In a recent episode of the HBO startup drama Silicon Valley, the development team at Pied Piper have created and are marketing a video messaging app, PiperChat. Unfortunately, the team fails to successfully migrate their terms of service onto the app, and they come to learn that a significant percent of their user base is pre-teen girls. Their failure to put forth any terms of service and their significant child user base combine to open them up to significant liability under the Children’s Online Privacy Protection Act of 1998 (COPPA). Dinesh, the CEO, calculates that Pied Piper could be liable for up to $21 billion in fines if the Federal Trade Commission brought an enforcement action—bankrupting their startup.

Although Silicon Valley is fictional, the Children’s Online Privacy Protection Act, FTC enforcement actions, and fines are not. COPPA covers nearly all objects, services, voice-activated devices, and apps which connect to the internet and collect user data from children. If your service or device is targeted towards children or is actually being used by children— complying with COPPA should be a priority when crafting a terms of service and a privacy policy.

Do I Need to Worry About COPPA?

Here’s a quick quiz to determine whether or not your product needs to have a COPPA-compliant terms of service and privacy policy:

  1. Is your web-connected product or service directed at children or teens—does it use cartoon characters or mascots, bright colors, or targeted advertising?
  2. Do you know, for a fact, that children under 13 years old are using your product or service?

If you answered yes to either of those questions, you might need to beef up your privacy policy or terms of service. There are a few exceptions, but overwhelmingly, if your product collects personal information and connects to the internet, it is going to need a strong privacy policy in compliance with COPPA.

Unlike Pied Piper in Silicon Valley, your company probably won’t face a $21 billion compliance fine, but the FTC has the ability to levy a fine of $16,000 to $40,654 per violation, so the fees can rack up quickly. The social media site Path settled for an $800,000 fine and a federal consent decree for mining the information of around 3,000 children; and Sony BMG Music Group was fined $1 million for collecting and failing to protect children’s data from over 196 websites. A strong privacy policy not only protects your company’s hard work, but also protects kids online.

How to Comply with COPPA

You can’t entirely solve COPPA compliance by screening potential users for age. In fact, if your product is targeted towards an audience under eighteen years old, you can’t screen for age at all. You can, however, lock some parts of your product—such as forums, a chat function, or the ability to make in-app purchases—for users thirteen or older. If your product is targeted towards a general audience, you can screen for users under thirteen—and many platforms do. Many social media sites, such as Facebook and Instagram, not only screen for age, but also consider child users to be a violation of their terms of service—so that if management learns of a child user, the team can quickly delete their account. However, if you learn, for a fact, that a user of your website or app is under the age of thirteen and continue to allow them to use the service, their data needs to be protected under the terms of COPPA.

Compliance under COPPA mostly consists of allowing children to use devices and products able to connect to the internet, but with the ability of parents to revoke some or all of their information from being stored with your product. If your service or device is targeted at children, parents need to have a “back door” where they can control what types of information their child can submit, and parents need to have the choice to be able to delete their child’s information permanently from your product or service.

Helpful Guidance

For more information, the FTC has published an informative COPPA Compliance Guide.

 

This post is provided for general information purposes and is not legal advice.  As always, if you have any questions about this post or how it might impact your business, contact one of our attorneys.