Children's Online Privacy Protection Act
Congressional concern over children’s privacy led to the passage in 1998 of the Children’s Online Privacy Protection Act (COPPA). [16 CFR Part 312]. [See Privacy Introduction for background] More information can be found online at the FTC’s Children’s Privacy website.
Who Must Comply With COPPA?
You fall under the requirements of COPPA if you
- are the operator [COPPA Sec. 1302(2)] [16 CFR 312.2 Definitions] of a
- commercial website or
- online service
(Note that the term "online service" is not defined by the statute. At a July 2010 Hearing, panelists struggled with whether American Idol voting might be an "online service".)
- is directed at children [COPPA Sec. 1303(1)(a)], or
- appeals generally to the public but has a subsection dedicated to and focused on little ones [COPPA Sec. 1303(1)(a)] [COPPA Sec. 1302(10)], or
For example, many professional sports pages will have a kids' area with kids' activities, kids' booster clubs, trading cards, games, and other specialties. If a professional sports team has a kids' club where children can sign up for the club online and gain the special bobble head freebies, then it would probably fall under COPPA.
- Has actual knowledge that it is collecting information from children [COPPA Sec. 1303(1)(a)] [16 CFR 312.2 Definitions]
How does the FTC determine that a website targets children? The FTC has indicated that it will look at the following factors when making this determination:
- "visual or audio content;
- the age of models on the site;
- whether advertising on the Web site is directed at children;
- information regarding the age of the actual or intended audience; and
- whether a site uses animated characters or other child-oriented features."
If a service does not target children, then actual knowledge means actual knowledge. Some websites gather statistical information on visitors without any thought that some visitors may be children, and without any intention to market to or serve those visitors. If a site asks and knows, then it is under COPPA. Once the site has actual knowledge, then it is stuck with it. Conversely, what about lying kids? According to COPPA, if the kid visits a site and lies about his age, then the kid is not that site's problem. If nothing about a visitor’s presence informs a website that the visitor is a child, then the site lacks actual knowledge.
One area of concern is monitored online communities such as email groups or chat rooms. If the community targets children or if the visitor reveals that the visitor is a child, then the operators of the community must comply with COPPA. One action the community monitor can take is to strip out all personal information from the messages prior to permitting them to be posted. This is sufficient and does not require further parental consent. Operators may elect, instead of stripping out such material, to gain the consent of parents for their children’s participation. These rules do not apply to unmonitored communities. This is likely to pose a significant challenge to monitored communities that do not target children and are not accustomed to COPPA who are suddenly confronted with a message that states, "Hi, my name is Tommy, I’m in the 6th grade and I am doing a research project..."
Child means an individual under the age of 13:
- 16 CFR 312.2 Definitions
- [COPPA Sec. 1302(1) ("The term "child" means an individual under the age of 13")]
- [FTC July 2010 Hearing (Panel 2: testimony that requirement has taught and led children to lie)]
- "In enacting the statute, Congress determined to apply COPPA's protections only to children under 13. Congress and industry self-regulatory bodies have traditionally distinguished children aged 12 and under, who are particularly vulnerable to overreaching by marketers, from children over the age of 12, for whom strong, but more flexible protections may be appropriate. In addition, distinguishing adolescents from younger children may be warranted where younger children may not understand the safety and privacy issues created by the online collection of personal information.
"Given the risks inherent in the disclosure of personal information for all ages, the FTC encourages website operators to offer teenagers privacy protections as well. Moreover, websites' information practices regarding teens and adults are subject to Section 5 of the FTC Act, which prohibits unfair or deceptive acts and practices. See Staff Opinion Letter to Center for Media Education (July 15, 1997) for guidance on how Section 5 applies to information practices involving teens. In addition, recent concern about the risks of child participation on social networking websites led the FTC to issue a set of safety tips for social networking. See "Social Networking Sites: A Parents' Guide" (September 2007), available at ; see also OnGuard Online." - FTC COPPA FAQs
Note: Pursuant to Executive Memo M-00-13, all Federal agencies and their contractors must comply with COPPA.
