COPPALegal Compliance and Restrictions.
An introduction for the online marketer
Not to be considered legal advice.
Please consult your legal counsel for further details.
I ANAL
I AmNotALawyer
DefinitionsCOPPA. Child Online Privacy Protection Act
COPPR. Child Online Privacy Protection Rule
COPA. Child Online Protection Act
DefinitionsThe primary goal of COPPA and the Rule is to place parents in control over what information is collected from their young children online. The Rule was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. The Rule applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.
What do we have to do?
Post a clear and comprehensive privacy policy on the website describing their information practices for children’s personal information;
1.
Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children;
2.
Giving parents the option to consent to the collection and internal use of their children's personal information without consenting to the disclosure of that information to third parties;
3.
Provide parents access to their child’s personal information to review and/or have the information deleted;
4.
Give parents the opportunity to prevent further use or online collection of a child’s personal information;
5.
Maintain the confidentiality, security, and integrity of information they collect from children.
6.
1. Privacy PolicyPost a privacy policy on the homepage of the website and link to the privacy policy everywhere personal information is collected.
The Rule requires that a link to the privacy policy be posted clearly and prominently on your home page and at each area where personal information is collected.
16 C.F.R. § 312.4(b).
1. Privacy PolicyInformation that counts as “personal”.
(A) a first and last name;
(B) a home or other physical address including street name and name of a city or town;
(C) an e-mail address;
(D) a telephone number;
(E) a Social Security number;s
(F) any other identifier that the Commission determines permits the physical or online contacting of a specific individual; or
(G) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph.
1. Privacy PolicyThe PP must include name, address, telephone number, and email address of each operator collecting or maintaining personal information from children through your site; the types of personal information collected from children and whether it is collected actively or passively; how such personal information is or may be used; whether such personal information is disclosed to third parties.
16 C.F.R. § 312.4(b)(2).
1. Privacy Policy“Cookies,” “GUIDs,” “IP addresses,” or other passive information collection means must be included if they are tied to personally identifiable information.
16 C.F.R. § 312.2.
2. Direct NoticeWe need consent from parents of children under 13. There are two levels of consent required. One for PII that will be used with third parties or systems that make the information available to people outside of the website operators and another level for internal website operators.
2. Direct NoticeApproved methods to gain consent from parents for usage of PII with third parties:
Provide a form for the parent to print, fill out, sign, and mail or fax back to you (the “print-and-send” method);
Require the parent to use a credit card in connection with a transaction (which could consist of a membership or subscription fee, a purchase, or a charge to cover the cost of processing the credit card).
Maintain a toll-free telephone number staffed by trained personnel for parents to call in their consent;
Obtain consent through an email from the parent, if that email contains a digital signature, or other digital certificate that uses public key technology obtained through one of the above methods.
2. Direct NoticeApproved methods to gain consent from parents for usage of PII for Internal usage - “Email plus”:
Requesting in your initial email seeking consent that the parent include a phone or fax number or mailing address in the reply email, so that you can follow up to confirm consent via telephone, fax, or postal mail; or
After a reasonable time delay, sending another email to the parent to confirm consent. In this confirmatory email, you should include all the original information contained in the direct notice, inform the parent that he or she can revoke the consent, and inform the parent how to revoke the consent.
3. Scope of consentApproval for collection of PII for internal use should not automatically include or imply approval for external usage.
“An operator is prohibited from conditioning a child’s participation in a game, the offering of a prize, or another activity on the child’s disclosing more information than is reasonably necessary to participate in such activity.”. Section 312.7
4. Access of dataAccess should be on demand but the operator is not liable for keeping all records that have been created. If data has been deleted the operator is not in breach of the CFR.
The format of the data isn’t specified by the act.
5. Revocation of Permissions
Parents can revoke their children's participation and the site operator is responsible for baring the child from their site using reasonable measures.
6. Data Retention PolicyWeb site data owners must take reasonable precautions to secure the data of minors using their service.
ExceptionsThere are sui generis exceptions to the CFR requirements for site operators.
Silver bulletsWe can request an email address for notification of a competition entry or content personalization.
If contact needs to be made more than once or another piece of unique information needs to be paired with the email address standard Direct Notice procedure must be enforced.
Silver bulletsCommunication without direct notice can be conducted for the purpose of:
• Requesting direct notice
• One time support request and the email address is deleted immediately
• If the safety of the individual is at risk
• If the security of the site is at risk
Silver bulletsEmail addresses can be used anonymously for multiple communications without requiring direct notice if the addresses are converted into anonymous hashes, otherwise known as one way encryption, and cannot be retrieved from a data source.
Avoiding COPPA?Offer activities that do not require the collection or disclosure of personal information;
Use screen names or other anonymous techniques to personalize the site;
Limit the amount of personal information collected
Gotchas“Keep in mind that "COPPA compliant" does not only apply to websites that are intended for audiences under 13 years of age. All websites are required to have in place mechanisms for dealing with users who are known to be minors.”
–Sol Irvine, Partner at Yuson & Irvine
Gotchas“This isn’t don’t ask-don’t tell. If incompliant data is there: delete it”
–Anonymous
GotchasAge gates should not “lead” the user to inputting their age as older than 13. Even if they are older.
