About COPPA and GDPR-K
The USA’s Children’s Online Privacy Protection Act (COPPA) and certain provisions of the EU’s General Data Protection Regulation (GDPR-K) were created to protect the privacy of kids online. Both laws have an extraterritorial scope, which means they are enforceable against companies based anywhere in the world that have users in the USA or EU, respectively.
COPPA is administered by the USA Federal Trade Commission (FTC). It defines ‘children’ as users of any digital service who are below the age of 13.
The GDPR is law across the EU and has been in force since May 25, 2018. It is administered by each EU member state’s data protection authority (DPA). It defines ‘children’ as under 16; however, members states can choose to set an age threshold as low as 13. The GDPR requires companies to ensure they have a lawful basis for processing personal data.
GDPR-K has been implemented in the UK via the Data Protection Act 2018.
Do COPPA and/or GDPR-K apply to your app or website?
COPPA applies to commercial websites and online services (including mobile apps, talking toys, and virtual assistants) directed to children under 13 that collect, use, or disclose personal information, including persistent identifiers (e.g. cookies, IP addresses, device identifiers), geolocation, voice recordings, images or videos of children.
Non-USA based websites and online services must comply with COPPA if they are directed to children in the USA, or if they knowingly collect personal information from children in the USA. Likewise, USA based sites and services that collect information from children outside the USA are also subject to COPPA.
Find out more about compliance with COPPA here.
GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. This means it applies to organisations located within the EU, but also to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. Find out more here.
The importance of COPPA/GDPR-K compliance
Both the Federal Trade Commission (FTC) and US state attorneys general can bring COPPA enforcement actions, levying civil penalties of up to $40,654 per violation, e.g. a single user. Fines in recent years have ranged from $100,000 to $170,000,000.
For more information about the FTC’s COPPA enforcement actions, see Case Highlights in the FTC’s Business Center.
In the US, in particular, there is a further risk of civil lawsuits for infringement of privacy which may cite COPPA, as seen in recent cases. We should also expect to see a fresh wave of personal liability actions against company officers who fail to comply with their COPPA obligations in their businesses.
Under the GDPR, organisations can be fined up to 4% of annual global turnover or €20 million (whichever is greater). It is important to note that these rules apply to both controllers and processors; this means ‘clouds’ are not exempt from GDPR enforcement. For more information, see the GDPR’s Chapter 4 – Controller and processor obligations.
GDPR-K in light of BREXIT
At the time of writing, when the UK leaves the European Union it will become a ‘third country’ under GDPR in the absence of an ‘adequacy decision’ in its favour from the European Commission. This means that EU controllers in charge of personal data are likely to face some challenges when transferring that data to the UK as a matter of law. It is expected that the UK government will still seek to apply GDPR to UK companies. Find out more here.