On July 22, 2020, the Federal Trade Commission (“FTC”) issued revised FAQs regarding the Children’s Online Privacy Protection Act and the FTC Rule issued thereunder (together “COPPA”). The COPPA FAQs provide practical guidance to help operators of commercial websites and online services determine if COPPA applies to them and how to comply. The FTC explained that the revisions are largely consistent with and serve to consolidate and streamline the FTC’s existing COPPA-related guidance, such as that contained in its settlements and other policy documents. Although the new FAQs generally will not require companies to change their COPPA compliance efforts, they nonetheless provide some important clarifications and affirm certain existing approaches to compliance. These updated FAQs come while the FTC is in the process of reviewing comments it solicited to the COPPA Rule at the end of 2019. The FTC has not published an updated timeframe for its response to those comments or any revisions to the Rule.
Below are some key takeaways from the updated FAQs, including a note for consideration for EdTech operators:
- Not all sites and services that have child users are “mixed audience.” Online services that target several different age groups, including children under the age of 13, are considered “mixed audience” and must comply with specific provisions of COPPA. The revised FAQs, however, clarify that only services that target children are subject to the law. Merely having some users that are under the age of 13 will not, alone, subject an operator of online services to COPPA compliance. See FAQ D.3.
- Certain types of age gates, like math problems, are inadequate. Under COPPA, operators who may be considered directed to children but do not primarily target children (i.e., are mixed audience) may age screen users to ensure the operator: (a) does not collect personal information from users who self-identify as being under the age of 13; or (b) obtains verifiable parental consent to collect such information. However, the FTC’s revised guidance confirms that asking users a math problem or other questions that children would be “unlikely to be able to answer,” alone, is an insufficient means of age screening. The FTC also explained that pre-filled dates or other types of age screens that encourage users to falsify their age would not comply with COPPA. The FTC instead reiterated the importance of a neutral age screen system, such as asking the user to manually enter their month and year of birth. See FAQ D.7 and D.8.
- A site can be “child-directed” even where it prohibits children’s use in the Terms of Service. The FTC clarified that a mere statement in the Terms of Service, prohibiting children’s use, does not render a site not child-directed. Establishing whether a site is child-directed may depend on a number of factors, including potentially the nature and presentation of the content and service and the composition of the visitors. See FAQ A.12.
- Direct notice is required where consent is obtained from a school. Under COPPA, an operator that provides online services may obtain consent for collection of students’ personal information from a school (rather than a parent) where the operator collects personal information from such students for the use and benefit of the school, and for no other commercial purpose. However, the revised FAQs clarify that in order to adequately do so, the operator must give the school the same “direct notice” of its collection and use practices with regards to children’s personal information as it would have provided to a parent. See FAQ N.1.
- COPPA compliance is the operator’s responsibility—not a school’s. The revised FAQs make clear that operators are responsible for ensuring COPPA compliance and may not delegate this responsibility, whether contractually through Terms of Service or otherwise, to a school. See FAQ N.1.
A Special Note for EdTech Companies:
EdTech companies should consider reviewing their Terms of Service in light of the above clarification and review their processes for obtaining consent directly from schools. Operators that rely on parental consent obtained by a school may want to review such approach to ensure the operator is still responsible for COPPA compliance.