The site should provide a neutral approach where a visitor input’s their year of birth rather than hitting a check box that they are older than 13.
GotchasLook at OpenID for managed Direct Notice consent.
http://openidforkids.com/
GotchasThe IAB and DMA are lobbying for amendments of the COPPA act to allow ad servers more behavioral targeting privileges for kids thanks to Illinois’ Bobby Rush.
“[…] the requirement to obtain verifiable consent from parents may also have impacted the ability of our members to provide innovative offerings to children.”
GotchasThe IAB and DMA are lobbying for amendments of the COPPA act to allow ad servers more behavioral targeting privileges for kids thanks to Illinois’ Bobby Rush.
“[…] the requirement to obtain verifiable consent from parents may also have impacted the ability of our members to provide innovative offerings to children.”
Gotchas“These ad networks have no way of knowing whether a website is being accessed by a child under the age of 13 or an adult, since such ad networks are not the website operator. If the definition of ‘personal information’ were expanded to include anonymous data obtained through behavioral advertising, third parties would be forced to collect individually identifiable information about the user in order to effectuate the verifiable parental consent notice requirements.”
Gotchas“Unlike their predecessors from over a decade ago, today’s teenagers are what are known as “digital natives” – people for whom digital technologies such as computers, the Internet, and mobile phones have always been available.”
Michael Zaneis Vice President of Public Policy Interactive Advertising Bureau
Gotchas
CLEAR Ad Notice Technical Specifications
Gotchas
GotchasWhat’s a website?
(i) a home page of a website;
(ii) a pen pal service;
(iii) an electronic mail service;
(iv) a message board; or
(v) a chat room.
Examples of good policies
http://www.clubpenguin.com/terms.htm
http://www.nick.com/info/privacy-policy.html
http://www.neopets.com/privacy.phtml
Examples of what can go wrong
Xanga“You must check the box below to certify that you are at least 13 years old”
Other bio fields of the users profile contained birth dates younger than 13.
2006.
Lil’ RomeoDefendant has not disclosed it’s information practices including what information it has already collected from child and it’s intended uses of such information.
Automatically registered parents consent on privacy policy click through.
2002
Toysmart“Personal information, voluntarily submitted by visitors to our site, such as name, address, billing information and shopping preferences, is never shared with a third party. When you register with toysmart.com, you can rest assured that your information will never be shared with a third party.”
They sold it.
2001.
Toysmart
Children who entered dates of both indicating that they were under 13 years old were freely available to register on Sony Music’s websites; they were neither restricted from participating, nor did Sony Music use cookies to assure that any restriction persisted.
2000
Imbee“The web's first and premier social networking 'mega-platform' for kids between the ages of 8 - 14. It's a cool, safe and fun environment: […]”
The direct notice emailed to parents failed to disclose that imbee.com already had a collected a child’s full name, DOB, child's email address, gender and a username and password prior to sending the notice to parents.
2008
Hershey’s
Hershey’s Candy of the month club provided a parents consent form for participation to collect private information. At the bottom of the form there was a box labeled “Click here to consent” which took the visitor directly to the reg form.
No measures to review collected data.
2000
FTC contact1-(877) FTC-HELP - General enquires
(202) 326-3140 - Specific enquires
Appendix: Research links
http://www.ftc.gov/privacy/coppafaqs.shtm
http://business.ftc.gov/privacy-and-security/children%E2%80%99s-online-privacy
http://business.ftc.gov/documents/bus45-how-comply-childrens-online-privacy-protection-rule
http://www.philadelphiafed.org/bank-resources/publications/compliance-corner/2003/fourth-quarter/q4cc1_03.cfm
http://www.ftc.gov/privacy/coppafaqs.shtm
http://business.ftc.gov/legal-resources/30/35
http://www.zephoria.org/thoughts/archives/2010/06/10/how-coppa-fails-parents-educators-youth.html
http://www.quora.com/What-are-good-examples-of-COPPA-compliant-web-sites
http://blogs.wsj.com/digits/2010/09/17/understanding-the-childrens-online-privacy-protection-act/
http://www.ftc.gov/ogc/coppa1.htm
http://www.slideshare.net/dsims/coppa-and-you
http://www.the-dma.org/privacy/HowtoComplywithCOPPA-
PDFVersion.pdf
http://www.iab.net/wiki/index.php/COPPA
http://www.google.com/url?sa=t&source=web&cd=3&ved=0CCAQFjAC&url=http%3A%2F%2Fwww.iab.net%2Fmedia%2Ffile%2FAugust_Legislative_Update.docx&rct=j&q=iab%20coppa&ei=XrasTcT0MJCosQPo2-zJCQ&usg=AFQjCNERkcWncVC4Wv8tX4xyMOtrC77MgA&cad=rja
http://www.advertisinglawblog.com/2010/08/ftc-in-ongoing-review-of-coppa.shtml
http://www.iab.net/media/file/DC1DOCS1-%23400330-v1-Comments_-_COPPA_Rule_Review_P104503.PDF
http://www.scribd.com/doc/15610373/IAB-Document-on-Best-Practices-in-Social-Advertising
http://info.yahoo.com/privacy/us/yahoo/attandyahoo/adchoices.html
http://www.iab.net/clear