You probably think your site is safe simply because you have posted a privacy policy in its footer. These days, that is not enough: one of the most pressing compliance issues to emerge for website operators is the Children’s Online Privacy Protection Act (COPPA), a federal law that Congress enacted in 1998 to protect the online privacy of children under the age of 13.
Since its inception, the law has grown into a more robust regulation. Within the last six years, the Federal Trade Commission (FTC)—the federal agency that enforces the act—has begun targeting app developers, website owners, digital security companies, and even third-party ad networks that violate the COPPA Rule.
What is the COPPA Rule?
The COPPA Rule sets out how website operators and app owners must protect children’s privacy and safety online. Of course, this only pertains to you if your website collects personal information from children under 13.
Under the FTC’s terms, personal information includes usernames, email addresses, street addresses, geolocations, phone numbers, photos, videos, audio files, and other persistent identifiers that could be used to identify a child.
By prompting users 13 and under to disclose information or passively tracking their information via cookies or other means, you are collecting their data according to the COPPA Rule.
What are the consequences of a COPPA violation?
Sites guilty of a violation are charged civil penalties ranging between $16,000 and $40,000 per violation. So, if your online business collected personal information from 100 children 13 and under, you could be liable for up to $1,600,000, or more.
How do you know if your site is at risk of a COPPA Rule violation?
COPPA compliance can get a bit complicated. To give you a clear picture of what compliance requires, we’ve compiled 7 case studies of Fortune 500 companies caught violating the Children’s Online Privacy Protection Act. You can learn from their mistakes and ensure your website or mobile app isn’t doing the same:
1. TinyCo
TinyCo is a San Francisco-based video game studio that creates gaming apps for children. Its most famous games include titles like Tiny Pets, Tiny Zoo, Tiny Castle, and Mermaid Resort, which are free to download and play. TinyCo markets its products to children, which it acknowledges in its privacy policy.
So why did the FTC go after TinyCo?
TinyCo offered users in-game currency and items in exchange for their email addresses. As a result, the company collected thousands of emails from its user base. Of course, the FTC saw this as bypassing parental consent, leaving TinyCo with a $300,000 civil penalty and a mandate to destroy all information collected from users 13 and under.
2. Yelp
If you think apps that typically attract an adult audience are safe from COPPA, think again. Yelp, a crowd-sourced business review and social networking site, is a prime example of an app that appeals to a vast general audience, yet it still violated the COPPA Rule.
Between 2009 and 2013, Yelp collected personal information from several thousand underage users who signed up for its mobile app. For some reason, the company included an age-screening function on its website but not its mobile app.
This inconsistency ultimately got the company in trouble with the FTC, which claimed that Yelp did not “adequately test its apps to ensure that users under the age of 13 were prohibited from registering.”
The company’s violation of the COPPA Rule required it to pay a $450,000 civil penalty. It also had to delete the information of users 13 or under, except where Yelp could prove the user was older.
3. Viacom, Mattel, JumpStart, Hasbro
New York Attorney General Eric Schneiderman targeted these companies for allowing third-party companies to track users 13 and under on their websites geared towards children. The result was a collective settlement fee of $835,000.
In 2012, the FTC amended the COPPA Rule to prohibit websites from implementing behavioral targeting techniques on users 13 and under. This type of technology, known as “passive tracking technology,” uses persistent cookies and mobile identifiers to establish users’ behavioral profiles.
Many sites allow ad networks to use passive tracking to understand their target markets better; however, under the COPPA Rule, gathering information about children without parental consent is now illegal.
4. Disney’s Playdom
The Disney-owned gaming studio Playdom produced multiplayer online games and virtual world websites for children. Between 2006 and 2010, around 400,000 kids registered to play one of the more popular titles, Pony Stars, which required users to submit their age and email address upon registering. Once signed up, users were prompted to create a player profile, which allowed them to post their full name, age, Instant Messenger ID, and location.
Here is where Playdom went wrong: they didn’t notify parents that they would be collecting their children’s data and failed to obtain parental consent. In addition, they misrepresented their privacy policy terms, which claimed that Playdom banned children 13 and under from posting personal information. As a result, Playdom paid a $3 million civil penalty, and in September 2016, Disney shuttered the gaming studio for good.
5. InMobi
InMobi, a Singapore-based mobile app advertising company, provides geo-targeted advertising by collecting user data through apps, many of which appeal to children. The FTC went after InMobi because of its duplicitous information tracking practices.
According to the FTC, InMobi collected hundreds of millions of users’ personal information, even after users denied the company permission. Consequently, InMobi was initially charged a $4 million settlement fee, which was reduced to $950,000 based on the company’s financial state. It was also required to draft a comprehensive privacy program detailing what changes it would make to its privacy practices.
6. LAI Systems, LLC & Retro Systems
LAI Systems, a children’s app-game developer, found themselves in the crosshairs of the FTC because they allowed third-party advertisers to collect tracking information from their users. By using persistent identifiers (digital data tied to a specific user), these advertisers could collect valuable personal details about users by observing the information they provided. Of course, LAI did not notify parents or gain their consent, which cost them $60,000.
Retro Systems also allowed third-party advertisers to collect personal information from their user base, mainly children. However, Retro Systems had to pay a steeper fine of $300,000 because they did not cease collecting personal information from underage users even after an advertising affiliate warned them of their COPPA Rule violation.
7. TRUSTe
This San Francisco-based technology security company helps corporations keep their software and websites updated and compliant with government law. As an organization that claims to maintain high digital security standards, it’s baffling that Attorney General Eric T. Schneiderman found TRUSTe at fault for violating the COPPA Rule.
Nevertheless, TRUSTe breached the COPPA Rule by failing to keep two primary children’s websites, Roblox and Hasbro, free of information tracking technology.
The company recently reached a settlement requiring TRUSTe to pay a $100,000 civil penalty and to take on higher security standards in the future. Interestingly, this is the first case of a privacy certification program targeted by state or federal law enforcement.
My site collects children’s information. What should I do?
If your site collects information from children, or allows a third-party ad network or plug-in to collect trackable information from underage users, you need to comply with the COPPA Rule.
Here’s a quick checklist of what you can do:
- Create a privacy policy that clearly states your information practices.
- Directly inform parents about what information you collect and how you will use it.
- Notify parents and obtain parental consent before collecting a child’s information.
Regarding internet security, you must stay up to date with current privacy standards. The digital sea is constantly shifting, and the only way to stay afloat is to ensure your site complies with federal and state privacy laws.
About the Author
Rebecca James is an IT consultant with a forward-thinking approach toward developing IT infrastructures for SMEs. She writes to engage with individuals and raise awareness of digital security, privacy, and better IT infrastructure.