Should Your Company Worry About COPPA Compliance Even if it is Not Geared Toward Kids?


The Children’s Online Privacy Protection Act (COPPA) is meant to empower parents to protect their children’s online privacy. The law applies to websites, mobile apps, plug-ins and other software components, online gaming applications, online advertising networks, internet-enabled location-based services, and voice-over internet protocol services, to name just a few.

In general, COPPA is meant to prohibit online services from collecting, using, or disclosing the personal information of children under 13 years of age without their parents’ approval. COPPA’s compliance requirements include, among other things, additional privacy policy disclosures, notice to parents about information being collected, and verifiable parental consent prior to information collection.

While it may be tempting for companies that do not direct their marketing to young children to disregard COPPA’s compliance requirements, a recent Federal Trade Commission action shows why that could be a mistake.

Yelp, Inc. (NYSE: YELP) operates an online and mobile local guide and business review service. Yelp offers various features that either require or allow the collection of a user’s personal information, including his or her name, address, geolocation information, Mobile Device ID, photos, and more.

To be clear, Yelp’s online and mobile services are not directed towards young children. However, the company still found itself on the business end of an FTC complaint alleging that it had violated the requirements of COPPA. That is because COPPA also covers services directed towards a general audience when the company has actual knowledge that it is collecting, using, or disclosing personal information from children under the age of 13.

In Yelp’s case, the company utilized an age-screening feature in its mobile app, asking a user to input his or her date of birth. Therefore, Yelp had actual knowledge of the age of its mobile app users. The problem? The data collection functions of the app worked the same for users ages 13 and older as it did for users younger than 13. Obviously, this design flaw (which the FTC noted should have been corrected through standard software testing procedures) resulted in Yelp having actual knowledge of the user’s age whose personal information was being collected without the required disclosures, notices and consents—i.e. a violation of COPPA.

Ultimately, Yelp consented to a settlement with the FTC that included the imposition of a $450,000 civil penalty, it agreed to delete the subject personal information, and it agreed to certain oversight and compliance reporting procedures.

While an effective COPPA compliance review must include a detailed analysis of the specific design and function of a company’s online and mobile services, it is important to first understand that any business may make itself subject to the requirements of COPPA, not just those geared toward young children. Yelp’s experience presents a great reminder for businesses with an online or mobile app presence to review their services to ensure that they are either not subject to COPPA or are in compliance with its requirements.