It's been a year since our post on the revised COPPA regulations going into effect. Are you still unsure what types of data equals “personal information” and triggers COPPA’s requirements?
On the heels of the new FTC lawsuit last week against Amazon.com regarding in-app purchases, it behooves you to ensure you’re following the requirements closely.
Here’s an overview of data treated as “personal” under COPPA, along with parameters for exactly what and you can “collect” in compliance with (or avoidance of) COPPA.
Each of these is considered personal information under COPPA:
- Full name
- Home or other physical address, including street name and city or town
- Online contact information like an email address or other identifier that permits someone to contact a person directly — for example, an IM identifier
- Screen name or user name where it functions as online contact information
- Telephone number
- Social Security number
- A persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier
- A photo, video, or audio file containing a child’s image or voice
- Geolocation information sufficient to identify a street name and city or town
- If another company collects personal information through your child-directed site or service — through an ad network or plug-in, for example — you’re responsible for complying with COPPA. If you have actual knowledge that you’re collecting personal information directly from users of a child-directed site or service, you’re responsible for complying with COPPA, too.
- Other information about the child or parent that is collected from the child and is combined with one of these identifiers
Under COPPA, you’re collecting information if you:
- Request, prompt, or encourage the submission of information, even if it’s optional
- Let information be made publicly available (for example, with an open chat or posting function) unless you take reasonable measures to delete all or virtually all personal information before postings are public and delete all information from your records
- Passively track a child online
Phew! Overwhelmed yet? Well, fear not. Here are some creative ways to interact with kids without triggering COPPA issues:
In-app interaction only
A child can upload photos into the app and manipulate and decorate the photos in different ways, but the app does not transmit any personal information (photos or otherwise) from the child’s device.
One-time Contact rule
A child-directed website that has an “Ask the Author” corner where children can email questions. As long as you answer the child’s question, delete their email address and do not store the child’s personal information in any form, this falls into the rule’s “one-time contact” exception and you and do not need to obtain parental consent.
School educational tools
Many school districts contract with third-party website operators to offer online programs solely for the benefit of their students and for the school system, for example, homework help lines or web-based testing services.
Where a school has contracted with an operator to collect personal information from students for the use and benefit of the school, and for no other commercial purpose, the operator is not required to obtain consent directly from parents. Under new COPPA rules, the school’s authorization for the collection of students’ personal information is based upon the school having obtained the parents’ consent.
It’s still a very challenging compliance environment. How are you faring?