In a recent episode of the HBO startup drama Silicon Valley, the development team at Pied Piper have created and are marketing a video messaging app, PiperChat. Unfortunately, the team fails to successfully migrate their terms of service onto the app, and they come to learn that a significant percent of their user base is pre-teen girls. Their failure to put forth any terms of service and their significant child user base combine to open them up to significant liability under the Children’s Online Privacy Protection Act of 1998 (COPPA). Dinesh, the CEO, calculates that Pied Piper could be liable for up to $21 billion in fines if the Federal Trade Commission brought an enforcement action—bankrupting their startup.
Do I Need to Worry About COPPA?
- Is your web-connected product or service directed at children or teens—does it use cartoon characters or mascots, bright colors, or targeted advertising?
- Do you know, for a fact, that children under 13 years old are using your product or service?
How to Comply with COPPA
You can’t entirely solve COPPA compliance by screening potential users for age. In fact, if your product is targeted towards an audience under eighteen years old, you can’t screen for age at all. You can, however, lock some parts of your product—such as forums, a chat function, or the ability to make in-app purchases—for users thirteen or older. If your product is targeted towards a general audience, you can screen for users under thirteen—and many platforms do. Many social media sites, such as Facebook and Instagram, not only screen for age, but also consider child users to be a violation of their terms of service—so that if management learns of a child user, the team can quickly delete their account. However, if you learn, for a fact, that a user of your website or app is under the age of thirteen and continue to allow them to use the service, their data needs to be protected under the terms of COPPA.
Compliance under COPPA mostly consists of allowing children to use devices and products able to connect to the internet, but with the ability of parents to revoke some or all of their information from being stored with your product. If your service or device is targeted at children, parents need to have a “back door” where they can control what types of information their child can submit, and parents need to have the choice to be able to delete their child’s information permanently from your product or service.
For more information, the FTC has published an informative COPPA Compliance Guide.
This post is provided for general information purposes and is not legal advice. As always, if you have any questions about this post or how it might impact your business, contact one of our attorneys.