It is increasingly important for publishers to be aware of the legal implications of failing to comply with the Children’s Online Privacy Protection Act (COPPA). In recent years, the Federal Trade Commission (FTC) has become more assertive in addressing violations of children’s online privacy, especially for mixed audience platforms. 

But the kids’ digital privacy landscape is complex and constantly evolving; it can be challenging to understand when COPPA applies and how to be compliant. Below, we’ve rounded up some of the most frequently asked questions by publishers to help you better navigate COPPA and the kids digital landscape. 

What is the purpose of COPPA?

COPPA is a privacy law in the United States that regulates the collection of personal data from children under 13 by online services including websites, advertising, and mobile apps. The primary purpose of COPPA is to put parents in control over what personal information is collected from their children online. Under COPPA, personal information includes contact information, such as  first and last name, address, telephone number, in addition to technical identifiers, such as device ID, IP address, or geolocation.

My website or app is not child-directed. Do I need to care about COPPA?

Regardless of your intended audience, if your app or website is appealing to kids it will be considered primarily child-directed under COPPA. For example, a game that includes animated characters, child-friendly graphics, or sound effects may be considered primarily child-directed under COPPA, even if it has a large adult audience. 

When in doubt, treat your site or app as primarily child-directed to avoid being penalized. If your website or app is genuinely mixed-audience, apply an age gate or alternative method to segregate your audience so that you can protect kids in accordance with COPPA.

Am I responsible if children lie about their age on my website or app?

In short, no. COPPA does not require you to investigate the age of your users. You can rely on age screen so long as it has been designed to be neutral, i.e. it does not nudge the child to declare an age over 13. 

However, if you later obtain knowledge that a visitor to your website or app is under 13, COPPA must be enforced and you must delete any personal data that has been collected from that user. This is called ‘actual knowledge’, which is gained when a user under the age of 13 is visible on your platform (for example, posting photos or videos that indicate they are a child) or telling you his or her age directly in writing, for example in a support request.

What steps should I take if a child comments on my website or app, which is not child-directed?

Under COPPA’s one-time response exception, you may send a response to the child without obtaining parental consent. But you may not use their contact information for anything else and you must delete it and any other personal data collected after you have responded.

How can I prevent third-party plug-ins from collecting personal data on my child-directed website or app?

Most social media plug-ins, such as Facebook ‘like’ buttons, cannot be configured to stop collecting personal data. Unless you are able to obtain written confirmation from the provider, in which they acknowledge that children are an audience for your website or app and confirm that they are not collecting any personal data, you should not use these plug-ins.

Is it safe to embed YouTube videos on my child-directed website or app?

The embedded YouTube video player always collects personal data from your users, even when the “enable privacy-enhanced mode” is selected. At this time, we are not aware of any method for making the YouTube embedded video player compliant with COPPA or GDPR-K.

Can I use Google Analytics and other tools that collect data on my child-directed website or app?

Yes – but your analytics tools must be carefully configured, making sure that any user or device identifiers are used solely to support your internal operations. This must be clearly explained in your privacy policy. For other hosted services that connect to your website or app, we recommend obtaining contractual guarantees that the provider is aware your service is child-directed and that they know how to comply with the provisions of COPPA. 

For more details on how to set up Google Analytics on your child-directed website or app, check out our guide.

If I am compliant with COPPA does it mean that my website or app is safe for kids?

Compliance and safety are not one and the same. As a publisher, you have other obligations towards children, such as designing your service responsibly, moderating your content, and fostering a healthy social community.  A good set of guiding principles is the Kidtech Standard.

Are you interested in learning more about how to ensure that your app or website is safe for kids and compliant with COPPA? Our KidAware training program offers a variety of resources to help publishers stay up to date with the changing rules and regulations. Visit the link below to enroll today.