The Children’s Online Privacy Protection Act (COPPA) was passed to protect children’s online privacy. The Federal Trade Commission (FTC) recently finalized extensive amendments to its COPPA rule to keep up with changing technology, especially with respect to mobile applications. Stated very simply, the COPPA Rule is directed at websites and apps that are designed for children thirteen years old and younger. If those kid-directed sites or apps collect, either directly or through third parties, personal information about the children who use them, then they must provide notice to parents and receive consent from parents. The COPPA Rule prescribes acceptable methods of providing notice and receiving consent. They include electronic scans of signed parental consent forms; video-conferencing; use of government-issued identification; and alternative payment systems, such as debit cards and electronic payment systems, provided they meet certain criteria. The COPPA Rule also allows kid-directed sites and apps to comply by participating in certain self-regulatory “safe harbor programs.”
Many safe harbor programs host mediation programs to resolve disputes between users and providers. Some sites and apps also have their own user agreements that include ADR provisions. The question now is whether those ADR programs and provisions apply to the COPPA Rule. Could a website provider or app creator defend itself against an alleged violation of the COPPA Rule by stating that the user did not first go through an ADR program provided for in a safe harbor program or user agreement?
On one hand, public policy favors both the freedom to contract and the resolution of disputes without judicial intervention. On the other hand, this situation raises several new issues. If a child clicks to “accept” a user agreement that contains an ADR provision, that contract is invalid because the minor is not competent to enter into it. Site providers or app creators could put ADR provisions into the notices they send parents, but the COPPA Rule states that those notices should be limited to COPPA issues. The safe harbor programs create a reliable program for providers to comply with regulations. They also offer ADR services, but they probably cannot force users into mediation or arbitration because the safe harbor programs do not have a direct relationship with the users themselves.
This instance is another example of the law lagging behind technology. For now, there is no clear answer to how ADR provisions might apply in the context of COPPA Rule violations. Entities that create or operate kid-directed websites or mobile applications should not rely on ADR provisions to protect them. Instead, they should work to strictly comply with the new amendments to the COPPA Rule. Those new amendments go into effect on July 1, 2013.