COPPA Compliance is Important for General Audience Websites, Too

Yelp’s $450,000 settlement with the FTC in September should serve as an important reminder for all owners and operators of websites or mobile apps – even if your site is not for kids, you need to know and abidge by what the Children’s Online Privacy Protection Act (COPPA), and the related COPPA Rule, requires.

Yelp allows registered users to write reviews of local businesses. A user can access Yelp through desktop and mobile websites, as well as apps on both iOS and Android. Once registered, a user can upload a profile picture and post photos to go along with reviews – pictures of food with restaurant reviews, for example. It is possible for users to “friend” one another, send messages, or receive notifications when a particular user posts a review. The mobile apps also utilize GPS features to give location-based search results. Yelp’s privacy policy notes that Yelp “is intended for general audiences and is not directed to children under 13.”

So why did the FTC file a complaint against Yelp? The answer lies in the COPPA Rule’s definition of “web site or online service directed to children,” contained in 16 C.F.R. § 312.2. A website or online service can be “directed to children” based on such factors as “use of animated characters or child-oriented activities and incentives” or “presence of child celebrities or celebrities who appeal to children.” But a site can also be “directed to children” if its operator has “actual knowledge” that it is collecting personal information from users under 13, or from another online service that does so. Importantly, a site is not considered “directed to children” if it “does not collect personal information from any visitor prior to collecting age information” and “prevents the collection, use, and disclosure of personal information from visitors who identify themselves as under age 13.” (“Personal information” has a fairly expansive definition under COPPA; for a fuller discussion, see my earlier post on COPPA).

The FTC complaint alleges that Yelp knew it was collecting information from users under 13, because users were able to register through the Yelp app even when they provided birth dates indicating they were under age 13. The FTC alleges that “several thousand” such users were able to register. Once a website or online service is “directed to children” and collects information from those users, it must follow the COPPA Rule’s requirements, such as providing notice that it collects information from children on its website, providing notice to the parents of such children, and obtaining verifiable parental consent to such collection.

The lessons here are twofold: (1) COPPA is a concern for any online service that collects personal information, even if not obviously targeted at children; and (2) age verification methods should be implemented and well-tested to make sure they prevent individuals providing ages under 13 from using a site.

One thought on “COPPA Compliance is Important for General Audience Websites, Too

  1. Pingback: The FTC, COPPA, and Riyo’s “Face Match to Verified Photo Identification” | Security, Privacy and the Law

Leave a Reply

Your email address will not be published. Required fields are marked *