[codev]

That isn't how it works. COPPA is pretty narrowly defined.

You only have to take action to get parent's permission if:

a) Your site or app is very specifically targeting children (LEGO or Disney for example)

b) You have asked for some information from the user that positively identifies them as a child - birthdate is the main one

Path were fined because they asked for birthdate during the signup process and then allowed registration even if the user was under 13.

[citricsquid]

Do you have a citation for that? The legislation doesn't seem to make the distinction[1]. If you can provide evidence for the 2 points you made that would be awesome. Thanks!

[1] http://www.law.cornell.edu/uscode/text/15/6501

[codev]

It's right there at the start of the law you cite in A.1.:

  It is unlawful for an operator of a website or
  *online service directed to children*, or any operator
  that has *actual knowledge that it is collecting
  personal information from a child*, to collect personal
  information from a child in a manner that violates the
  regulations prescribed under subsection (b) of this section.

So either:

* service directed to children (LEGO, Disney etc) * actual knowledge that it is collecting information from a child (birthdate, age etc)

My understanding was from internal legal guidance at a previous company I consulted for but I haven't worked on COPPA projects for a few years so I don't know if there have been any major cases.

In any event Path specifically asked for birthdates and then allowed children to carry on and use the service with no changes which is a violation that should have been spotted by anyone with some understanding of COPPA.

[citricsquid]

I completely missed that paragraph, thank you! That solves my questions regarding COPPA.