In the U.S., all companies that collect children’s personal information must abide by the Children’s Online Privacy Protection Act. Here’s why it was enacted and how to comply.
Companies that collect the personally identifiable information of their customers and employees must follow certain regulations that help assure the safeguarding of that sensitive personal information.
The same goes for any company that the collects the information of children under the age of 13. Specifically, the Children’s Online Privacy Protection Act (COPPA)—which came into effect in the United States in 2000—protects children from exploitation online and regulates what apps, online services, and websites must do to protect the privacy and safety of children online.
COPPA was passed in 2000 as reaction to the rise of social media websites such as MySpace, Xanga, and to address the rapid growth of websites collecting personal information from children for marketing purposes without parental consent. Children at the time were among the first to use the modern Internet, and they didn’t understand the potential harmful effects of giving away personal information. As such, COPPA requires apps and websites to provide clear and comprehensive privacy policy, to gain parental consent, and to refrain from using kids’ data for marketing purposes at the risk of fines up to $40,000 per violation.
COPPA applies to services and sites directed towards children under 13, with kid-friendly subject matter that include animated characters, young celebrities, and the usual kid-oriented fare. But companies that serve a wide or general audience need to comply as well. Basically, any company that uses an app that sends or receives online information such as social networking apps, advertising networks, or gaming platforms must comply. Companies that sell connected toys or other Internet of Things devices must comply as well.
A famous example of a connected toy falling under scrutiny for children’s privacy concerns is the Hello Barbie connected doll from a few years ago. Because it recorded audio files containing kids’ voices, parents and privacy groups were scared it could lead to misuse. Under COPPA, a child’s image or voice must be protected. The same goes for a child’s full name, home address, online contact information, telephone number, screen name, and Social Security Number.
As for how parental consent is obtained, that’s up to the individual company. A common way is a paywall that requires a credit or debit card. Or they can sign a consent form via email or fax. But parents hold the power in COPPA. They can request to receive the collected data, delete it, or revoke consent at any time. If there are any policy changes, parents must be notified. They must also be informed of how the child’s data is collected, what will be done with the data, and who it’s shared with.
In many ways, COPPA shares much in common with the EU’s General Data Protection Regulation (GDPR). Both laws heavily emphasize consent, notification, clear and concise language, transparency regarding what is done with the collected data, and the protection of that sensitive data. The big difference is the GDPR applies to European Union citizens of all ages, and companies must comply even if they’re not located in the EU.
To more easily comply with COPPA and GDPR, companies that deal with personal data can use encryption software. Solutions such as eperi Gateway provide encryption through pseudonymization, which renders personal information unreadable before it is transmitted to a web service. That way, no sensitive information gets compromised even in the event of a data breach. Only those who hold the encryption keys can decrypt the data, and the encryption keys are always in the hands of the company that uses eperi Gateway.
Recommended for You
