Understanding COPPA
"What you don't know about children's privacy regulations and your online information collection practices can hurt you," says Parry Aftab.
By Parry Aftab, InformationWeek
Jan. 19, 2004
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=17300841
Every business has a Web site these days. And many of those companies and commercial entities have sites with chat rooms, discussion boards, instant-messaging capability, profiles and forms or technology that collect registration and other information from site visitors. Sometimes, they direct parts of their sites at children, either to develop brand recognition or loyalty or to reach the children's market. Other times, children visit their sites without being targeted by the site.
There are two legal issues you must understand when children are involved online. One is privacy, the other is safety. (Marketing to children online is a third concern, which will be discussed in future columns.) Both privacy and safety are regulated in the United States by the Federal Trade Commission, although states are permitted to enforce consistent local laws as well. In brief, privacy relates to the collection, maintenance, or use of personally identifiable information from children under the age of 13 (12 years old and under). Safety is affected, legally, when a child under the age of 13 is able to share personally identifiable information with others online (such as in a chat, on discussion boards, or via E-mail or instant messaging). The safety concern is that someone such as a pedophile may be able to contact the child either online or offline because the child has shared such contact information, whether intentionally or not. If you keep these two concerns in mind, the regulations make sense. If you don't, you're in serious trouble when it comes to spotting instances when the law is implicated.
Most laws, and their application to a particular company or line of business, are clear-cut. But kids' privacy laws in the United States can be tricky. That's why you need to keep these concerns in mind. Companies that don't believe their sites would come under the regulations for protecting children online often find that they do. Hopefully, the companies find out before the FTC does.
A federal law, the Children's Online Privacy Protection Act (known as COPPA), applies to commercial Web sites, online services "targeted at children," and any online service operators with actual knowledge that they "collect" personal information from a child. (Actual knowledge can be as simple as a child sharing their grade or age in a monitored general audience chat room on your client's site, or can be supplied by an E-mail or phone call from concerned parents who object to the collection practices on behalf of their child.) Personal information includes such items as full name, home address, E-mail address, telephone number, Social Security number, or any other information that the FTC determines "permits the physical or online contacting of a specific individual." While the regulations are aimed principally at the children's Internet industry, they're fully effective against general-interest sites with actual knowledge that a child is using their services.
Broad Application
Unfortunately, many companies (and their legal counsel) mistakenly believe that COPPA applies only to sites that directly and intentionally market to children. While there are rules that relate to how children are contacted and those relating to properly identifying promotional materials online, COPPA's main thrust is far broader. "Collection" as defined by COPPA includes allowing children to use any interactive communication tools, such as letting children use chat or E-mail, fill out any forms, or post on a discussion board. While the site itself may not be collecting any information from the children, their ability to share that information online with anyone is considered "collection" by the site. Got an "E-mail us" link? That's enough to trigger the law. (Lawyers are famous for their small print and hiding substance in definition sections.)
The FTC adopted regulations under COPPA which require covered Web-site "operators" to:
- Provide notice on the Web site of what information is collected from children as well as how information is used and the Web-site operator's disclosure practices for such information (this applies to all information, not just "personal information");
- Obtain verifiable parental consent (which requires more than a mere E-mail consent from the parent) to collect, use, or disclose children's personal information before it is collected from the child, with certain exceptions and special rules for newsletters and internally used information;
- Upon request, provide parents with a description of the types of information collected from their child, or the actual information obtained from their child, and the opportunity to refuse to permit the further use, maintenance, or future collection of the child's personal information. Thus, in addition to having to obtain initial consent from the parents, if a parent withdraws consent at any time, the operator must remove that child's personal information from the system;
- Cease basing the child's participation in games, contests, or any other activity upon the disclosure of more information than is reasonably necessary to participate, including permitting parents to allow the site to collect personal information but refusing to let the site share the information with third parties; and
- Maintain reasonable procedures "to protect the confidentiality, security, and integrity of personal information collected from children."
If you run a Web site that's directed at children either in whole or in part, you need to find an attorney who knows the intricate details of the COPPA regulations.
Among those details are the comprehensive rules for the various types of notices required under the statute, which cover everything from the content of those rules to the look and placement of the link to the privacy policy displayed at the site, as well as the technical requirements for obtaining "verifiable" parental consent.
Set Clear Collection Practices
If you run a commercial entity with a general-audience Web site, you need to debrief all involved on their collection practices. Even if COPPA doesn't apply to the site, you may still run afoul of the consumer-protection laws if your privacy policy doesn't accurately and completely disclose what personal information you collect from Web-site visitors and what you do with that information.
It's interesting to note that the law in the United States doesn't require that most sites have a privacy policy at all. Yet those who voluntarily post one face liability for any misrepresentations or inaccuracies. So while it is certainly best practice and responsible consumer protection to post one, you may find yourself facing greater legal liability than if you don't post one at all. (Children's sites are an exception: under COPPA, they are required to have accurate privacy policies posted throughout the site.)
If you collect a Web-site visitor's age or grade or similar information online (offline collection has different rules), you may have actual knowledge that you're collecting personal information from a "child" and need to comply with the full panoply of COPPA regulations. Even if you don't overtly request that information, you may still be found to have that knowledge if you have monitored chat rooms or discussion boards at which a user may disclose that information. If the site collects any personally identifiable information from its users or provides any means of public disclosure of such information (such as through an E-mail service, chat room, discussion boards, or instant-messenger service), and the site is alerted that a particular user is a statutory "child," then the site must comply with COPPA.
Think you're off the hook, since you're simply an Internet advertiser? Think again! Banner advertisers and network advertising companies are covered by COPPA and its regulations if they advertise at children's sites and collect personal information from children who click through from such sites. They're also covered if they have ownership or control over such information collected directly at the children's sites. Database-management companies have special treatment under the law, but are covered by COPPA and its broad reach as well. Advertisers at general-audience sites may also be covered by COPPA if they collect personal information from people who click through, and that information discloses that the visitor is a child.
Consider What Info You Collect
Many companies are collecting data from their Web-site visitors without knowing why they're collecting it or if they're using it properly. Unless companies are under investigation or have heard of another company under investigation, their legal departments rarely communicate with Web masters. It's a good idea to check and see what you're collecting and how, as part of a regular internal audit. Think carefully about why you're collecting certain information and whether you're really using it. Collecting and storing data is costly, especially when you aren't using it, because insecure practices subject you to serious legal liability and even more dire public relations. Think before you collect. And think again before you store it for any length of time. And make sure the lawyers, the marketing people, the PR crew, and the business and IT group are involved in this decision. Human resources should be included as well, especially if it involves any employee-interfaced collection practices.
Few lawyers, even among experienced cyberspace law practitioners, understand the children's Internet industry and the regulations and safety concerns that apply to it. But the failure to understand what information can be collected from children, how it can be used, and what needs to be accurately disclosed to parents, has cost many companies dearly. With this tough child-protection law on the books, all commercial Web sites must be vigilant in ensuring that the rights of parents to notice and consent are honored. If companies ignore parents' concerns regarding privacy and advertising, they will have to face tough enforcement of government regulations aimed at U.S. advertisers' marketing to children online and child protection, and the even tougher scrutiny of disgruntled parents.




