United States: An Introduction To The Children’s Online Privacy Protection Act

Do you or your company have a web site? Is it marketed to or would it be appealing to children, i.e., individuals under the age of 13? If so, you need to be aware of the Children's Online Privacy Protection Act (COPPA). COPPA was enacted to place parents in control of what information is collected from their young children online. COPPA was designed to protect children under the age of 13 while accounting for the dynamic nature of the Internet. If you fall into either of the following two categories, then COPPA applies to you:

The first category—websites directed to children—is broader than it sounds. Some sites are obvious, e.g., games, etc. However, providers of web sites publishing educational material, cartoons, or other child-related material also need to consider COPPA's implications, because the chances are that some kids will be interested in those web sites, and there are special considerations when kids are involved.

The second category applies once a user provides information sufficient for the operator to know that the user is under 13 years old, e.g., by providing a birth date or year that indicates the user is under 13 years old.

A website operator cannot ignore the issue by stating "My site is for users 13 and older only" and expect to be immune from COPPA compliance. Whether a website is directed to children under 13 is objectively determined based on criteria such as whether its subject matter and language are child-oriented, whether it uses animated characters, or whether advertising appearing on the website is directed to children--not based on the operator's subjective intent that children be prohibited. Empirical evidence regarding the actual and intended ages of the website's visitors also may be taken into account.

Keep in mind that the triggering event for COPPA is collection of personal information from a child under 13 years old. If you do not collect personal information from anyone under 13, then COPPA does not apply to you. However, the FTC recommends that all websites post privacy policies so visitors can easily learn about the website operator's information practices. Some surveys show that parents are uncomfortable with their children giving out any personal information online, so the parents may be pleased to read your privacy policy and discover that you do not collect personally identifiable information.

If you fall within one of the above listed categories, then you must adhere to the following requirements:

• Post a clear and comprehensive privacy policy on your website describing your information practices for children's personal information;
• Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children;
• Give parents the choice of consenting to the operator's collection and internal use of a child's information while prohibiting the operator from disclosing that information to third parties;
• Provide parents access to their child's personal information to review and/or have the information deleted;
• Give parents the opportunity to prevent further use or online collection of a child's personal information; and
• Maintain the confidentiality, security, and integrity of information you collect from children.

COPPA also prohibits operators from conditioning a child's participation in an online activity on the child's providing more information than is reasonably necessary to participate in that activity. Many operators, when considering the measures and precautions they must adhere to in order to collect personal information from children, decide to delete information about and prohibit a user from registering for the web site once the operator learns the user is under 13 years old.

If you will be collecting information from users under 13 years old, you must comply with the above requirements, which includes posting your practices in your privacy policy. Your privacy policy should include the name, address, telephone number, and e-mail address of each operator collecting or maintaining personal information from children through your site; the types of personal information collected from children and whether it is collected actively or passively (e.g., do you use cookies, GUIDs, IP addresses?); how such personal information is or may be used; whether such personal information is disclosed to third parties, allowing parents to deny consent to disclosure of the collected information to third parties; that the operator cannot condition a child's participation in an activity on the disclosure of more information than is reasonably necessary to participate; and that the parent can review the child's personal information and refuse to permit the further collection or use of the child's information.

COPPA also requires that you place a clear and prominent link to your privacy policy on your home page and at each area where personal information is collected. Your privacy policy should be kept simple, too, because the COPPA rules require that privacy policies must be "clearly and understandably written, be complete, and contain no unrelated, confusing, or contradictory materials."

When obtaining parental consent, you can use any number of methods to obtain verifiable parental consent, as long as the method you choose is reasonably calculated to ensure that the person providing consent is, in fact, the child's parent. There are several options:

COMPLYING WITH COPPA

• Post a clear and comprehensive privacy policy on your website describing your information practices for children's personal information;
• Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children;
• Give parents the choice of consenting to the operator's collection and internal use of a child's information while prohibiting the operator from disclosing that information to third parties;
• Provide parents access to their child's personal information to review and/or have the information deleted;
• Give parents the opportunity to prevent further use or online collection of a child's personal information; and
• Maintain the confidentiality, security, and integrity of information you collect from children.

