FTC's Children's Privacy Enforcement Highlights COPPA Compliance Importance

Businesses across various industries must recognize the significance of complying with the Children's Online Privacy Protection Act (COPPA) in light of the Federal Trade Commission's (FTC) recent children's privacy enforcement activities.

Enacted in 2000, COPPA establishes strict guidelines that prohibit commercial websites and online services from collecting, using, or disclosing personal information of children under 13 years old without obtaining verifiable parental consent.

In a notable case, the FTC, in collaboration with the Department of Justice (DOJ), fined Microsoft $20 million for alleged COPPA violations through its Xbox video game platform. According to the agencies, between 2015 and 2020, Microsoft collected children's personal information during the account setup process without obtaining proper parental consent. Even if children did not complete the sign-up process, Microsoft retained their information for longer than necessary. Additionally, the FTC discovered that until 2019, Xbox included a pre-checked box allowing Microsoft to share children's data with advertisers.

This enforcement action against Microsoft aligns with a broader trend of increased scrutiny by the FTC regarding the collection and handling of children's data. Earlier this year, the FTC proposed a $25 million fine against Amazon, alleging that its Alexa voice assistant service retained children's voice recordings and location data despite parents' requests for deletion. The FTC has also targeted education technology providers, such as Edmodo and Chegg, for their data collection practices involving children.

Janis Kestenbaum, a partner at law firm Perkins Coie, suggests that these recent actions may signify a shift in FTC enforcement orders. The FTC is not only focused on the proper deletion of children's data but also on businesses' training and vetting of third parties involved in data processing. Compliance with COPPA requirements, including obtaining parental consent, must be consistently maintained throughout the data collection process.

Jason Williams, CEO of Kidoz, a contextual mobile advertising network that adheres to COPPA regulations, emphasizes the importance of incorporating COPPA requirements during the initial planning and design phases of a platform or company. By proactively integrating COPPA compliance into their processes, businesses can avoid costly and labor-intensive attempts to retrofit compliance measures later on.

Looking ahead, companies will face new challenges with the upcoming California Age-Appropriate Design Code Act, scheduled to take effect on July 1, 2024. This act expands online privacy protections to children under 18 years old. While transitioning from adult-oriented services to platforms that cater to both adults and children can be particularly complex, Williams views the California act as a significant step forward in safeguarding the privacy rights of children. He emphasizes that individuals under 18 should have the assurance that their online activities remain anonymous and are not commercialized.

As the FTC continues its active enforcement of COPPA, businesses must prioritize compliance efforts to effectively protect children's privacy and mitigate regulatory risks. By understanding and adhering to COPPA requirements, companies can maintain the trust of their users and avoid substantial financial penalties and reputational damage.

By fLEXI tEAM