Digital Business Lawyer Publishes Article by Andrew Lustigman on the FTC’s COPPA Compliance Update
Chair of Olshan’s Advertising, Marketing & Promotions practice group Andrew Lustigman published an article in Digital Business Lawyer entitled “The FTC’s COPPA Compliance Update.” The Children’s Online Privacy Protection Act (COPPA) is designed to track and regulate the online personal information of children under the age of 13, and as Mr. Lustigman makes clear, “The FTC has been aggressive in enforcing COPPA against online businesses, obtaining large penalties and issuing press releases that are widely picked up by news agencies.” Personal information can include “individually identifiable information about a child, such as first and last name, address or geolocation information, online contact information (email address, video chat identifier, IM identifier), a screen name, telephone number, social security number, persistent online identifiers that can be used to recognize a user over time and across different sites (such as cookies), and visual or audio recordings of a child’s voice or image.” Under the FTC’s Children’s Online Privacy Protection Rule, the agency has laid out a six step compliance plan for businesses subject to COPPA. “There are three key updates to the six step plan,” Mr. Lustigman explains. “First, the updated compliance plan addresses the advancing ways in which companies are collecting personal information from children. …Second, the updated compliance plan expands its definition of what technology is covered by COPPA. …Third, the FTC has updated the methods by which businesses may obtain the requisite parental consent prior to collecting personal information from their children under the age of 13.” He concludes the article by succinctly recapitulating the six step compliance plan:
Step one: Is the technology your business uses subject to COPPA?
Step two: How is your business disclosing to the FTC the personal information it collects?
Step three: Is your business properly notifying parents of its data collection practices before collecting COPPA-covered personal information, informing them of what information will be collected and how they can grant consent to collect the information?
Step four: Has your business obtained verifiable parental consent to collect, use, or disclose a child’s personal information?
Step five: Is your business honoring parental data collection rights, including providing parents with the ability to review, revoke, or delete the information collected about their children?
Step six: Does your business meet COPPA’s standards for reasonable data security, so that children’s information is securely collected, stored, and deleted?