In an episode of HBO's sitcom Silicon Valley, the fictitious startup Piper Chat discovered that by failing to include a "terms of service" agreement for their app, they had violated a substantial privacy regulation, and this violation carried an estimated total fine of $21 billion. Yes, billions. There are many heart-pounding moments as an entrepreneur, but being fined billions would take heart-stopping to a new level.
The law referenced on the show is Coppa, the Children's Online Privacy Protection Act. Coppa was implemented to prevent predatory behavior and protect children online, and fines for failing to comply with the law were recently increased to $40k per kid privacy violation. My company, Privo, was founded to help brands navigate the privacy regulatory landscape while also helping them maintain a successful business model that safely engages with kids, their families and educators through a Coppa certification program and a family-friendly customer identity and permission management platform.
So how do you know if Coppa affects you and your business? Simply put, if you have any children engaging with your content, even if that wasn't your initial intended audience, Coppa fines could potentially be a ticking time bomb waiting to explode on your balance sheet. Here are five tips to help avoid that:
1. Know your audience:
In the world of Coppa, child-directed services come in two flavors: child-directed primary audience, which includes children ages 7-12, and child-directed mixed audience, which includes preschool audiences (young children and their parents), properties engaging 7-15 year olds, and general-audience online services that accommodate children. It's important to note that it's not OK to block kids 12 and under if your site looks and feels child-directed or has content that appeals to them.
2. Understand what constitutes personally identifiable information (PII)
PII isn't just things like name, address and email, but can include browser cookies, IP addresses, etc. depending on how you use the data. It also includes photos, videos, voice recordings, newsletter sign-up, etc. Depending on the PII you collect and/or share, you will need to obtain the appropriate level of parental consent defined under Coppa.
3. Identify the proper level of parental consent
5. Find an expert
The best way to understand how Coppa relates to what you are doing is to find an expert who can assist you and who understands your business. A good place to start is with one of the companies that the Federal Trade Commission (FTC), the enforcer of Coppa, has deemed as a safe harbor company for Coppa.
Companies used to not think about security in their design processes. Now, they can't afford not to. The same is true with privacy, especially regarding children. With more kids online with their own devices, and Europe launching the General Data Protection Regulation (GDPR) in May 2018, the laughter from the sitcom Silicon Valley may well turn into a costly grimace for businesses. A great example is the recent class action lawsuits involving Disney, Viacom, Unity, two Danish companies (Sybo and Kiloo), along with a bunch of ad companies, all accused of Coppa violations. All the more reason to get your house in order sooner rather than later.
About the Author:
Denise G. Tayloe is a veteran advocate for children's online privacy and a subject matter expert in managing identity and parental consent online. She is the co-founder and CEO of Privo, an authorized FTC-approved Coppa "Safe Harbor", and spearheaded the creation of the Minors Trust Framework (MTF), an online identity trust model that helps organizations adhere to the unique requirements around minors' access to and interaction with online information, as well as enabling more efficient and privacy-enhancing means to conduct transactions with families. Tayloe has worked directly with companies such as Mattel, PBS KIDS, A&E Networks, Toca Boca, Lego, Elf on the Shelf and NASA, to name a few. www.privo.com