Compliance with FTC COPPA Requirements: A Guide for Children's Content Creators

by Mitchol Dunham and Will Hanisch

This article will address another topic that content creators must focus on: protecting children’s privacy by complying with the Children’s Online Privacy Protection Act (COPPA).

Protecting children’s online privacy is primarily accomplished through the COPPA rule (the “Rule”). The Rule was created in response to a Congressional requirement that the FTC pass administrative rules that will help protect children online. The Rule outlines five requirements for websites and digital content creators to abide by if the creator or website is collecting any data about its users. Creators and website owners must: (1) disclose to parents the website’s data collection practices regarding children under 13; (2) provide notice to parents about those practices; (3) obtain consent from the parent to use his or her child’s data; (4) give the parent full control over his or her child’s data; and (5) not require more personal information than is reasonably necessary to allow a child to use the website. The Rule applies to a wide range of websites, from forum websites, like Reddit, to more traditional social networking sites, like YouTube, Facebook, and Twitter. It also applies to applications with an internet backend, such as Discord and mobile phone applications.

Step 1 is to determine if the channel, app or website is collecting data from users. Data is an inclusive category that includes all tangible forms of information that can be tied to an individual user. This category includes things like comments associated with a username, behavioral advertising tied to a persistent identifier, registration information for a user in a fan Discord, and so on. If a content creator is not collecting data (e.g., the creator has comments, notifications, and inbox messages turned off, the creator is not obtaining or monetizing any user-specific data like IP addresses or other computer-related identifiers, and the creator is exclusively using contextual advertising), then the content creator does not need to comply with the Rule. Otherwise, if the content creator is collecting any kind of data (which most content creators are), then he or she must move on to the next step in the analysis.

Step 2 is to determine if the content of the channel requires the creator to comply with COPPA. This article is directed to children’s content creators, which likely means that the answer to this question is yes. However, if a creator is not sure if their channel is directed at children, specifically children under the age of 13, then the creator must consider a long list of factors, including: (1) the subject matter of the content, (2) the actors used in creating the content, (3) the general fanbase of the channel, (4) whether the content involves animations or shows the actors engaging in child-oriented activities, (5) whether the channel is described as being “for kids” or “for children”, (6) the use of animated characters or other child-oriented activities and incentives, (7) the age of models, (8) the presence of child celebrities or celebrities who appeal to kids, (9) the presence of ads on the site or service that are directed to children, and (10) other reliable evidence about the age of the actual or intended audience.

If the answer to one or two of the above is “no”, that may not be enough to avoid compliance. This is a balancing test, and a content creator must be very careful in determining that their channel does not target children under the age of 13. If the channel is intentionally targeting children under the age of 13, or if the channel has knowledge that its fanbase primarily consists of children under the age of 13, compliance is mandatory.

Compliance with the Rule

If compliance with the Rule is required, the creator must meet the five requirements listed in the second paragraph of this article. To summarize, they include: (1) disclosure of practices, (2) providing direct notice, (3) consent of the parent, (4) assigning control, and (5) data minimization. A well-designed privacy policy takes care of the first requirement. This policy must include clear descriptions of who is collecting the data, what data is being collected and how it is going to be used. The key is honesty and transparency with the user. Specifically, the creator must list all individuals, including any advertising network or social network plug-in, that collect personal information on the creator’s website, platform, or app. The creator must also list all personal information that is being collected and how that information is used. Finally, the creator must disclose the rights of parents, namely, the right to data minimization, the right to review the child’s data, assignment of full control over the data to the parent, and so on.

To satisfy the direct notice requirement, the creator may collect limited data to be able to contact the parent. In this notice, the creator must tell parents: (1) that the creator has collected their online contact information for the purpose of getting their consent; (2) that the creator wants to collect personal information from their child; (3) that the parent’s consent is required for the collection, use, and disclosure of the information; (4) the specific personal information that the creator wants to collect and how it might be disclosed to others; (5) a link to the creator’s online privacy policy; (6) how the parent can give their consent; and (7) that if the parent doesn’t consent within a reasonable time, the creator will delete the parent’s online contact information from its records. This sounds like a lot (and it is), but those who find a way to comply certainly have an advantage over their competition.

