Paubox blog: HIPAA compliant email made easy

The intersection between COPPA and HIPAA

Written by Kirsten Peremore | September 22, 2023

COPPA aims to give parents control over what information websites and online services can collect from their children. It ensures that children's personal information is handled with care and privacy protections.


What is COPPA?

COPPA, the Children's Online Privacy Protection Act, is a federal law established in 1998 to protect the privacy of children under the age of 13 while they are online. The law applies to operators of websites and online services and requires them to obtain verifiable parental consent before collecting personal information from children. The Federal Trade Commission (FTC) oversees and enforces COPPA, taking action against non-compliant operators.


FTC and COPPA regulation

On May 19, 2022, the Federal Trade Commission (FTC) took significant actions related to both COPPA and its Endorsement Guides. Regarding COPPA, the FTC released a new policy statement emphasizing its intention to prioritize enforcement of COPPA's substantive provisions, with a particular focus on EdTech providers. The agency will scrutinize companies that collect, use, and retain children's personal data to ensure they adhere to the law's requirements.

The proposed amendments to the Endorsement Guides by the FTC have several notable takeaways. First, the amendments serve as a warning to social media platforms that some of the tools they offer to help endorsers disclose material connections may be insufficient, potentially exposing both platforms and endorsers to liability.

The amendments further clarify that fake reviews are explicitly prohibited under the Endorsement Guides, along with practices that distort consumer reviews, such as review suppression. The proposed changes stipulate that tags in social media posts can be considered "endorsements," and even virtual influencers, which are computer-generated fictional characters, can be regarded as "endorsers" under the guides.

See also: Stephen Kaplan: Paubox Zoom social mixer (July 2023)


Intersection between COPPA and HIPAA

HIPAA and COPPA compliance are both necessary when a website or online service handles protected health information (PHI) as well as the personal information of children under 13. This scenario may arise with healthcare platforms or educational websites that provide health-related content or services tailored to children.

For instance, consider a health and wellness platform designed for children that offers interactive tools for tracking exercise, dietary habits, and mental health. The platform may require users, including children under 13, to input personal health-related data, which would be considered PHI under HIPAA. The platform may also collect personal information from children, such as names and ages, which falls under COPPA's purview.

In this scenario, the website or online service would need to comply with HIPAA and COPPA requirements simultaneously, ensuring the protection of both PHI and children's personal information. Compliance would involve:

  • Obtaining verifiable parental consent for data collection from children
  • Implementing data security measures for both types of information
  • Adhering to the "minimum necessary" principle for PHI under HIPAA
  • Ensuring appropriate use limitations for both data types

See also: How to separate work and personal data when using your own devices


COPPA requirements

  1. Verifiable parental consent: Before collecting personal information from children, operators must obtain verifiable parental consent. This consent is necessary to ensure that parents are aware of the data collection and have the opportunity to control the information shared by their children.
  2. Notice of information practices: Operators must provide clear and comprehensive notice to parents about their data collection, use, and disclosure practices concerning children's personal information. The notice must include the types of information collected, how it will be used, and any third parties who may have access to the information.
  3. Limited collection of information: Operators can only collect the minimum necessary personal information to enable a child's participation in the online activity. They must avoid collecting excessive or unnecessary data beyond what is needed for the intended purpose.
  4. Parental access and control: Parents have the right to review, delete, and refuse further use or collection of their child's personal information. Operators must provide a reasonable means for parents to access and control the information collected from their children.
  5. Data security: Operators must implement reasonable data security practices to safeguard the confidentiality, integrity, and security of children's personal information. Measures must be in place to prevent unauthorized access and data breaches.
  6. Prohibition of conditioned participation: Operators cannot condition a child's participation in an online activity on the disclosure of more personal information than is reasonably necessary for that activity.

See also: HIPAA Compliant Email: The Definitive Guide