The Federal Trade Commission (FTC) announced last week that Yelp – the online service through which consumers can read and write reviews about local businesses – has agreed to pay $450,000 to settle the FTC’s charges that Yelp knowingly, and without verifiable parental consent (VPC), collected personal information from children under the age of 13 through its mobile app in violation of a federal law, the Children’s Online Privacy Protection Act (COPPA).
COPPA was enacted in 1998. The FTC, which is responsible for enforcing COPPA, implemented regulations in April 2000 that are known as the COPPA Rule. The FTC issued an amended COPPA Rule in December 2012, which became effective July 1, 2013.
In general, COPPA and the COPPA Rule prohibit operators of websites, mobile applications or other digital services (collectively, “digital services”) from knowingly collecting personal information from children under age 13 unless and until the digital service operator has VPC.
Under the amended COPPA Rule, COPPA has a broader scope than digital service operators may realize. COPPA applies not only to digital services that are directed to children, but also to any general-audience digital service when the operator of the digital service has “actual knowledge” that the digital service is collecting personal information from children under age 13 without VPC.
COPPA does not require operators of general-audience digital services to ask users for age or date of birth information but, under the actual knowledge test, if the digital service collects information that establishes that a user is under 13, the digital service must be COPPA compliant, which means (among other requirements) obtaining VPC before collecting personal information from the under-age-13 user.
The FTC concluded that Yelp had “actual knowledge” that it was collecting personal information from children under age 13 because the registration page on Yelp’s app asked users to enter their date of birth but did not block access to the app for users who were too young (i.e., under age 13).
Key Takeaway: If your general-audience digital service asks a user for his or her birth date, make sure that a user who is under age 13 is blocked from using the digital service. Also, to help prevent users who are too young from circumventing the block, consider one or all of the following techniques:
- Request birth date in a neutral manner, i.e., give no prompt that reveals the age of eligibility, such as “You must be age 13 or older to register.”
- Present a neutral on-screen error message when a user is under age 13, such as “Sorry, you’re not eligible,” rather than “Sorry, you are under age 13.”
- Deploy a cookie or other functionality to prevent an under-age user whose access was blocked from using the back button (or similar technique) to re-enter an old-enough birth date.
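The three techniques above combined in one server-side check, as an added example that is not part of the original article. The cookie name, lockout duration, message text and function names are assumptions chosen for illustration:

```javascript
// Added illustration: neutral age gate with a lockout marker (all names hypothetical).
const MIN_AGE = 13;
const LOCK_COOKIE = "reg_gate";            // neutral name; does not reveal the reason
const LOCK_SECONDS = 24 * 60 * 60;         // assumed lockout duration
const NEUTRAL_MSG = "Sorry, you're not eligible.";

// Age in whole years on `today`, accounting for birthdays not yet reached this year.
function ageOn(birth, today) {
  let age = today.getUTCFullYear() - birth.getUTCFullYear();
  const m = today.getUTCMonth() - birth.getUTCMonth();
  if (m < 0 || (m === 0 && today.getUTCDate() < birth.getUTCDate())) age -= 1;
  return age;
}

// Parse "YYYY-MM-DD" strictly; reject impossible dates such as 2010-02-30.
function parseBirthDate(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(s || "");
  if (!m) return null;
  const d = new Date(Date.UTC(+m[1], +m[2] - 1, +m[3]));
  return d.getUTCMonth() === +m[2] - 1 && d.getUTCDate() === +m[3] ? d : null;
}

// cookies: object of request cookies. Returns the decision plus any Set-Cookie header.
// `collect` tells the caller whether it may store anything the user submitted.
function checkAgeGate(birthDateStr, cookies, today = new Date()) {
  const blocked = { allowed: false, message: NEUTRAL_MSG, collect: false };
  // A previously blocked browser gets the same answer whatever date it now submits.
  if (cookies[LOCK_COOKIE] === "1") return { ...blocked, setCookie: null };
  const birth = parseBirthDate(birthDateStr);
  if (!birth || birth > today) {
    return { allowed: false, message: "Please enter a valid date.", collect: false, setCookie: null };
  }
  if (ageOn(birth, today) < MIN_AGE) {
    const setCookie = `${LOCK_COOKIE}=1; Max-Age=${LOCK_SECONDS}; Path=/; HttpOnly; Secure; SameSite=Lax`;
    return { ...blocked, setCookie };
  }
  return { allowed: true, message: null, collect: true, setCookie: null };
}
```

A cookie disappears when the user clears browser data, so it raises the effort needed to retry rather than guaranteeing the block.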