The Children’s Online Privacy Protection Act (COPPA) took effect on April 21, 2000, and the amended COPPA Rule took effect on July 1, 2013.
What is the Children’s Online Privacy Protection Act?
The purpose of COPPA is to give parents more control over what information is collected from children, and about children, under the age of 13.
COPPA applies to organizations that offer online services, including websites, apps and IoT devices (such as smart toys), which collect, use, or disclose personal information from (or about) children.
What Constitutes “Personal Information”?
Although the definition of “personal information” varies between data privacy regulations, the differences are usually subtle. Names, addresses, telephone numbers and Social Security numbers, for example, count as personal information under every such law. The definition is often expanded, however, to suit the industry or user group to which the regulation applies. Under COPPA, the following also count as “personal information”:
- A screen or user name that functions as online contact information;
- A persistent identifier that can be used to recognize a user over time and across different websites or online services;
- A photograph, video, or audio file, where such file contains a child’s image or voice;
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.
How is COPPA Enforced and What are the Penalties for Failing to Comply with it?
COPPA is enforced by the Federal Trade Commission (FTC). Parents and other stakeholders can report suspected COPPA violations to the FTC, either via its website or by calling its toll-free number, (877) FTC-HELP.
An organization in violation of COPPA can be subject to civil penalties of up to $43,792 per violation (the inflation-adjusted cap at the time of writing; the FTC revises it annually). The amount actually sought depends on a number of factors, including the egregiousness of the violation, the type and amount of personal information involved, how the information was used, whether it was shared with third parties, and the size of the company.
How to Comply with The Children’s Online Privacy Protection Act
Update your privacy policies & notices
If you have read this far, the chances are that your organization collects personal information from or about children under the age of 13. You will therefore need to publish a clear and comprehensive privacy notice describing how you collect, use, share and store that information, and you must obtain verifiable parental consent before collecting it.
Under COPPA, parents must be granted access to their child’s personal information. You will need a formal procedure through which parents can request access, and you must be able to fulfil such requests in a timely manner.
Discover & classify personal information
As mentioned above, organizations must give parents access to their child’s personal information so that they can review it, correct it and have it deleted. Many organizations store large amounts of unstructured data, spread across multiple locations and data centers.
That makes locating the data in a timely manner tricky, especially when the organization is not even aware that it exists. Organizations should adopt a data classification tool that automatically scans their repositories (both on-premises and in the cloud) for personal information and labels it accordingly.
Most proprietary solutions will provide a wide range of templates that are mapped to specific data privacy laws, such as the GDPR, HIPAA, CCPA, and of course, COPPA.
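To make the discovery step concrete, here is a small scanner, added as an illustration and not part of the original article or any vendor product. It checks constructed sample documents against a few of the COPPA “personal information” categories listed above (online contact information, telephone number, Social Security number, persistent identifier) and escalates a hit to a COPPA label only when the text also mentions an age under 13. The regular expressions, field names such as `device_id`, and the sample documents are all assumptions made for this example; real classification templates are far more thorough.

```python
import re

# Detection patterns for a few of the "personal information" categories named in the
# COPPA Rule. Deliberately simple illustrations (constructed for this example), not
# production-grade detectors.
PATTERNS = {
    "email (online contact information)": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "telephone number": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "social security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "persistent identifier (device/cookie id)": re.compile(
        r"\b(?:device_id|cookie_id|advertising_id)=([A-Za-z0-9-]{8,})", re.IGNORECASE),
}
# A stated age under 13 is what turns ordinary personal information into COPPA data.
AGE_HINT = re.compile(r"\bage[:=\s]+(\d{1,2})\b", re.IGNORECASE)


def classify(text):
    """Return {category: hit count} and whether the text mentions a child under 13."""
    hits = {}
    for label, pattern in PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[label] = len(found)
    under_13 = any(int(age) < 13 for age in AGE_HINT.findall(text))
    return hits, under_13


def scan_repository(documents):
    """Label each document: 'COPPA' for personal information tied to an under-13 age,
    'PII' for other personal information, 'none' when nothing matched."""
    results = {}
    for name, text in documents.items():
        hits, under_13 = classify(text)
        if hits and under_13:
            level = "COPPA"
        elif hits:
            level = "PII"
        else:
            level = "none"
        results[name] = (level, hits)
    return results


# Constructed sample "repository": file name -> contents.
SAMPLE_DOCUMENTS = {
    "support_ticket_1042.txt": (
        "Parent Jane Doe (jane.doe@example.com, 555-123-4567) asks us to delete the "
        "records for her son, age 9, whose tablet reports device_id=a1b2c3d4e5f6."
    ),
    "toy_telemetry.log": "2024-03-04T18:22:09 user=tommy age=11 cookie_id=9f8e7d6c5b4a3 event=play",
    "marketing_list.csv": "company,email\nAcme Supplies,sales@example.org",
    "release_notes.md": "Version 2.1 fixes the login bug and bumps the API version to 3.",
}

if __name__ == "__main__":
    for name, (level, hits) in scan_repository(SAMPLE_DOCUMENTS).items():
        print(f"{name}: {level} {hits}")
```

The point of the two-level label is that a marketing list full of adult email addresses is ordinary personal information, while a support ticket or telemetry line that couples an identifier with a child’s age is what the parental-access and deletion procedures must be able to find quickly.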
Minimize the amount of data you collect and store
Once you have classified your data, it is good practice to remove any data that is ROT (Redundant, Obsolete and Trivial). Naturally, if you only store the data you absolutely need, this will help to minimize the likelihood of a data breach.
Likewise, you need to ensure that you collect only the information you need and keep it no longer than necessary, which requires a comprehensive data retention policy. A data retention policy is a set of rules, often maintained as a spreadsheet, that records how long each type of information should be retained and how it should be disposed of when no longer required.
When the retention period for a specific piece of information has expired, you will need to either securely/thoroughly dispose of the data or anonymize it.
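The retention schedule and the expire-then-delete-or-anonymize rule above translate directly into code. The following is an added example, not from the original article: a constructed schedule keyed by data type, a function that partitions records into kept, deleted and anonymized sets, and a fail-closed default so that a record whose type is missing from the schedule is treated as expired rather than kept forever. The data types, retention periods, field names and sample records are all assumptions for illustration.

```python
from datetime import date

# Retention schedule: data type -> (retention period in days, disposal action).
# Constructed for this example; real periods come from your own policy.
RETENTION_POLICY = {
    "parental_consent_record": (365 * 3, "delete"),
    "child_account_profile":   (365, "delete"),
    "gameplay_telemetry":      (90, "anonymize"),
}

# Fields that identify a child directly, or link back to a row that does.
DIRECT_IDENTIFIERS = {"record_id", "child_id", "name", "email", "device_id"}


def anonymize(record):
    """Keep only non-identifying fields (e.g. for aggregate statistics)."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def apply_retention(records, today, policy=RETENTION_POLICY):
    """Partition records into (kept records, deleted record ids, anonymized copies).
    A data type missing from the policy is treated as already expired and deleted,
    so an unclassified record cannot linger indefinitely."""
    kept, deleted, anonymized = [], [], []
    for record in records:
        days, action = policy.get(record["data_type"], (0, "delete"))
        age_days = (today - record["collected_on"]).days
        if age_days <= days:
            kept.append(record)
        elif action == "anonymize":
            anonymized.append(anonymize(record))
        else:
            deleted.append(record["record_id"])
    return kept, deleted, anonymized


# Constructed sample records, evaluated as of a fixed date so the result is stable.
AS_OF = date(2024, 6, 1)
SAMPLE_RECORDS = [
    {"record_id": "r1", "data_type": "parental_consent_record", "collected_on": date(2022, 1, 15),
     "child_id": "c-77", "email": "parent@example.com"},
    {"record_id": "r2", "data_type": "child_account_profile", "collected_on": date(2023, 3, 1),
     "child_id": "c-77", "name": "Tommy"},
    {"record_id": "r3", "data_type": "gameplay_telemetry", "collected_on": date(2024, 4, 20),
     "child_id": "c-77", "device_id": "dev-9f8e", "level_reached": 6, "session_minutes": 15},
    {"record_id": "r4", "data_type": "gameplay_telemetry", "collected_on": date(2024, 1, 10),
     "child_id": "c-77", "device_id": "dev-9f8e", "level_reached": 4, "session_minutes": 23},
    {"record_id": "r5", "data_type": "unknown_export", "collected_on": date(2024, 5, 30),
     "child_id": "c-77"},
]

if __name__ == "__main__":
    kept, deleted, anonymized = apply_retention(SAMPLE_RECORDS, AS_OF)
    print("kept:", [r["record_id"] for r in kept])
    print("deleted:", deleted)
    print("anonymized:", anonymized)
```

Note that the anonymized copy drops the row key as well as the obvious identifiers; a record id that still maps back to the original child is pseudonymized, not anonymized, and would remain personal information.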
Enforce “least privilege” access
Access to a child’s personal information must only be granted to those who legitimately need access to it. You will need an access control policy that describes the procedures for granting and revoking access to personal information.
It’s also worth noting that, under COPPA, parents have the right to prohibit organizations from disclosing their child’s personal information to third parties. A common approach for quickly granting and revoking access for third parties (and other users) is role-based access control (RBAC), whereby access rights are assigned to groups (or roles) and members are assigned to those groups.
For example, you could set up a group called “Business Associates” with its own set of access rights. Adding and removing members of this group is significantly easier and less error-prone than assigning specific rights to specific users, at the cost of some granularity.
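The following added example (not from the original article) shows the two ideas above working together: an RBAC check in which permissions hang off roles and users are simply group members, plus a per-child flag recording a parent’s refusal of third-party disclosure, which the check enforces whenever the requesting user holds a third-party role. Role names, users, child ids and the permission sets are constructed for illustration.

```python
# Role -> permitted actions on a child's record (constructed example policy).
ROLE_PERMISSIONS = {
    "parent_support":      {"read", "update", "delete"},
    "data_protection":     {"read", "delete"},
    "business_associates": {"read"},   # third parties get read access at most
}
# Roles whose members are outside the organization; access by them is a disclosure.
THIRD_PARTY_ROLES = {"business_associates"}

# User -> group memberships (constructed).
USER_ROLES = {
    "alice":          {"parent_support"},
    "bob":            {"data_protection"},
    "acme-analytics": {"business_associates"},
    "mallory":        set(),
}

# Per-child flag set by the parent: the COPPA right to refuse third-party disclosure.
CHILD_RECORDS = {
    "c-1001": {"disclosure_to_third_parties": True},
    "c-1002": {"disclosure_to_third_parties": False},
}


def is_authorized(user, action, child_id, user_roles=USER_ROLES, child_records=CHILD_RECORDS):
    """Allow the action if some role of the user permits it and, for a third-party
    role, the parent has not prohibited disclosure. Unknown subjects are denied."""
    if child_id not in child_records:
        return False
    disclosure_ok = child_records[child_id]["disclosure_to_third_parties"]
    for role in user_roles.get(user, set()):
        if action not in ROLE_PERMISSIONS.get(role, set()):
            continue
        if role in THIRD_PARTY_ROLES and not disclosure_ok:
            continue   # parent opted out: this role cannot be used for this child
        return True
    return False


def grant_role(user, role, user_roles=USER_ROLES):
    """Add a user to a group; rights follow from membership, not per-user ACLs."""
    user_roles.setdefault(user, set()).add(role)


def revoke_role(user, role, user_roles=USER_ROLES):
    """Remove a user from a group; every right that came with it disappears at once."""
    user_roles.get(user, set()).discard(role)


if __name__ == "__main__":
    for who, act, child in [("alice", "read", "c-1001"), ("acme-analytics", "read", "c-1001"),
                            ("acme-analytics", "read", "c-1002"), ("mallory", "read", "c-1001")]:
        print(who, act, child, "->", "allow" if is_authorized(who, act, child) else "deny")
```

The disclosure check is evaluated per role rather than per user so that an internal employee who is also, for some reason, a member of the third-party group is not wrongly blocked on their internal role; in practice such a dual membership is itself worth flagging during access reviews.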
Conduct a third-party risk assessment
You must take reasonable steps to ensure that the third parties you share personal information with can maintain the confidentiality, security and integrity of the data. Have them sign an agreement committing them to the COPPA requirements that apply to them, and periodically review the security controls they have in place to confirm that those controls are still adequate.
Monitor access to personal information
Although not an explicit COPPA requirement, if you do not have visibility into who accesses your data, you will find it hard to demonstrate compliance to the FTC.
Most Data Security Platforms can aggregate and correlate event data from multiple repositories and display a summary of this information via a centralized dashboard. From there, you can simply select the relevant regulation (in this case COPPA) and generate a customized report at the click of a button.
These reports can be used as evidence to show that you know when a child’s personal information has been accessed, shared, moved, modified or removed, and by whom.
A real-time auditing solution will also help to identify anomalous user behaviour, based either on a single event or on a pre-defined threshold condition. If, for example, a child’s information is accessed outside of office hours, an alert is sent to the administrator, who can follow up to confirm that the data was accessed for a legitimate reason.
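To show what those two kinds of rule look like in practice, here is an added example that is not part of the original article or of any product mentioned in it. It runs two detections over constructed audit lines: a single-event rule (any access to a child record outside office hours) and a threshold rule (one user reading a set number of distinct child records within a short window). The log format, the office-hours range, the threshold values and the user and record names are all assumptions for this example, and the lines are assumed to arrive in timestamp order.

```python
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_HOURS = (9, 18)               # single-event rule: access outside 09:00-17:59 local time
BULK_THRESHOLD = 3                   # threshold rule: this many distinct child records...
BULK_WINDOW = timedelta(minutes=10)  # ...read by one user inside this window


def parse_event(line):
    """Parse one audit line of the constructed form
    '<ISO timestamp> user=<name> action=<verb> subject=<child record id>'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "user": kv["user"],
            "action": kv["action"], "subject": kv["subject"]}


def detect(lines):
    """Return alerts as tuples (rule, user, detail, timestamp). Lines must be in time order."""
    alerts = []
    recent = defaultdict(list)       # user -> [(ts, subject)] still inside the window
    for event in (parse_event(line) for line in lines if line.strip()):
        ts, user, subject = event["ts"], event["user"], event["subject"]
        # Single-event rule: fires on every out-of-hours access.
        if not OFFICE_HOURS[0] <= ts.hour < OFFICE_HOURS[1]:
            alerts.append(("after_hours_access", user, subject, ts))
        # Threshold rule: sliding window of distinct subjects per user.
        window = recent[user]
        window.append((ts, subject))
        window[:] = [(t, s) for t, s in window if t > ts - BULK_WINDOW]
        distinct = {s for _, s in window}
        if len(distinct) >= BULK_THRESHOLD:
            alerts.append(("bulk_access", user, len(distinct), ts))
            window.clear()           # one alert per burst, not one per further record
    return alerts


# Constructed sample audit log (not real data).
SAMPLE_LOG = """\
2024-03-04T10:02:11 user=alice action=read subject=c-1001
2024-03-04T10:03:40 user=alice action=update subject=c-1001
2024-03-04T23:15:02 user=bob action=read subject=c-1002
2024-03-05T09:00:05 user=carol action=read subject=c-2001
2024-03-05T09:01:10 user=carol action=read subject=c-2002
2024-03-05T09:02:30 user=carol action=read subject=c-2003
2024-03-05T09:30:00 user=carol action=read subject=c-2004
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Alice’s repeated work on a single record produces nothing, Bob’s 23:15 read trips the after-hours rule, and Carol’s three different children inside three minutes trips the threshold rule once; her later read at 09:30 falls outside the window and is not flagged. Tuning the window and count to your own access patterns is what separates a useful alert from noise the administrator learns to ignore.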
If you’d like to see how the Lepide Data Security Platform can help give you more visibility over your sensitive data and help you be compliant with COPPA, schedule a demo with one of our engineers or start your free trial today.