Under the Children’s Online Privacy Protection Act of 1998 (COPPA), you need parental permission to receive or gather individually identifying information from anyone online under the age of 13 if you operate a site that is directed to kids or knowingly collects information from kids. Individually identifying information includes pictures.
To be clear, as a legal matter (as opposed to best practices), you are not required to get permission before taking pictures of children in a public place.
- Am I an operator?
- How do I comply with COPPA?
- How is COPPA enforced?
- Do I need additional permission to post pictures?
Am I an operator?
Under COPPA, an operator is someone who runs a website or online service and collects personal information about users and visitors to the site, e.g. address or geolocation. An operator is also someone on whose behalf personal information is collected from a website or online service that has commercial purposes or involves commerce, for instance an ad plug-in. COPPA applies to any operator with content or services directed to children, or who has actual knowledge that the website collects information from children.
While most cases have involved operator companies that sell candy or toys, the operator status also extends to entities that publish information children are likely to search for. Artist Arena, for example, ran teen celebrity fan sites and incurred a $1,000,000 fine.
How do I comply with COPPA?
Operators covered by COPPA must have reasonable procedures to protect the confidentiality, security, and integrity of information collected from children.
Operators also need verifiable parental consent in order to collect, use, or disclose any information received from children. Verifiable consent includes getting the parent’s email address, sending a direct notification to the parent, describing the information that has been and will be collected, and providing a way for the parent to give verifiable consent. This also involves enabling parents to refuse permission, obtain the information that has been collected, and require an operator to delete information.
Operators cannot disclose information to third parties unless disclosure is necessary to run the website and parents have notice that it is necessary. This will generally not include the disclosure of kids’ photographs.
How is COPPA enforced?
New Jersey has actively pursued protection of children’s online privacy. Although the bills died in committee, both the Senate and General Assembly introduced the “Adolescents’ Online Privacy Protection Act” in recent years. The state has also brought two suits against app developers for COPPA violations in the past five years. Both cases reached a settlement agreement involving compliance requirements.
The United States has brought several COPPA violation complaints against companies including Lisa Frank, Inc., American Pop Corn Company, Mrs. Fields, and Hershey Foods Corporation. A consent decree tends to resolve this type of complaint, enjoining the prohibited conduct, ordering COPPA compliance, and requiring on-demand proof of compliance for a set number of years, as well as a civil penalty.
Do I need additional permission to post pictures?
If you want to post pictures that you obtained from children under 13, you need verifiable parental permission before you can post them.
Under the Children’s Online Privacy Protection Act of 1998 (COPPA), the operator of a website or online service directed to children, or having actual knowledge that the website collects children’s information, must obtain permission for all collection and uses of personal information from children. This means you need verifiable permission to collect, and also to post, a child’s picture.
Verifiable permission entails getting the parent’s email address, sending a direct notification to the parent, describing the information that has been collected and how it will be used, as well as providing a way for the parent to give verifiable consent. You must also enable parents to refuse permission, obtain the information that has been collected, and require an operator to delete information.
Alternatively, you can blur the facial features of a child in a photo and post it without parental consent. You must ensure that you remove geolocation metadata and other persistent identifiers from the file.