What are the penalties for COPPA and GDPR violations?
COPPA Violations & Enforcement:
The FTC enforces the Children's Online Privacy Protection Act (COPPA). In addition, state attorneys general and certain federal agencies, such as the Office of the Comptroller of the Currency and the Department of Transportation, are responsible for handling COPPA compliance for the specific industries they regulate.
Operators who violate the Rule can be held liable by a court for civil penalties of up to $50,120 per violation. The amount of civil penalties sought by the FTC or assessed by a court may depend on various factors, such as the severity of the violations, any prior breaches of the Rule by the operator, the number of children affected, the nature and quantity of collected personal information, the use of that information, any sharing with third parties, and the company's size. The assessment of a suitable civil penalty is subject to case-specific considerations. In certain cases, the FTC has opted not to pursue any civil penalty, whereas in other instances, the fines have amounted to millions of dollars.
In effect since May 25, 2018, the General Data Protection Regulation (GDPR) imposes obligations on organizations anywhere in the world if they target or collect data related to people in the EU. It also includes special protections for children’s data. Less severe infringements can result in a fine of €10 million or 2% of a firm's annual revenue from the preceding financial year, whichever amount is higher.
Beyond the Fines
Not being compliant has many consequences. Paying the fine is just one step. Repairing brand damage is also important to business and organizational success. It takes years to build brand trust and just seconds to destroy it.
In addition to fines, companies may be required to:
- Establish a comprehensive privacy program that addresses the problems identified in the complaint
- Obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. The reporting period for the Assessments may cover: (1) the first year after service of the Order for the initial Assessment; and (2) each two (2) year period thereafter for ten (10) or twenty (20) years after service of the order for biennial Assessments.
- Provide employee training and management, including training on the requirements of the Order
- Adopt strong privacy default settings
- Delete personal information previously collected
- Delete algorithms built from the collection of personal information
- Provide adequate mechanisms to give parents notice and obtain verifiable consent, where applicable
- Have adequate mechanisms for children and parents to exercise their rights
- Have adequate methods for parents to review and delete their children’s information
- Employ adequate data security, retention, and deletion practices
Join a Privacy Program to Be Compliant and Avoid Violations
With the evolving privacy landscape and increased regulation and scrutiny, services will need to engage neutral third parties, like PRIVO, to assess and certify privacy compliance including through data privacy impact assessments. If your service needs support, please contact PRIVO to find out more about our Kids Privacy Assured Program and our privacy technology, and let our experts support you.