In 1998, the United States enacted the Children's Online Privacy Protection Act, better known as "COPPA." As the Internet is a worldwide medium, the question many businesses face is whether they should comply with COPPA if the company is not located in the United States.
COPPA is a federal law designed to give parents control over the collection of personal information regarding their children (under 13 years old) by online companies. If a website, app or another online property seeks to collect such information, the business must first obtain verified parental consent through a complex compliance process detailed in the law. Companies ranging from Sony to Yelp have run into conflict with the law and paid fines in the six- to seven-figure range to resolve the investigations.
While COPPA is a law of the United States, the important thing for international companies to understand is that it applies to the collection of information from children in the United States. A company located in London, for example, must still comply with the law if it targets the US market and is collecting information from children under 13. This distinction can be a significant issue for app companies, in particular, that target the lucrative US consumer market through Apple and Android app stores.
In 2014, the Chinese company responsible for an app known as BabyBus was issued a COPPA warning letter by the FTC, the government agency in the United States responsible for enforcing the law. The FTC accused BabyBus of collecting information from kids under 13 without first obtaining parental consent. The company responded by quickly investigating the claim and resolving the COPPA problems.
Many commentators pondered why a Chinese company would act so quickly, but the answer is readily apparent. The BabyBus app was sold primarily through the Apple and Android app stores in the US market. While COPPA did not apply to a Chinese company per se, the law certainly applied to Apple and Google. BabyBus risked being removed from the stores if it failed to address the COPPA issues, a result that would have seriously hampered revenues. Any company targeting the US market faces the same practical, if not legal, outcome.
On 11 May 2015, the United States Federal Trade Commission entered into an agreement to pursue COPPA enforcement actions with 27 member countries of the Global Privacy Enforcement Network ("GPEN"), an organisation that includes all EU countries. Although the initiative has not yet been fully detailed, what is clear is that the countries will be seeking cross-border enforcement actions with an emphasis on mobile apps. This initiative should act as motivation for app companies across the world to make sure they are in compliance with the relevant laws in their target market.
The FTC investigates and enforces COPPA through litigation in the United States court system. The Commission claims penalties of up to $16,000 per COPPA violation per child. For example, a social media website found to have 500 children under 13 as members in violation of COPPA will face penalties of up to $8 million ($16,000 x 500 children). The potential size of such penalties should act as motivation for any business management team to understand the law in general, as well as the company's specific COPPA compliance obligations.
The application of the laws of a particular country to the Internet has always been problematic given the global reach of the web. For companies running online properties tailored towards children under 13, it is critical that COPPA be taken into account if individuals in the United States comprise any part of the target market for the online properties.
Author: Richard A. Chapo, Esq is a COPPA lawyer with COPPALawAttorney.com
DISCLAIMER: This article should not be regarded as constituting legal advice in relation to particular circumstances. This article is merely a general comment on the relevant topic.
Published on 13th May 2015
(Last updated 28th March 2018)