COPPA at 16

June 25, 2013

By John R. Fleder

The Children’s Online Privacy Protection Act (“COPPA”) will celebrate its super, sweet 16 next year.  The FTC handles most COPPA enforcement and will no doubt mark the occasion with not-so-super or sweet enforcement.  The FTC has issued an amended COPPA rule, which will take effect on July 1, 2013.  Once the rule goes online, so will the FTC – in search of enforcement opportunities. 

Here, we provide a brief primer on COPPA and when a food, drug, or device company might be at risk of enforcement.  In general, food companies engaged in online marketing that is directed to children, or likely to appeal to children, are at the greatest risk. 

COPPA governs companies’ collection, use, or disclosure of personal information ("PI") provided by a child through a website, app, or other online program.  COPPA and the FTC’s COPPA rule, in short, seek to place a parent or legal guardian between the PI that a child might provide and the companies seeking to collect, use, or disclose PI. 

For the purposes of COPPA, the FTC has defined PI to include information such as a first and last name, telephone numbers, electronic files containing a child’s image or voice, and “persistent identifiers” that can be used to recognize a user over time and across different online programs.  According to the FTC, COPPA applies to three types of entities that might come into contact with this type of PI:

  • Operators of commercial websites or online programs (including mobile apps) that are directed to children under 13 and collect, use, or disclose PI provided by children under 13;
  • Operators of commercial websites or online programs that are directed to a general audience if the operator has “actual knowledge” that it is collecting, using, or disclosing PI provided by children under 13; and
  • Companies that have actual knowledge that they are collecting PI via another company’s website or online service that is directed to children. 

If a company is covered by COPPA, the FTC expects that it will

  • Post a clear and comprehensive privacy policy describing its practices for PI collected from children;
  • Provide a parent or legal guardian with prior “direct notice” of the collection of PI from children;
  • Obtain a parent or legal guardian’s prior “verifiable consent” for any collection (subject to some limited exceptions);
  • Provide the parent or legal guardian access to their child’s PI to review and/or delete;
  • Maintain the confidentiality, security, and integrity of PI collected from children;
  • Retain PI collected from children for only as long as is necessary to fulfill the purpose for which it was collected; and
  • Delete PI collected from children using reasonable measures to protect against unauthorized access or use.

Food companies, including those with well-known, national brands, have faced COPPA enforcement in the past over child-directed web programs promoting candy, cookies, and popcorn.  The FTC’s new round of enforcement will likely include at least one or two food companies that use websites, apps, or other online programs that collect, use, or disclose PI from children. 

Drug and device companies are probably less likely to be at risk of enforcement, given that they are less likely to employ online programs that children might use.  There have been no enforcement actions to our knowledge against a drug or device company.  Nevertheless, in developing online programs or services for children’s drug or device products, COPPA could come into play.  For example, a child-directed app intended to assist parents in training a child about proper use of a product, like an inhaler, could fall under COPPA.