Tech & Sourcing @ Morgan Lewis


Earlier this week, the US Federal Trade Commission (FTC) settled a complaint against the operator of an online talent search company, asserting that the talent search company’s collection and disclosure of children’s personal information violated the Children’s Online Privacy Protection Act (COPPA) by failing to obtain parental consent, failing to provide adequate notices, and failing to implement the appropriate restrictions in compliance with COPPA. Under the terms of the settlement, the company agreed to pay $235,000.

The FTC’s complaint asserted that the company collected the information of more than 100,000 children under age 13, but failed to disclose to parents or the public how that data was collected, used, or disclosed. Though the website privacy policy stated that the company would not knowingly collect personal information from children under 13, according to the FTC’s complaint, the company imposed no restrictions on users who indicated they were under the age of 13 and did not take steps to verify whether legal guardians were creating the children’s accounts. According to the complaint, much of the information collected was available on publicly visible user profiles.

Managing COPPA Compliance

As we have described in a prior LawFlash on the current COPPA rules and a prior post on this blog, entities covered by COPPA must adhere to several requirements, including the following:

  • Posting a clear and comprehensive privacy policy
  • Providing direct notice to parents and obtaining verifiable parental consent before collecting personal information from children, with limited exceptions
  • Providing parents access to their children’s personal information, as well as the right to request deletion and/or opt out of further collection or use of such information
  • Limiting the disclosure of children’s information, and taking reasonable steps to release such information only to third parties capable of maintaining its confidentiality and security
  • Retaining children’s personal information only as long as necessary to fulfill the purpose for which it was collected

The recent settlement with the FTC makes it clear that it is not enough to simply post a privacy policy and state that your service does not collect personal information of children under age 13—to comply with COPPA and avoid the risk of enforcement action by the FTC, websites and online services must take meaningful policy and procedural steps to ensure compliance. Among other resources, the FTC has provided a six-step compliance plan to assist organizations as they evaluate whether they are subject to COPPA and how they can approach adopting a compliant privacy policy and adequate procedures.