WHAT DOES COPPA REQUIRE?
What data is collected: The description should be specific, such as "names, addresses, and email addresses," and not the vague "contact information." All data collection techniques must be indicated, including the use of passive techniques such as cookies and other identifiers. Notice should indicate all active and passive data collected. [16 CFR 312.2 (defining "collection")]
What will be done with the data: Is it for internal transaction purposes such as delivering an ordered book or toy? Will it be used for marketing? Will it be used for customer service analysis and improvement of the service? Will the information concerning the child be displayed publicly, such as in a chat room? Will the information be disclosed [16 CFR 312.2 Definitions: disclosure] to third parties [16 CFR 312.2 Definitions: Third Parties]? If so, then the policy must provide complete information on who the third party is, what they will do with the information, and whether the third party will maintain the security and integrity of the data.
Collection Limitations: Notice should indicate that the operator of the service cannot condition the participation of a child in an activity on the provision of any more information than necessary for that activity. 16 CFR 312.7
Parental rights: Inform parents that information cannot be collected from their child absent their consent. Inform parents how that consent shall be collected and verified. The notice should also indicate that parents have the right to review the data and the procedures for how this can be achieved.
Contact Information: The policy must include contact information for everyone involved at the site collecting information (in other words, some sites are a collaboration of multiple entities. If they are collecting information, then their contact information must be included). Contact information includes name, mailing address, telephone number, and email address. If there are multiple operators involved in the site, the website may elect to designate and list only one point of contact of the group. Nevertheless, the identification of all other operators must still be listed. [16 CFR 312.2 Definitions: Online Contact Information]
The mechanisms of parental consent can take into consideration available technology. They include digital signatures, a signed form returned by mail or fax, the use of a credit card, or having a parent telephone properly trained staff.
To make things a bit complicated, the FTC has a sliding scale of requirements. Temporarily, if a website is using the personal information only for internal purposes, the site can seek confirmation from the parent via e-mail - or confirm the consent by letter or phone call (the FTC is considering whether to transform this temporary rule into a permanent rule). If, however, the website desires to disclose the information to third parties, the site must use more reliable means of gaining consent, such as those listed in the previous paragraph.
"In conducting the Rule review, the Commission sought comment on whether the sliding scale set forth in § 312.5(b)(2) remains a viable approach to verifiable parental consent. Under the sliding scale, an operator, when collecting personal information only for its internal use, may obtain verifiable parental consent through an email from the parent, so long as the email is coupled with an additional step. Such an additional step has included obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call, or sending a delayed confirmatory email to the parent after receiving consent. The purpose of the additional step is to provide greater assurance that the person providing consent is, in fact, the parent. This consent method is often called “email plus.” 
. . . . .
"The Commission is persuaded by the weight of the comments that email plus, although imperfect, remains a valued and cost-effective consent mechanism for certain operators. Accordingly, the final Rule retains email plus as an acceptable consent method for operators collecting personal information only for internal use. Nevertheless, the Commission continues to believe that email plus is less reliable than other methods of consent, and is concerned that, twelve years after COPPA became effective, so many operators rely upon what was supposed to be a temporary option. The Commission is also concerned about perpetuating for much longer a distinction between internal and external uses of personal information that the COPPA statute does not make. Thus, the Commission strongly encourages industry to innovate to create additional useful mechanisms as quickly as possible." 78 FR 3971 (2013)
Online services must provide parents with access and the right to review information collected about their children. Parents have the right to revoke their consent and tell online services that they may no longer use and must delete information about their children. An operator's method of compliance with these requirements may not be unduly burdensome on the parents. [16 CFR § 312.6] [COPPA Sec. 1303(b)(1)(B)]
Data Security and Retention:
Online services must institute a program to ensure the security and integrity of the data that they collect. [16 CFR § 312.8] [COPPA Sec. 1303(b)(1)(D)]
16 CFR 312.10: "An operator of a Web site or online service shall retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected. The operator must delete such information using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion."
