COPPA compliance is a necessity for any online service provider that collects information from children under 13. The FTC takes the position that the service provider is even responsible for making sure third parties collecting data through the platform are also compliant, with one exemption: where those third parties provide “support for internal operations.” Let’s take a look at what precisely this means.
Most online service providers use third-party vendors for services such as analytics and server operations. It just makes financial sense. From a COPPA perspective, the use of such third parties raises a rather fundamental question. Must the provider of a site or app directed at children under 13 disclose such third parties to parents and get consent to share information with those parties?
Google Analytics is the foremost free analytics program on the web, so let’s use it as our example. If you run a website directed at children under 13 and use Google Analytics to analyze traffic, what are the COPPA implications? The answer is found, oddly, not in the COPPA text, but in the definitions detailed in the revised COPPA Rule.
16 CFR 312.2 details the definitions used in the COPPA Rule. The relevant entry reads:
“Disclosure” means, with respect to personal information:
(a) The release of personal information collected from a child in identifiable form by an operator for any purpose, except where an operator provides such information to a person who provides support for the internal operations of the website or online service and who does not disclose or use that information for any other purpose. For purposes of this definition:
(1) Release of personal information means the sharing, selling, renting, or any other means of providing personal information to any third party, and
(2) Support for the internal operations of the website or online service means those activities necessary to maintain the technical functioning of the website or online service…
Based on this definition, it is clear that disclosures to parents about the use of a critical third-party infrastructure provider, such as a stand-alone hosting company, are not necessary under the COPPA Rule. Can the same be said for Google Analytics?
At first glance, third-party analytics programs appear to be a problem area. Do analytics programs provide “support for the internal operations,” particularly where subsection (2) of the definition focusses on “those activities necessary to maintain the technical functioning of the website or online service…”?
While analytics programs provide valuable information, such programs can hardly be said to be necessary for the technical functioning of a website. I use Google Analytics on this site. The site will still function without any noticeable difference if I remove it, and I can also look directly at my server logs to view the traffic information for the website.
Google, do we have a problem?
FTC To The Rescue
In an interesting interpretation, the FTC takes the following position:
Where you, a service provider, or a third party collects persistent identifier information from users of your child-directed site to perform analytics encompassed by the Rule’s “support for internal operations” definition, and the information is not used for any other purposes not covered by the support for internal operations definition, then you can rely upon the Rule’s exemption from parental consent.
The FTC can be a bit hostile to businesses, but this broad interpretation of the “internal operations” definition is very business-friendly. Whether it is the correct interpretation is another matter, but no online service provider is going to object to the FTC position given the escape from potential COPPA penalties.
COPPA Internal Operations Exemption
Cutting to the chase, does an online property directed at children under 13 need to worry about COPPA compliance for third parties it uses to support the internal operations of the website or app? The answer is no, so long as those third parties fall within the “internal operations” definition.