If you are going to disclose children's personal information to third parties, or make it publicly available through operation of an online service such as a social networking site, a blog-hosting service, personal home pages, chat rooms, message boards, pen pal services, or e-mail accounts, then you must use one of the more reliable methods to obtain verifiable parental consent enumerated in the rule:

• Provide a form for the parent to print, fill out, sign, and mail or fax back to you (the "print-and-send" method);
• Require the parent to use a credit card in connection with a transaction (which could consist of a membership or subscription fee, a purchase, or a charge to cover the cost of processing the credit card). The transaction must be completed--just performing an initial "hold" without completing the transaction is not sufficient;
• Maintain a toll-free telephone number staffed by trained personnel for parents to call in their consent; or
• Obtain consent through an e-mail from the parent, if that e-mail contains a digital signature, or other digital certificate that uses public key technology obtained through one of the above methods.

If you are going to use children's personal information only for internal purposes, that is, you will not be disclosing the information to third parties or making it publicly available, then you can use any of the above methods, or you can use what is referred to as the "e-mail plus" mechanism. The "e-mail plus" mechanism allows you to request (in the direct notice to the parent) that the parent provide consent in an e-mail message. However, this mechanism requires that you take an additional step after receiving the parent's e-mail consent to confirm that it was, in fact, the parent who provided consent (the "plus" factor). These additional steps include:

Requesting in your initial e-mail seeking consent that the parent include a phone or fax number or mailing address in the reply e-mail, so that you can follow up to confirm consent via telephone, fax, or postal mail; or

• After a reasonable time delay, sending another e-mail to the parent to confirm consent. In this confirmatory e-mail, you should include all the original information contained in the direct notice, inform the parent that he or she can revoke the consent, and inform the parent how to revoke the consent.

As mentioned above, you do have the option of restricting children under 13 from using your web site. However, be mindful not to design your age collection input screens in a manner that encourages children to provide a false age in order to gain access to your site. If you take reasonable measures to screen for age, then you are not responsible if a child misstates his or her age.

Ask age information in a neutral manner at the point where you invite visitors to provide personal information or to create their log-in user ID.

Ensure that the data entry point allows users to enter their age accurately. An example of a neutral age-screen would be a system that allows a user to freely enter month, day, and year of birth. A site that includes a drop-down menu that permits users to enter only birth years making them 13 or older, would not be considered a neutral age-screening mechanism since children cannot enter their correct age on that site.

Do not encourage children to falsify their age information, for example, by stating that visitors under 13 cannot participate on your website or should ask their parents before participating. Do not advise users of adverse consequences prior to their inputting their age, indicating they are younger than 13 years old.

A site that does not ask for neutral date of birth information but rather simply includes a check box stating "I am over 12 years old" would not be considered a neutral agescreening mechanism.

Use a temporary or a permanent cookie to prevent children from back-buttoning to enter a different age.

If you ask participants to enter age information, and then you fail to either screen out or obtain parental consent from those participants who indicate that they are under 13, you may be liable for violating COPPA. COPPA violations may result in steep fines from the United States Federal Trade Commission. For example, in 2008, Sony BMG settled a COPPA violation by agreeing to pay $1 million in civil penalties, the largest COPPA settlement ever at that time.

If all this sounds onerous, that's because it is. This is the price you have to pay if you want to market to children under 13.

TAKE NOTE!

Once you know that a user is under 13 and you have collected personal information, you have only two options:

The above information provides a basic introduction to COPPA. The actual text of COPPA is quite short, and is located at 13 U.S.C. sec. 1303. The Federal Trade Commission (FTC) rules implementing COPPA may be found at 16 C.F.R. sec. 312.1- 312.12. In addition, the FTC website contains very helpful information regarding COPPA at http://www.ftc.gov/privacy/privacyinitiatives/ childrens.html and http://www.ftc.gov/ privacy/coppafaqs.shtm . The COPPA FAQs are extremely helpful, and while they might not answer every question, they are worth reviewing. When in doubt, err on the side of protecting the under-13 user. A little common sense goes a long way, and in these cases, an ounce of prevention is certainly worth more than a pound of cure!

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.