WHAT IS "PERSONAL INFORMATION" (aka PII)?
At issue with COPPA is the collection of personal information. Personal information means individually identifiable information and includes a first and last name, a physical address, an e-mail address, screen name, or other online identifier, a telephone number, a social security number, IP Number or a cookie or other persistent identifier. [COPPA Sec. 1302(8)] [16 CFR 312.2 Definitions] [See also CPNI, ECPA] It also means any additional information collected from the child in combination with any of the above items. In other words, once a firm has collected personal information from a child, all additional information collected is likewise infected. In order to fall under COPPA, this information must be collected online (if, for example, the visitor prints off a form and then mails in the information, it would not then fall under COPPA).
Note that if the information a site wants to collect is not on the above list (and the website does not target children), then that site can collect it without falling under the restrictions of COPPA. It is, for instance, possible to conduct surveys of visitors to a site and not fall under COPPA as long as no part of the survey asks for personally identifiable information. The survey can even ask age as long as it does not ask, for example, for the visitor's name or set a cookie. If a site wants to set up some silly online poll of the masses asking who should win this year's Academy Awards or who will be elected President, the site could do this and not fall under COPPA as long as that site is not asking personal questions.
"The Commission believes the description permits operators to use anonymous screen and user names in place of individually identifiable information, including use for content personalization, filtered chat, for public display on a Web site or online service, or for operator-to-user communication via the screen or user name." 78 FR 3971 (2013)
ARE THERE ANY EXCEPTIONS?
There are a number of exceptions to COPPA which permit online sites to interact with visitors without the consent of parents. They are as follows:
- The online service can gather personal information for the purpose of contacting the child's parents in order to gain consent. [16 CFR § 312.5(c)] [COPPA Sec. 1303(b)(2)(B)]
- The online service can respond on a one-time basis to an inquiry of the child if it does not use that personal information for any further purposes and deletes it from its databases. [COPPA Sec. 1303(b)(2)(A)&(C)]
- The online service can collect personal information for the purpose of protecting the child's safety where that information is not used for any other purpose including contacting the child and that information is not disclosed anywhere on the online service. [COPPA Sec. 1303(b)(2)(D)]
- The online service can collect information where it is collected only for the purpose of maintaining the security or integrity of the system, or as required by law or judicial process. [COPPA Sec. 1303(b)(2)(E)]
There is another interesting "exception" known as safe harbors. These are industry self-regulation programs that are submitted to the FTC for approval. If approved, then those members who are certified as complying with that program are deemed to be in compliance with COPPA. The entity seeking FTC approval of its self-regulation program will have to provide assurances to the FTC that the integrity of the program will be maintained. [COPPA Sec. 1304]
CAN I COLLECT INFORMATION IN ORDER TO DETERMINE THAT I AM NOT GOING TO COLLECT INFORMATION?
I visited a webpage recently where it asked me for personal information. My own personal privacy protection program is "garbage in, garbage out." I love filling out these forms and always fill them with all types of rubbish. Anyway, when it asked me what year I was born, I unthinkingly hit "1999." The website, citing COPPA, refused to gather any further information from me.
This is a viable option. Age information is not defined by COPPA as personally identifiable information. A site can ask the age of the visitor without having to comply with COPPA further. If the visitor is under the age of 13, a viable option is to refuse to collect any personally identifiable information. If that information is necessary in order to provide your online service, the site may decide not to offer services to children under the age of 13.
BUT I WANNA GIVE FREE STUFF AWAY?
If a site is running online contests, there is a more specific rule, as this was one of the areas of greatest abuse. An operator of an online contest targeted at children is permitted to gather only sufficient information from the visitor that is reasonably necessary for the visitor to participate in the activity. In other words, no asking for mommy and daddy's salary in order to win a free t-shirt. [16 CFR § 312.7]