The Federal Trade Commission (FTC) is increasing oversight and enforcement against companies processing children’s data. Dating back to Q422, the agency issued close to half a billion dollars in fines against companies for noncompliance with children’s privacy laws.

In December 2022, the FTC announced that “the action against Epic Games involves two separate record-breaking settlements. As part of a proposed federal court order, Epic will pay a $275 million monetary penalty for violating The Children’s Online Privacy Protection Act (COPPA) Rule—the largest penalty ever obtained for violating an FTC rule. Additionally, Epic will be required to adopt strong privacy default settings for children and teens, ensuring that voice and text communications are turned off by default. Under a separate proposed administrative order, Epic will pay $245 million to refund consumers for its dark patterns and billing practices.”

Organizations that collect personal information online from children under the age of 13 in the U.S. must meet the requirements of COPPA. Industries with increased regulatory spotlight include EdTech, social media, and online gaming.

Below is a checklist of key COPPA requirements to begin the compliance journey:

Key COPPA RequirementQuick Tips to Meet Requirements
Website or online service operators must:

(a) Provide notice on the website or online service of what information it collects from children, how it uses such information, and its disclosure practices for such information (§ 312.4(b);
Review the Privacy Notice and confirm all collection, use, and disclosure of children’s personal information is accurately described.
(b) Obtain verifiable parental consent prior to any collection, use, and disclosure of personal information from children (§ 312.5);Ensure Privacy Notice describes the process for collecting verifiable parental consent, and that it follows the described process.

Obtaining verifiable consent means “making any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, a parent of the child 1) receives notice of the operator’s personal information collection, use, and disclosure practices; and 2) authorizes any collection, use, and/or disclosure of personal information.”

Maintain a mechanism for parents to opt-out at any time. Opt-out should be available through the same means by which the opt-in was provided.
(c) Provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance (§ 312.6);Maintain a mechanism (such as a data inventory) that can be referenced to fulfill parent’s access and deletion requests.
(d) Not condition a child’s participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity (§ 312.7); and Implement the principle of data minimization throughout the organization’s website or online service to limit the collection of personal information to what is reasonably necessary to participate.
(e) Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children (§ 312.8). Implement security protocols throughout the organization to safeguard children’s personal information throughout the data lifecycle.

Reference industry documentation like the NIST Cybersecurity Framework to identify, assess, and manage organizational risk and enhance data security.

Consider engaging a third party to independently assess compliance.

Expert Regulatory Support

For in-depth guidance on meeting regulatory requirements in the U.S., check out U.S. Privacy Compliance Checklist: What to Know for 2023.

Additionally, the California Age-Appropriate Design Code Act (AADC) effective date is July 1, 2024, placing new obligations on companies offering online products and services that are likely to be accessed by children under the age of 18.

CrossCountry Consulting’s robust privacy and data protection team is actively involved in the industry, holds leadership roles within IAPP, and is passionate about data protection and the evolution of the field. Contact CrossCountry Consulting today with questions or to discuss how we to achieve compliance goals.