Legal landscape

Disclaimer: We’re not your lawyers, and the info presented here is not legal advice. We provide it for informational purposes, and suggest that you seek advice in your jurisdiction for further information relating to children’s privacy laws.

COPPA and GDPR-K overview

The USA’s Children’s Online Privacy Protection Act (COPPA) and certain provisions of the EU and UK’s General Data Protection Regulation (GDPR-K) were created to protect kids’ privacy online. Both laws have an extraterritorial scope, which means they are enforceable against companies based anywhere in the world that have users in the USA, EU or UK respectively.

What are the requirements of COPPA? 

COPPA is a US federal law enforced by the Federal Trade Commission (FTC) that regulates the online collection and use of personal information from children under the age of 13. It imposes certain requirements on online operators who direct their websites, apps, or online services to children under the age of 13 and requires them to obtain verifiable consent from the children’s parents before collecting, using, or disclosing children’s information (subject to certain limited exceptions). Both the FTC and US state attorneys general can bring COPPA enforcement actions, which allow for civil penalties of up to $40,654 per violation (e.g. a single user). Fines in recent years have ranged from $100,000 to $170,000,000.

To learn more about COPPA, you may consult the FTC’s COPPA FAQs page.

As of the date of publication of this note, COPPA is being reviewed by the FTC to determine whether the rule should be updated to reflect changes in the industry.

What are the requirements of GDPR-K? 

The GDPR is an EU and UK regulation on data protection and privacy. It is administered by the data protection authority of the UK and of each EU member state. GDPR-K refers to the special protections within the GDPR for children’s data. Under GDPR-K, when online operators rely on consent as the basis for processing a child’s data, they must obtain this consent from a parent and make reasonable efforts to verify that parent. The GDPR sets the age of digital consent at 16, but individual member states may lower this as far as 13. The UK has in fact lowered the age of consent to 13. Under the GDPR, organisations can be fined up to 4% of annual global turnover or €20 million (whichever is greater) for violations.

Public relations damages

The financial repercussions from an enforcement action can be burdensome; however, the greatest impact to a company’s bottom line is often the negative PR and reputational damage that follows these lawsuits, which can result in loss of consumer trust and loss of future revenue.

Advertising standards (CAP & CARU)

SuperAwesome requires that ad content that runs through our platform is compliant with applicable laws. This includes self-regulatory guidance issued by bodies such as the Children’s Advertising Review Unit (CARU) for US-directed content and the Committee of Advertising Practice (CAP) Code for UK-directed content.

More information

If you wish to learn more about the kids’ digital landscape and what it means for you as a kids’ publisher, sign up for SuperAwesome’s KidAware learning modules or keep an eye on our #ResourceHub.

Updated on 29/06/2021
