Does COPPA Apply to Your Apps and Content?

Two recent FTC decisions remind us that with the Children’s Online Privacy Protection Act (COPPA), responsibility always starts with the content and data collection happening on the site and/or mobile app. This includes a “strict liability” standard when it comes to “knowing” whether your audience includes children under 13 years of age, thereby triggering COPPA’s requirements.

The FTC’s recent settlement with TinyCo, an app developer and maker of games like Tiny Pets, Tiny Monsters, and Mermaid Resort, provides some important lessons.

Like many free games, TinyCo used in-app incentives to further the gaming experience. For example, TinyCo encouraged users to turn over email addresses in exchange for extra game points. But since many of these users were also children, TinyCo neglected to comply with COPPA’s primary requirements by not providing a privacy policy outlining how data from children was being collected, not giving parents direct notification about this data collection and use, and not obtaining verifiable parental consent. In addition, TinyCo repeatedly ignored emails from parents who were concerned that the company was collecting information from kids without the requisite notice and parental consent.

The FTC’s decision against TinyCo also provides some valuable insights into determining whether COPPA applies to a site or app. For instance, the FTC looks at the following factors (among others) to determine whether a site or app is “kid-directed”:

• Subject matter
• Visual content
• Use of animated characters or child-oriented activities and incentives
• Music or other audio content
• Presence of child celebrities or celebrities who appeal to children

But what happens if you are not targeting children through your site’s content or cute little characters, or don’t intend to include children in your target audience? COPPA still applies to “general audience” sites and apps (sites and/or apps not specifically directed to kids), and it also applies to data collection activities across all your sites and apps – as Yelp learned recently.

Yelp knew that children were using its site and mobile app, and had implemented an age gate to screen out users under the age of 13. Unfortunately, the company implemented the age gate incorrectly on its mobile app; as a result, access to Yelp’s app and services was provided irrespective of which age was initially entered in the company’s age gating feature. By doing this, Yelp committed further COPPA no-nos, by collecting device identifiers and location data (both considered personal information under COPPA) without providing the requisite notice, and getting verifiable parental consent.

So what does COPPA require, and what do you, as a site operator or app developer, need to do to comply? Over the next few weeks, we’ll be exploring those questions.

Webinar: Getting Proactive with COPPA

We will kick off the discussion with a webinar next Tuesday, September 30th at 11:00 am pacific. During this session, I’ll host “Getting Proactive with COPPA” – which will focus on:

• How a site or app’s audience, content and other features could trigger COPPA (even if you intend otherwise).
• What to do if COPPA applies to you – with a particular focus on privacy policies, direct notice to parents, and verifiable parental consent.
• Age-gating – and how to do it right.

Since the FTC announced revisions to the COPPA rule last year, much of the focus has been on third-party/plug-in activity on sites and apps. But these recent FTC settlements with TinyCo and Yelp remind us that when it comes to COPPA, compliance starts with your audience and content.

I look forward to drilling down into more details about the TinyCo and Yelp FTC settlements, as well as COPPA’s specific requirements, and taking your questions next Tuesday.

UPDATE

If you weren’t able to attend the live webinar, you can view a recorded version in its entirety and access the slides below:

Full Video Presentation