FTC Reviews Their Guidelines for COPPA Compliance
In previous blog posts about the Children’s Online Privacy Protection Act (COPPA), we have presented it as the FTC’s most comprehensive data privacy regulation to date. However, when it was passed in 1998, the internet was nowhere near as expansive as it is now. COPPA falls short when it comes to encompassing the sheer scope of what the term “personal data” covers today. Because of this, the FTC periodically reviews and updates sections of COPPA, to keep up with use and abuse of data in the digital era. On July 22, 2020 the FTC issued revisions to their FAQ guidelines on how to remain COPPA compliant.
What About the FTC’s COPPA Guidelines Have Changed?
Not much. However, the new FAQ does clarify certain grey areas that existed in the COPPA guidelines. It’s especially helpful in clarifying and reaffirming certain approaches to COPPA that already exist. Moreover, the FAQ encourages websites and companies to continue with their current compliance efforts.
Read below for some useful core takeaways from the COPPA guidelines FAQ.
Not all sites that have child users are “mixed audience.”
In the past, there has been some confusion with regard to COPPA’s definition of a “mixed audience.” That is, an audience comprised of both children younger than 13, and teenagers and adults who fall outside of COPPA’s purview. Does any website with content that appeals to users 13 and younger have to comply with COPPA by default, even if that content is not strictly meant for children?
For example, in January 2020 YouTube decided to be overly cautious and flag any video with content seemingly directed at children. Those videos were then subject to restrictions on data collection as specified by COPPA. Interestingly, it seemed to be a move on YouTube’s part to shift responsibility onto content creators for abiding by COPPA. However, the FTC’s new clarifications state that only services that specifically target children will be subject to COPPA.
Neutral Age Screens to Weed Out Underage Users
One way mixed-audience website operators have attempted to stay on the right side of COPPA has been age screens. In the past, they have asked users to enter their age, or fill out a math problem to prove they are old enough to enter the site. They have used these tactics as a loophole for avoiding COPPA compliance.
However, the FTC’s new compliance guidelines point out that these methods of verifying a user’s age don’t quite cut it. For example, there is no way of stopping an underage user from putting in fake birth details. Essentially, the onus should not be on the underage user to protect themselves from age-inappropriate data collection methods. The FAQ also recommends:
“using technical means, such as a cookie, to prevent children from back-buttoning to enter a different age.”
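An added example (not from the FTC FAQ or from OpenBack) of the cookie technique quoted above: the first age answer is stored in an HMAC-signed cookie, so going back and entering a different age does not change the outcome. The cookie name, the secret and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import date

SECRET = b"constructed-demo-key"  # assumption: placeholder for a server-side secret
COOKIE = "age_gate"               # hypothetical cookie name
MIN_AGE = 13                      # COPPA covers children younger than 13


def _mac(value: str) -> str:
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()


def sign(value: str) -> str:
    """Return 'value.mac' so the client cannot edit the stored answer."""
    return f"{value}.{_mac(value)}"


def verify(cookie: str):
    """Return the stored answer, or None if the cookie is absent or tampered."""
    value, _, mac = cookie.rpartition(".")
    if value and hmac.compare_digest(mac, _mac(value)):
        return value
    return None


def age_on(birth: date, today: date) -> int:
    """Whole years between birth and today."""
    had_birthday = (today.month, today.day) >= (birth.month, birth.day)
    return today.year - birth.year - (0 if had_birthday else 1)


def handle_age_screen(cookies: dict, birth: date, today: date):
    """Process one age-screen submission.

    Returns (decision, cookies_to_set). A valid earlier answer always wins,
    so a resubmitted birth date is ignored.
    """
    prior = verify(cookies.get(COOKIE, ""))
    if prior == "under":
        return "restricted", {}
    if prior == "ok":
        return "full", {}
    # No valid cookie: evaluate the neutral question once and record the result.
    answer = "under" if age_on(birth, today) < MIN_AGE else "ok"
    decision = "restricted" if answer == "under" else "full"
    return decision, {COOKIE: sign(answer)}
```

A user who clears cookies or switches browsers gets a fresh screen, so this only addresses the back-button case the FAQ names.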
Even a site that prohibits underage users in its Terms of Service can still be “child-directed”
The FTC clarified in its guidelines for COPPA that just because a site forbids underage users from accessing its site, that does not count as due diligence. That site may in fact still be “child-directed,” based on its content or the services it offers. To illustrate, a YouTube channel that reviews Marvel action figures may claim to be targeting adult users only. However, the fact that their content would appeal equally to children means that they qualify as “child-directed” and consequently fall under COPPA.
Obtaining consent from a school requires direct notification
With regard to users younger than 13 years of age, COPPA requires operators to obtain consent from their parents in order to collect personal data. However, COPPA also states that, when that data is being collected for use by a school, they can obtain the school’s consent instead. (This only qualifies when data is being collected solely to benefit the school, and with no commercial purpose otherwise.)
The new FAQ clarifies this somewhat, stating that the operator must give the school a direct notification of how and what the underage users’ data will be used for. It is then at the school’s discretion as to whether they notify the parent or not.
COPPA compliance is the website/app’s responsibility
As these other points above illustrate, ensuring COPPA compliance is the responsibility of the operator or company… not the parent, school, or underage user. Simply foisting this responsibility off onto a user’s school – or prohibiting underage users in the Terms of Service – is not sufficient. And if a company continues to collect underage users’ data, that company may be culpable for failure to prevent it.
As always, the commitment to keeping child users safe in the digital space remains the responsibility of the website – or the mobile app. As such, when choosing a mobile engagement platform for your children’s app, it’s crucial that you make sure you’re treating user data in an ethical and compliant manner.
OpenBack: COPPA Compliant by Default
OpenBack’s patented push notification SDK is fully compliant by default with COPPA regulations – as well as HIPAA, CCPA, and GDPR. Our hybrid mobile platform doesn’t use push tokens to send each notification. This makes it the only fully compliant platform for sending out push notifications without parental consent. Our use of edge computing and device-side data means that no user data ever has to leave the device. As such, underage users are not at risk of being targeted by third-party marketers. Nor will they have their data otherwise exploited.
With OpenBack as your data processor, compliance with privacy regulations is easy. All you have to do is activate privacy compliance settings upon onboarding with our SDK. Then you can continue to communicate with users of your mobile app, without exposing their personal data to third parties.
For more information on how OpenBack is the best choice for optimizing the reach of your push notification campaign, get in touch with one of our experts.