On July 16, 2014, the Federal Trade Commission (FTC) issued guidance clarifying compliance issues relating to the Children’s Online Privacy Protection Act (COPPA). COPPA regulates the collection of personal information from children less than 13 years of age online and carries stiff penalties for online service operators who do so without “verifiable parental consent.”
In recent years, the costs and risks of COPPA compliance have soared for startups as the app and mobile economies have developed. The agency has also amended its rules dramatically by limiting the types of information that may be collected or making it harder to collect such information. This latest guidance appears to be a practical response by the agency to some concerns.
In its updated Frequently Asked Questions the agency:
- softened its position on the requirement that an actual credit card transaction must occur in order for an online service operator to rely upon collection of a credit card number as a method to obtain verifiable parental consent (FAQ H.5);
- modified the ability of operators to rely upon and use consent obtained with the help of app stores (FAQ H.10); and
- clarified that app stores are not “operators” subject to COPPA if they are simply making someone else’s child-directed app available to the public (FAQ H.16).
Reliance on Credit Card for Consent
The FTC softened its longstanding position that collection of a parent’s credit or debit card number without execution of a monetary transaction cannot constitute verifiable parental consent. Now, their stance is that it can be. The agency explains:
Although collecting a 16-digit credit or debit card number alone would not satisfy [the verifiable parental consent] standard, there may be circumstances in which collection of the card number — in conjunction with implementing other safeguards — would suffice. For example, you could supplement the request for credit card information with special questions to which only parents would know the answer and find supplemental ways to contact the parent.
Reliance on App Store Account for Consent
The prior version of the FTC FAQs advised developers of children’s apps that they could not rely solely on a parent’s app store account to serve as verifiable consent. Now, app developers CAN use a third party — such as an app store — to get parental consent on the developer’s behalf, so long as the developer confirms that the method is reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent. The agency notes:
The mere entry of an app store account number or password, without other indicia of reliability (e.g., knowledge-based authentication questions or verification of government identification), does not provide sufficient assurance that the person entering the account or password information is the parent, and not the child. You must also provide parents with a direct notice outlining your information collection practices before the parent provides his or her consent.
App Stores Not “Operators” If Only Providing Content Access
App stores or platforms that want to help app developers who operate on their platform by providing a verifiable consent mechanism for developers to use will not be held liable for COPPA violations for failing to investigate an app developer’s privacy practices. In that circumstance, a platform is not an “operator” under COPPA since it is merely offering the public access to someone else’s child-directed content. The agency cautions that platforms should be careful not to misrepresent the level of oversight they provide for a child-directed app or they could face potential liability for deceptive trade practices under Section 5 of the FTC Act.
Implications
This new guidance may make it easier for some organizations and platforms to develop products for children or that may be used by children, although it is too early to tell. Critics of the FTC have maintained for years that the practical costs of COPPA compliance have stifled innovation online for children in part because the fines and costs of missteps can be so high. COPPA penalties (up to $16,000 per violation) and the costs of defending an investigation and related fines often run into the hundreds of thousands of dollars even with a successful outcome.