Is Your Website COPPA-Compliant?
On March 27th, the Federal Trade Commission announced that it has settled its complaint that RockYou, Inc., an online gaming site, allowed hackers to access the personal information of 32 million users while it touted its security features and that it violated the Children’s Online Privacy Protection Act (COPPA) Rule when it collected information from approximately 179,000 children. The settlement requires RockYou to stop its deceptive claims about privacy and data security, implement a data security program, stop all future violations of COPPA, and pay a civil penalty of $250,000.
The proliferation of social media, online gaming sites, and mobile platforms, as well as mainstream businesses reaching out online, highlights a law and rule website owners might unwittingly violate. COPPA became law in 1998 and the FTC implemented the Rule in 1999. COPPA is designed to protect children under 13 years of age while online and to give parents control over the information companies collect online from their young children. COPPA applies to both sites targeted at children, such as children’s’ toy sites and online gaming sites, as well as mainstream sites. COPPA requires website owners to:
- Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children;
- Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties;
- Provide parents access to their child’s personal information to review and/or have the information deleted;
- Give parents the opportunity to prevent further use or online collection of a child’s personal information; and
- Maintain the confidentiality, security, and integrity of information they collect from children.
The Rule also prohibits operators from conditioning a child’s participation in an online activity (such as contests) on the child’s providing more information than is reasonably necessary to participate in that activity.
The FTC is charged with enforcing the provisions of the COPPA Rule. Since inception, the FTC has brought 21 COPPA enforcement actions to stop violations. RockYou is just the latest. If your website interacts with children and/or collects information from children, you should quickly familiarize yourself with the COPPA requirements and conduct a review of your site to ensure it is compliant.
The FTC recently proposed changes to COPPA to help the Rule keep pace with changing technology. Given the changing landscape and ever increasing use of mobile devices and apps by younger and younger children, we’re sure the FTC will step up its enforcement actions under the Rule. We will keep you posted of the final changes to the Rule and new enforcement actions by the FTC.