
We then must ask if there is evidence indicating there is a child under 13 using the site. This standard is referred to as “actual knowledge.” In our example, no such knowledge exists. The child did not sign up for an account, so I have no method for determining his age. All I have is an IP address and incidental analytical information such as what pages he visited and how long he was on the site.
Returning to our query – does COPPA disallow for the collection of IP addresses from anonymous users of a site, app or other online property. In a word – no.
There is a potentially significant caveat to this conclusion – if actual knowledge exists. Let’s assume the child comes to the site. He opens a free account and bypasses the age gateway by lying about his age. I have no COPPA obligation here because, again, there is no evidence the individual is under 13. If he then starts posting comments to videos that indicate his true age and I am made aware of such information, I have actual knowledge and must comply with COPPA immediately.
The expansion of the COPPA Rule by the FTC in 2013 is redefining when COPPA applies to an online data collection scenario. The collection of anonymous information is usually insufficient to trigger a compliance obligation, but the exact answer is dependent on a case-by-case analysis. Contact me today to arrange for a free consultation.
Richard A. Chapo, Esq.