Simple answer: Don't get information from kids under 13 unless you have the parents' permission. You must also have a privacy policy.
Complex answer: How you determine if the person is under 13 and how you get the parents' permission can be done a lot of different ways. One of the most popular is doing a test charge against a credit card number, assuming kids won't have those.
Do you have a citation for that? The legislation doesn't seem to make the distinction[1]. If you can provide evidence for the 2 points you made that would be awesome. Thanks!
It's right there at the start of the law you cite in A.1.:
> It is unlawful for an operator of a website or *online service directed to children*, or any operator that has *actual knowledge that it is collecting personal information from a child*, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b) of this section.
So either:
* service directed to children (LEGO, Disney, etc.)
* actual knowledge that it is collecting information from a child (birthdate, age, etc.)
My understanding was from internal legal guidance at a previous company I consulted for, but I haven't worked on COPPA projects for a few years, so I don't know if there have been any major cases.
In any event, Path specifically asked for birthdates and then allowed children to carry on and use the service with no changes, which is a violation that should have been spotted by anyone with some understanding of COPPA.
Wait wait wait, surely putting "You cannot use this website if you are under 13" in their terms of service is enough? I know COPPA is pretty ridiculous, but if they require actual proactive enforcement of no under-13s they would literally break the internet.
I thought that there were 2 options with COPPA compliance: allow <13s to register and have an email sent to their parents IF they select that they are under 13, OR disallow under-13s through a terms of service "Do not register if you are under 13" type clause. Is that not compliant?
I'm not an expert, but I imagine there's something in there about if you know people under 13 are using your product and they shouldn't be, you have to proactively do something about it. Facebook delete accounts belonging to minors; perhaps Path weren't, and this played into it?
> wait wait wait, surely putting "You cannot use this website if you are under 13" in their terms of service is enough?
Absolutely categorically not.
A ToS clause alone has been tested and found not compliant.
For a while, when the ToS clause was tested and failed, the panic-reaction acid test was asking for a valid CC.
Over the past decade, best practice has relaxed to a gating page asking for confirmation of being over age or, for the more cautious, asking the user to explicitly provide their birth year (not birthday).
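The birth-year gate this comment describes, written out as an added illustration (it is not code from anyone in the thread). A bare birth year leaves the age ambiguous by one year, so the example resolves that ambiguity toward "possibly under 13" and stops the sign-up before any further personal information is read, which is the failure the Path comments above point at. The function names, the form fields and the sample year 2024 are assumptions made for the example.

```python
from dataclasses import dataclass

COPPA_MIN_AGE = 13  # the age threshold the thread is discussing


@dataclass
class GateDecision:
    allowed: bool   # may sign-up continue and collect personal information?
    reason: str     # why the gate decided as it did
    min_age: int    # lowest age consistent with the stated birth year
    max_age: int    # highest age consistent with the stated birth year


def age_range_from_birth_year(birth_year: int, current_year: int) -> tuple:
    """A birth year alone does not pin down the age: without month and day,
    someone born in birth_year is either (current_year - birth_year - 1) or
    (current_year - birth_year) years old today."""
    upper = current_year - birth_year
    return max(upper - 1, 0), upper


def age_gate(birth_year: int, current_year: int) -> GateDecision:
    """Decide whether a sign-up may proceed, treating the ambiguous year as
    'possibly under 13' rather than giving the benefit of the doubt."""
    if birth_year > current_year or birth_year < current_year - 150:
        return GateDecision(False, "implausible birth year", 0, 0)
    lo, hi = age_range_from_birth_year(birth_year, current_year)
    if lo >= COPPA_MIN_AGE:
        return GateDecision(True, "birth year implies at least 13", lo, hi)
    # Either certainly under 13, or could be 12 or 13. In both cases the gate
    # has just given the operator knowledge of a possible child, so the flow
    # stops here instead of collecting anything further.
    return GateDecision(
        False, "possibly under 13; stop before collecting personal information", lo, hi
    )


def register(form: dict, current_year: int) -> dict:
    """Hypothetical sign-up handler (assumed shape): the gate runs before any
    other field is read, so a blocked request never stores the email or name
    the form may also carry. A real service would route the blocked case to a
    parental-consent step rather than simply refusing."""
    decision = age_gate(int(form["birth_year"]), current_year)
    if not decision.allowed:
        return {"status": "blocked", "reason": decision.reason}
    profile = {"email": form["email"], "display_name": form["display_name"]}
    return {"status": "created", "profile": profile}


if __name__ == "__main__":
    # Constructed sample birth years, evaluated as if the current year were 2024.
    for year in (1990, 2010, 2011, 2015):
        print(year, age_gate(year, 2024))
```

The design choice worth noting is the ambiguous year: with 2024 as the current year, a 2011 birth year means the user is 12 or 13, and the gate blocks rather than waves through, because the operator now holds data suggesting a child and cannot later claim it had no knowledge.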
Is the simplest answer, then, to have a ToS that states no one under 13 is allowed to use your product until you can afford staff charged with handling security & privacy?