In the current pandemic era, kids are spending more time online, be it for school or entertainment. Companies are therefore gearing up for increased interaction with children online or through connected devices. As children around the globe return to school, whatever that return looks like, the FTC and the International Consumer Protection Enforcement Network (ICPEN) remind us that certain rules apply when dealing with kids online.
In the U.S., the Children’s Online Privacy Protection Act (COPPA) requires parental consent to collect personal information from kids under the age of 13. There are exceptions, like getting the parent’s information in order to seek consent, or responding one time to an inquiry from a child. There are also requirements under CCPA. Countries in the EU and countries with comprehensive privacy regimes also have laws that impact collecting information from children online. Most are not as specific as COPPA, which is where ICPEN’s guidelines can be of help. Of the myriad requirements (notice, choice, etc.), we focus our first article in this series on one that is often forgotten: the need to get parental consent.
To help companies in this virtual world, the FTC recently published a “decluttered” version of its COPPA FAQs. ICPEN similarly recently released a set of online marketing best practices. While the FTC FAQs remain the same in substance, they are now more user-friendly and streamlined. This is timely as companies gear up for increased interaction with children in an online environment. As noted, one thing that companies often forget is that if collecting information online from a child, COPPA requires prior parental consent. ICPEN similarly recommends obtaining parental consent. (Principle 3, no. 38). In this back to school series, we will look at situations where consent might not be required including potential exceptions of situations where the law does not apply.
But first, what does parental consent look like? It will require specific disclosures (COPPA has several, including explaining how the child’s information will be used, and ICPEN mirrors this). Consent can take many forms, including:
- Asking the parent to sign and return a consent form via mail, fax or electronic scan;
- Requiring payment for services by credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder; and
- Asking the parent to call a toll-free number or connect to trained personnel via video conference.
Putting it Into Practice: Businesses that collect personal information from a child online are required to obtain verifiable parental consent, and the FTC has tried to give some flexibility so that they can do so in ways that works for their product. When designing the approach, a good rule of thumb is that the chosen method must be reasonably calculated to ensure that the person providing consent is the child’s parent.