COPPA and Kids Internet Safety

With the recent talk of Facebook and Google's privacy-intrusive research apps, trust in our industry continues to grow tenuous for many. The relationships between website operators, children and their families are important and often a focus of proposed legislation around the world, due to the realities of endangered safety and these stoked anxieties. So what rules currently exist, how can we comply with them and what may be in store for our future?

In the late 90s, the growing popularity of the internet meant growing opportunities for website operators to market to children, as well as to profit off of this potentially vulnerable audience. Concerns from vocal parents and privacy advocates prompted the U.S. federal government to introduce the Children's Online Privacy Protection Act. Enacted in 1998 and taking effect in 2000, COPPA defined new rules for how website operators could collect information for children under 13 years of age. 

COPPA regulates the collection of information of children under 13. Without parental consent, no personally-identifying information may be collected. This is true regardless of whether it is you, the website operator or a third-party, such as an ad network, collecting the information. If you are the website operator, you are responsible for complying with COPPA. That may mean certain user analytics platforms such as Google Analytics may prevent your site from complying with COPPA (due to geolocation information being able to identify a user’s city), however many in the industry simply request that users under 13 do not use their websites via the required privacy policy statement. (Side note: I am not a lawyer and thus I cannot recommend this approach as legally valid, however I can note that it is a common practice.)

If you’re a website operator and your website is not catering to children under 13 or is not collecting any personally-identifying information (detailed in this FAQ on the FTC’s website), congrats! Your website does not need to comply with COPPA rules. That may change soon, however. Similar to efforts in the EU such as General Data Protection Regulation (GDPR) which requires website operators to remove all of a user’s data upon request, regulation in the U.S. is likely to heat up.

The Do Not Track Kids Act of 2018 (S.2932) is a Senate bill currently sponsored by Senator Richard Blumenthal of Connecticut and has many in the industry wondering where we may end up this year or in the years soon to come. The Do Not Track Kids Act is intended to update COPPA, prohibiting targeted online advertising to children under 13, requiring website operators to remove user data at the request of children and their parents and requiring website operators to disclose how personal data is collected and used. Even if the Do Not Track Kids Act does not gain traction, it’s unlikely to be the last effort in the United States to protect users’ privacy through legislation. It’s certainly a topic we at thunder::tech are watching with intent, and will continue to share our thoughts and perspectives on.