In an episode of HBO's sitcom Silicon Valley, the fictitious startup Piper Chat discovered that by failing to include a "terms of service" agreement for their app, they had violated a substantial privacy regulation, and this violation carried an estimated total fine of $21 billion. Yes, billions. There are many heart-pounding moments as an entrepreneur, but being fined billions would take heart-stopping to a new level.

The law referenced on the show is Coppa, the Children's Online Privacy Protection Act. Coppa was implemented to prevent predatory behavior and protect children online, and fines for failing to comply with the law were recently increased to $40k per kid privacy violation. My company, Privo, was founded to help brands navigate the privacy regulatory landscape while also helping them maintain a successful business model that safely engages with kids, their families and educators through a Coppa certification program and a family-friendly customer identity and permission management platform.

So how do you know if Coppa affects you and your business? Simply put, if you have any children engaging with your content, even if that wasn't your initial intended audience, Coppa fines could potentially be a ticking time bomb waiting to explode on your balance sheet. Here are five tips to help avoid that:

1. Know your audience:

In the world of Coppa, child-directed services come in two flavors: child-directed primary audience, which includes children ages 7-12, and child-directed mixed audience, which includes preschool audiences (young children and their parents), properties engaging 7-15 year olds, and general audience online services that accommodate children. It's important to note that it's not OK to block kids 12 and under if your site looks and feels child-directed or has content that appeals to them.

2. Understand what constitutes personally identifiable information (PII)

PII isn't just things like name, address and email, but can include browser cookies, IP addresses, etc. depending on how you use the data. It also includes photos, videos, voice recordings, newsletter sign-up, etc. Depending on the PII you collect and/or share, you will need to obtain the appropriate level of parental consent defined under Coppa.

3. Identify the proper level of parental consent

Coppa requires various levels of parental consent depending on how PII is used. The three main levels are notice & opt out, email plus, and full verifiable parental consent. Some activities won't require consent; other activities, like newsletter sign-up, sharing photos, online chat, unfiltered usernames, behavioral advertising, etc., trigger a consent requirement, which may involve parents taking affirmative action by verifying their email address and even proving they are an adult. In the notice that is sent to the parent, you must state what has already been collected from their child and what you plan on doing with it, link to your privacy policy, and provide details of the other features and activities that their child will have access to.

4. Maintain an up-to-date privacy policy

Make sure your privacy policy is written appropriately for your business ('borrowing one' from a peer isn't recommended). Over time, many businesses update features and content, but fail to update their collection and use of information sections in their privacy policies. Material changes require actions beyond just changing the date of your policy. Additional features may require getting parental consent.

5. Find an expert

The best way to understand how Coppa relates to what you are doing is to find an expert who can assist you and who understands your business. A good place to start is with one of the companies that the Federal Trade Commission (FTC), the enforcer of Coppa, has deemed as a safe harbor company for Coppa.

Companies used to not think about security in their design processes. Now, they can't afford not to. The same is true with privacy, especially regarding children. With more kids online with their own devices, and Europe launching the General Data Protection Regulation (GDPR) in May 2018, the laughter from the sitcom Silicon Valley may well turn into a costly grimace for businesses. A great example is the recent class action lawsuits involving Disney, Viacom, Unity, two Danish companies (Sybo and Kiloo), along with a bunch of ad companies, all accused of Coppa violations. All the more reason to get your house in order sooner rather than later.

About the Author:

Denise G. Tayloe is a veteran advocate for children's online privacy and a subject matter expert in managing identity and parental consent online. She is the Co-founder and CEO of Privo, an authorized FTC-approved Coppa "Safe Harbor", and spearheaded the creation of the Minors Trust Framework (MTF), an online identity trust model that helps organizations adhere to the unique requirements around minors' access to and interaction with online information, as well as enabling more efficient and privacy-enhancing means to conduct transactions with families. Tayloe has worked directly with companies such as Mattel, PBS KIDS, A&E Networks, Toca Boca, Lego, Elf on the Shelf and NASA, to name a few. www.privo.com

Published on: Sep 20, 2017