In our previous post we have described what COPPA is and who is covered by its provisions. Today, we discuss what are the sanctions for non-compliance and what should be done to avoid them.

How to Collect Children’s Information on Your Site/Online Service in Compliance with COPPA

I have a website/I provide online services, what am I required to do?

First and foremost, you need a clear and detailed privacy policy and place a link to the policy visibly on any page of the site where personal information is collected. Within the privacy policy, you need to include:

  • any information you collect from children,
  • the manner in which the information is used, and
  • whether it is disclosed or shared with third parties.

You must also disclose the names and addresses of the website operators that may be contacted by parents. If there are multiple operators collecting information via your site, you can designate one person who will respond to all parents’ inquiries.

Secondly, you need to provide parents of the child user with a notice and obtain their consent before using personal information of their child. In your notice, you need to do the following:

  • tell parents that you collected their contact information for the purpose of obtaining their consent,
  • describe what information of their child’s you are seeking to collect, in what manner it may be disclosed, and that parental consent is required to do so,
  • include a link to your privacy policy,
  • provide them with a way to give consent, and
  • let them know you will delete their information if you do not receive their consent within a reasonable time.

If you won’t be disclosing the child’s personal information and it’s just used for internal purposes, parental consent suffices when a parent just responds to the e-mail with their permission. If the information will be disclosed to others, however, you will need to provide a more stringent method for consent, such as having them sign a form, or call a toll-free number.

After giving consent, parents should also be given an adequate means of reviewing and deleting their child’s information.

I don’t collect personal information, do I need to worry about anything?

Even though COPPA only applies to websites or services that collect, use, or disclose personal information of children, it is always good to have a transparent privacy policy that shows users in what manner their data will be used and gives them means of reviewing and deleting their data. Another way to avoid COPPA issues is to restrict access to users above the age of 13, and provide for a way for persons to contact you when they discover children under 13 are using the site/service.

What happens if I don’t comply?

You may be liable for civil penalties of up to $16,000 per improper data collection, depending on various factors, such as the egregiousness of the violation, the number of children involved, type of information collected, and whether the operator previously has not complied with the Act. A notable example is Xanga, which was fined $1,000,000 back in 2006, or more recently, Yelp, which was fined $450,000 last year.

Don’t hesitate to contact us or leave a comment underneath if you have any questions or remarks regarding COPPA compliance.