On July 1 the amended version of the Children’s Online Privacy Protection Act goes into effect. This update of the law that’s been on the books since 1998 affects any commercial operator of any website, mobile app, or location-based service with “actual knowledge” that they have users under 13, plus any plug-in that deals with such sites. It’s going to be bad for business and bad for kids.
The burden on companies not to collect, store, or share any personally identifiable information on children under 13 is greater than ever before, and penalties approach $16,000 per child user. You don’t have to be building an app specifically for kids in order to get slammed. In February, the social network Path after identifying a total of 3,000 child users. Ninety domestic and foreign companies received warning letters from the FTC in May that they may be out of compliance with the new rules.
The definition of “personally identifiable information” is broad. It’s not only names, home and email addresses, but has been updated to include geolocation data, photo, video, or audio of a child, and even IP addresses, which pretty much every website collects by definition.
The legal requirements for obtaining parental consent are highly involved and impractical, such as a video conference or having parents sign a form, scan and email in. Keeping kids off your site is not really practical either considering how high web and mobile use is among grade schoolers these days.
There are three likely consequences to the tightening of COPPA’s screws, none of which were intended.
“Actual knowledge” means you collect your users’ date of birth. Sites that don’t ask, or that promptly bounce everyone who states they’re under 13 may be safe. Of course, this nudge-and-wink policy gets us to a reality where 45 percent of 12 year olds are in fact using sites like Facebook, even if they have to lie to do it. Their data is being recorded and sold, with no enhanced protection of anyone’s privacy.