FTC Issues Revised FAQs for COPPA Compliance

Published On July 30, 2020 | By Stacey Brandenburg, Liz DeYoung, Nur Lalji and Kandi Parsons | FTC & State AG, Privacy
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

On July 22, 2020, the Federal Trade Commission (“FTC”) issued revised FAQs regarding the Children’s Online Privacy Protection Act and the FTC Rule issued thereunder (together “COPPA”). The COPPA FAQs provide practical guidance to help operators of commercial websites and online services determine if COPPA applies to them and how to comply. The FTC explained that the revisions are largely consistent with and serve to consolidate and streamline the FTC’s existing COPPA-related guidance, such as that contained in its settlements and other policy documents. Although the new FAQs generally will not require companies to change their COPPA compliance efforts, they nonetheless provide some important clarifications and affirm certain existing approaches to compliance. These updated FAQs come while the FTC is in the process of reviewing comments it solicited to the COPPA Rule at the end of 2019. The FTC has not published an updated timeframe for its response to those comments or any revisions to the Rule.

Below are some key takeaways from the updated FAQs, including a note for consideration for EdTech operators:

  1. Not all sites and services that have child users are “mixed audience.” Online services that target several different age groups, including children under the age of 13, are considered “mixed audience” and must comply with specific provisions of COPPA. The revised FAQs, however, clarify that only services that target children are subject to the law. Merely having some users that are under the age of 13 will not, alone, subject an operator of online services to COPPA compliance. See FAQ D.3.

  2. Certain types of age gates, like math problems, are inadequate. Under COPPA, operators who may be considered directed to children but do not primarily target children (i.e., are mixed audience) may age screen users to ensure the operator: (a) does not collect personal information from users who self-identify as being under the age of 13; or (b) obtains verifiable parental consent to collect such information. However, the FTC’s revised guidance confirms that asking users a math problem or other questions that children would be “unlikely to be able to answer,” alone, is an insufficient means of age screening. The FTC also explained that pre-filled dates or other types of age screens that encourage users to falsify their age would not comply with COPPA. The FTC instead reiterated the importance of a neutral age screen system, such as asking the user to manually enter their month and year of birth. See FAQ D.7 and D.8.

  3. A site can be “child-directed” even where it prohibits children’s use in the Terms of Service. The FTC clarified that a mere statement in the Terms of Service, prohibiting children’s use, does not render a site not child-directed. Establishing whether a site is child-directed may depend on a number of factors, including potentially the nature and presentation of the content and service and the composition of the visitors. See FAQ A.12.

  4. Direct notice is required where consent is obtained from a school. Under COPPA, an operator that provides online services may obtain consent for collection of students’ personal information from a school (rather than a parent) where the operator collects personal information from such students for the use and benefit of the school, and for no other commercial purpose. However, the revised FAQs clarify that in order to adequately do so, the operator must give the school the same “direct notice” of its collection and use practices with regards to children’s personal information as it would have provided to a parent. See FAQ N.1.

  5. COPPA compliance is the operator’s responsibility—not a school’s. The revised FAQs make clear that operators are responsible for ensuring COPPA compliance and may not delegate this responsibility, whether contractually through Terms of Service or otherwise, to a school. See FAQ N.1.

A Special Note for EdTech Companies:

EdTech companies should consider reviewing their Terms of Service in light of the above clarification and review their processes for obtaining consent directly from schools. Operators that rely on parental consent obtained by a school may want to review such approach to ensure the operator is still responsible for COPPA compliance.  

About The Authors

Stacey advises clients on a wide range of privacy and data security issues. A veteran of the Federal Trade Commission’s Division of Privacy and Identity Protection, Stacey assists clients in responding to FTC investigations involving potential violations of Section 5 of the FTC Act, the FTC’s advertising guidelines, and the Children’s Online Privacy Protection Act (COPPA). She also helps clients respond to investigations by State Attorneys General. Stacey helps clients implement sound security and privacy practices and provides compliance training to employees. Stacey is on the faculty at American University’s Washington College of Law, where she teaches on technology and privacy-related issues.

Liz DeYoung has more than a decade of combined experience in private and government practice. Liz advises clients regarding demands for user data under ECPA, the CLOUD Act and data localization issues, engagement with law enforcement authorities (both within and outside of the United States), and other matters concerning cross-border access to data. She also provides a range of corporate governance, transactional, and commercial contracting advice to clients.

Prior to joining ZwillGen, Nur attended Georgetown University Law Center, where she served as a research assistant for the Georgetown Center on Privacy & Technology and as the Senior Legal News Editor for the Georgetown Law Technology Review. She also participated in the Law Center’s Federal Legislation Clinic, where she worked in conjunction with MIT students to develop novel privacy legislation.

Kandi counsels clients on privacy and data security issues, online and general advertising, and marketing practices, including COPPA compliance, student privacy, and the Internet of Things. Kandi advises companies on collecting, protecting, and using consumer data and helps them develop and implement comprehensive privacy and security programs. Drawing on her tenure at the FTC, Kandi assists clients in responding to FTC and state AG enforcement actions. Prior to joining ZwillGen, Kandi spent eight years in the FTC’s Division of Privacy and Identity Protection. While at the FTC, Kandi served on detail for six months to the United States Senate, Committee on Commerce, Science, and Transportation.