If you’re an app or website owner whose service is knowingly collecting, using, or disclosing personal information from children under 13, then there are some special regulations that you are legally required to follow under the vast majority of legislations. “Personal information” within this context refers to the child’s name, location, any contact information, identification information (eg. social security number), device identifiers, IP address, photo, video or audio containing the child’s image or voice.
While this guide will separate US and EU law for your convenience, it should be noted that both cases the regulatory bodies have made it clear that the requirements of these laws will apply as long as you have or target users located in the region that these regulations are from. This means that it doesn’t matter if your business or servers are located in the region or not, the laws will still apply to you.
Children’s Online Privacy Protection Act (COPPA) is a United States federal law which was put in place to better protect the personal data and rights of children under 13 years of age. Under COPPA, operators of websites or online services that are either directed to children under 13, or which have actual knowledge that they are collecting personal information from children under 13 must give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information and must keep secure the information they collect from children.
“Verifiable” here means using a method of attaining consent that is not easily faked by a child and that is demonstrably likely to be given by an adult (eg. control questions). Even after consenting, parents must also have the option to disallow disclosure to third parties if so desired, unless such disclosures are part of the service (for example, social networking).
Under EU GDPR regulations, consent is one of the Lawful Reasons for processing the data of children. If using this basis for processing the data of children under 13, you must get verifiable consent from a parent or guardian unless the service you offer is a preventative or counseling service. You must make reasonable efforts (using available technology) to verify that the person giving consent actually holds parental responsibility for the child.
If using another lawful reason as the basis for processing a child’s data, you must consider factors such as the child’s competence to understand and agree to the processing, and the interests and fundamental rights of the child. Furthermore, if you target children over the age of 13, you must write clear and age-appropriate privacy notices for them so that they understand what they’re consenting to.
The right to erasure is particularly relevant in cases where a person gave consent to processing when they were a child. When processing the data of children, the law requires that you take appropriate measures to ensure that their data is safeguarded.
Failure to comply with the COPPA regulations can result in heavy fines.
In one case the owners of the Xanga website were fined US$1 million in 2006 for COPPA violations of repeatedly allowing children under 13 to sign up for the service without getting their parent’s consent.
Similarly, failure to comply with EU GDPR regulations can result in fines of up to EUR 20 million (€20m) or 4% annual worldwide turnover (whichever is greater).
Describe the types of personal information processed online from children, the purpose and the way it’s handled.
List all operators processing personal information. Name each third party operator involved in the processing including social plugins, widgets, and ad networks.
Describe parental rights in relation to their child’s data and the procedures to follow to exercise these rights.
Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children.
Provide parents access to their child’s personal information to review and/or have the information deleted.
Give parents the opportunity to withdraw consent and prevent further processing of a child’s personal information.
Maintain the confidentiality, security, and integrity of data collected from children. This includes taking reasonable steps to ensure that such data is only released to third-parties capable of maintaining its confidentiality and security.
Ensure that you keep personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected. When no longer necessary, be sure to delete the information using secure measures to protect against its unauthorized access or use.
Do not make a child’s ability to access an online activity dependent on the child providing more information than what is reasonably necessary for the activity.
The process is straightforward and intuitive, simply click to add your services > fill out your web/app owner and contact details > embed.
Congratulations! Your policy has been created. Simply check that all the details are correct, then: