Recently, the Federal Trade Commission (FTC) announced that Yelp, Inc., the online review service, has agreed to pay a civil penalty of $450,000 for failing to comply with the Children’s Online Privacy Protection Act (COPPA). COPPA requires companies that collect information from children under 13 online to follow a number of steps to ensure that the children’s information is protected, including seeking verifiable parental consent before collecting any information from a child. COPPA applies to companies that run websites targeted at children, as well as those deemed to have “actual knowledge” that their websites collect information from children under 13. According to the FTC’s complaint, even though Yelp is intended for general audiences and its website expressly states it is not directed at children under 13, Yelp fell into the latter category.
Yelp (among other things) allows users to review restaurants and other businesses via both its website and mobile apps. The website and apps each require a user to provide his or her date of birth in order to register for the service, a mechanism commonly referred to as “age-gating.” According to the complaint, however, Yelp failed to implement a functional age gate in its apps, despite having an effective age-gating mechanism on its website. As a result, several thousand users were able to register for the service despite providing a date of birth showing that they were under 13 years old. Yelp then collected information from those apparently under-age users, including their names, e-mail addresses, locations, and information that they posted on Yelp. Because Yelp collected information from users who provided birthdays indicating that they were under 13, the FTC alleged that the company had “actual knowledge” that it was collecting information from children in violation of COPPA.
In addition to the $450,000 civil penalty, the terms of Yelp’s settlement with the FTC require it to delete information it collected from consumers who stated they were under 13 years of age at the time they registered for the service. The settlement will also require the company to comply with COPPA requirements in the future, to submit a compliance report to the FTC, and to adopt recordkeeping and compliance monitoring measures.
The lesson for companies that collect personal information online and use age gates to restrict access by children is simple – immediately destroy and delete any information inadvertently collected from children under the age of 13. You should also take steps to ensure that your age gate works properly by testing it regularly.