To comply with the third requirement, the content creator must maintain a database linking the identifier of the child to the consent of that child’s parent. Evidence of parental consent includes: (1) a signed consent form sent back to the creator via fax, mail, or electronic scan; (2) use of a credit card, debit card, or other online payment system that provides notification of each separate transaction to the account holder; (3) a call to a toll-free number staffed by trained personnel; (4) connection to trained personnel via a video conference; (5) a copy of a form of government-issued ID that the creator checks against a database, as long as the creator deletes the identification from his or her records after verification; (6) answering a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer; or (7) verifying a picture of a driver’s license or other photo ID submitted by the parent and then comparing that photo to a second photo submitted by the parent, using facial recognition technology. Some of these methods are easier than others to achieve, and the best method depends upon the technological capabilities of the creator.

Under the fourth requirement, the creator has a continuing obligation to respond to the requests of the parent. Thus, if a parent requests: (1) a method to review the personal information collected from their child; (2) a method to revoke their consent and refuse the further use or collection of personal information from their child; or (3) to delete their child’s personal information, the content creator must comply with these requests.

Finally, requirement (5) involves minimizing and protecting the data that the creator collects. The creator must take reasonable steps to protect the confidentiality, security, and integrity of personal information collected from children. The first step in this process is analyzing what kind of data the creator collects in the first place and minimizing that collection to only the data that is necessary to provide the services of the platform. The creator must work with his or her service providers and third parties, to whom the collected data is being transferred, and obtain assurances that those third parties are capable of maintaining the confidentiality, security, and integrity of the data. The data may be retained for as long as it is reasonably necessary to accomplish the purpose for which the data was collected, and when data is no longer necessary, the creator must securely dispose of the data.

Compliance with these requirements may seem daunting or even impossible for small and large creators alike, especially given the current formats of platforms like YouTube. How will a creator provide direct notice about the data collection practices to the parent of the child in its audience? How would a creator with millions of followers create a consent form database? How would a content creator maintain safe and positive engagement with its audience while complying with the data minimization requirement? These are questions that remain to be answered, but given the value of the toy and other child product industries, one would think YouTube and similar platforms as well as software compliance firms would be seeking ways to make it happen – and fast.

Compliance Alternatives 

What if you want to avoid COPPA compliance altogether? A creator could pivot their content away from young children, but what if the creator is a pre-school education channel or other channel providing excellent, child-safe content? There are likely thousands of channels and scrupulous creators providing outstanding content to children. It seems extremely unfair and unrealistic to expect that all these creators should be forced to completely convert their content.

A more viable option could be to modify the channel’s data collection practices. To change a channel’s data collection practices, a creator must turn off behavioral advertising on all past and future videos and instead run contextual advertisements. The financial impact of this change is unknown, but when considering the potential liability from other courses of action, on balance, it might make the most business sense.

Another step to change a channel’s data collection practices is to turn off any free-form communication with the audience that can be associated with an audience member’s identifier. What does this mean in practice? Children’s content creators should turn off all comments on their videos. Children’s content creators should go a step further and disable the inbox and notification features as well.

If a creator has a Discord server, they should require authentication that all users are over the age of 13 before the user can send, receive, or read messages. This is important, and willful ignorance, such as a don’t-ask-don’t-tell policy, is not enough. Content creators must take proactive steps to avoid falling under the auspices of the Rule.

This article indicates the state of the law as of the posting date; however, the interplay between the digital content creation industry and COPPA compliance may change in the near future. There is an ongoing public comment period, open until October 23, 2019, for individuals impacted by the COPPA Rule to write to the FTC with improvements to the Rule. The FTC is also hosting a workshop on COPPA on October 6, 2019, where further guidance may be revealed. Once again, the contents of this article do not constitute legal advice and are meant to act as an invitation to facilitate a discussion about your channel’s FTC compliance strategy. If you are unsure if your channel is compliant with the FTC requirements, whether for advertisements and sponsor integrations or for children’s privacy and data collection, please reach out to the GreenRoom legal team.
