Yelp’s $450,000 settlement with the FTC in September should serve as an important reminder for all owners and operators of websites or mobile apps – even if your site is not for kids, you need to know and abide by what the Children’s Online Privacy Protection Act (COPPA), and the related COPPA Rule, requires.
So why did the FTC file a complaint against Yelp? The answer lies in the COPPA Rule’s definition of “web site or online service directed to children,” contained in 16 C.F.R. § 312.2. A website or online service can be “directed to children” based on such factors as “use of animated characters or child-oriented activities and incentives” or “presence of child celebrities or celebrities who appeal to children.” But a site can also be “directed to children” if its operator has “actual knowledge” that it is collecting personal information from users under 13, or from another online service that does so. Importantly, a site is not considered “directed to children” if it “does not collect personal information from any visitor prior to collecting age information” and “prevents the collection, use, and disclosure of personal information from visitors who identify themselves as under age 13.” (“Personal information” has a fairly expansive definition under COPPA; for a fuller discussion, see my earlier post on COPPA).
The FTC complaint alleges that Yelp knew it was collecting information from users under 13, because users were able to register through the Yelp app even when they provided birth dates indicating they were under age 13. The FTC alleges that “several thousand” such users were able to register. Once a website or online service is “directed to children” and collects information from those users, it must follow the COPPA Rule’s requirements, such as providing notice that it collects information from children on its website, providing notice to the parents of such children, and obtaining verifiable parental consent to such collection.
The lessons here are twofold: (1) COPPA is a concern for any online service that collects personal information, even if not obviously targeted at children; and (2) age verification methods should be implemented and well-tested to make sure they prevent individuals providing ages under 13 from using a site.