Children’s Online Privacy Protection Act

James Chiodo, Certified Information Privacy Professional CIPP/US

We have all heard the saying “it’s like taking candy from a child.” Well, if the FTC had been around when that saying was invented, they’d have passed laws regulating the collection of sugar-based food products designed primarily for consumption by minors for the purpose of protecting said minors from unfair redistribution of said food items. In a nutshell, never underestimate a government agency’s ability to take a simple concept and make it suitable for use as an insomnia cure.

If you are a website owner or operator or even just provide a service online, the modern-day equivalent of regulations governing taking candy from a child is COPPA; just substitute “personal data” for “candy.” If you are not yet familiar with COPPA, it stands for the Children’s Online Privacy Protection Act, and was enacted by the U.S. Congress in 1998, authorizing the FTC (Federal Trade Commission) to make and enforce rules designed to protect children’s privacy online.

While the FTC is not granted criminal jurisdiction (they don’t get to define activities as crimes, and/or to create criminal penalties), they do get to fine you up to $16,000.00 per violation of COPPA.

Even if you think you know what COPPA regulations require, you may not be aware that the rules were revised as of July 2013; so unless you like writing checks to the government, you are going to need to know what to do. Pay attention to this article and you will be on your way to ensuring compliance with COPPA as of its July 1, 2013 reincarnation.

In trying to make sense of COPPA, one should examine it with the lens of a 20th century lawmaker. Back in 1998 when the Internet was still a relatively new concept to some, particularly those in Congress who grew up with typewriters rather than laptops, the web was a big scary place where unsuspecting children were being preyed upon by criminals who had nothing better to do than steal personal data from minors.

As with most things, the fear of the unknown often leads to ridiculous rules, such as the Mariners’ Insurance Rule of the 14th century stating that ships were not to travel too far out to sea, lest they fall off the face of an earth that was flat.

No, there was no belief in Congress that the earth was flat, but there was an equally silly belief that the Internet activities of criminals could be regulated. There was and is almost no empirical evidence that children were the victims of any invasion of or threat to their privacy on a large scale, yet the fear of it, and thus the demand for a solution, was there.

The result is that criminals still do what they do regardless of the rules, and it’s mostly the normal, mostly decent small-business owners who inadvertently make a $16,000.00 mistake.

The good news is that if you carefully read this article and use the suggested disclaimers and notices from this site, you will be able to navigate the somewhat murky waters of a post-COPPA Internet and comply with the rules.

COPPA regulations are specifically and explicitly directed only to minors under the age of 13. There is no clear explanation of why 13 was picked as the magic age, other than to say that children under 13 years of age are “more susceptible to marketers.”

As the father of 6 kids, I can say that none of them had my credit card info at the age of 13 or even knew their social security numbers, so I’m not sure what vulnerabilities the marketers would be able to exploit. But enough critique of the rules; regardless of their efficacy, they exist and the consequences for violating them are very real.

The rules distinguish between sites that are directed at a “general audience” and those that are “directed towards kids.” For general audience sites, COPPA is triggered only if the site owner gains actual knowledge that the user is under 13. But for sites that are directed at children, COPPA is explicitly applicable.

Of course, every site operator would want to just say “my site is directed towards a general audience” and then just not ask for the age of the users with the hopes that COPPA would not apply. If it was that simple, then no one would ever get the $16,000 fine, and lawyers would be broke.

As the website operator, to determine whether a site is general audience or geared towards children (not just children under 13) you will have to closely examine its contents. Supreme Court Justice Potter Stewart once said, “I can’t define pornography, but I know it when I see it”; the determination of whether your site is directed at children is just about as vague as that.

The commission states that the operators of sites must examine the content, be it auditory or visual, and make that determination. Some things, such as the presence of cartoon characters or child celebrities, will be strong evidence weighing in favor of the site being geared towards children, as will statistical evidence showing the audience to be mostly children.

Also, for sites that have been in existence for some time, the determination is easier than for sites that are just starting. The former have statistical evidence of their audience while the latter do not.

Likewise, you can’t just block all children from accessing your site or participating in it if you determine that it is directed at children. To be clear, if you determine that you have a general audience site you can get away with that, but if it is a children’s site, then you may choose to grant children different access or different activities than adults, but you can’t block them from participating in your site.

For example, if you have a site that’s a fan club of TeleTubbies or an “I love Barney” site, you can’t require that the users click “I am above 18” before entering your site. If instead you have a website directed at fans of Frank Sinatra or a “Great Retirement Places for 2013” website, you can have a simple “I am above 18” button to click on and rely upon that.

While the first prong of COPPA requires you to determine whether you have a children’s site or an adult site using a somewhat subjective standard, the second prong is clearer. Specifically, you must determine whether you are collecting, using or disclosing personal information from children under 13. In addition, the rule further applies to websites/services that are using information collected by another site or service from children under 13.

If you have determined that you are a “general audience” site, you only have COPPA obligations should you learn that a user is under 13. For example, if you are moderating a forum on your non-children site and a user identifies himself as a 12-year-old, you suddenly have COPPA obligations.

Okay, so now you have determined that you are a site directed at children, and that you are gathering data from those kids who are under 13 years of age. Do you have to flee the country and take on a new identity in a foreign land? Not quite. It turns out that the rules are not that onerous.

You need to do a few things that this site can help you with:

  1. You will need to post your privacy policy on your site and describe how you collect personal information and what personal information you collect.
  2. You will need to get consent from the parents or legal guardians of the children in some documentable, provable form (i.e. you can’t just have a “click through” notice; the best practice is to email the parents at the parents’ email address), and after you have obtained consent, you can only keep the data for as long as you need it to perform the task you have disclosed to the parent and that the parent has consented the information be used for. In other words, you can’t save the data for future use not covered by the parent’s consent.
  3. Once you obtain the required consent, you cannot disclose the collected information to third parties unless you have to do that as an integral part of your service. If it is an integral part of your business, you will also need consent from the parent to do so, obtained only after making it very clear that you will be doing so, and you must also provide a method for them to prevent any disclosure to third parties.
  4. You will need to give the consenting parent the ability to access and review the information you have gathered from their child and also a way for them to delete it permanently.
  5. You have to make sure you safely and securely handle the collected information at all times and at all times treat it as confidential information.

But what is the information that is considered private information under COPPA?

Well, pretty much any information you can think of under the new rules: there are the obvious ones (social security numbers, addresses, names, photos) and then the not-so-obvious ones (geolocation, a screen name, anything that has been used to identify the child anywhere, audio recordings, telephone numbers). Names count whether first, last or both, as do addresses. In short, if you are getting enough information to know that a person is a child, then the chances are you are collecting data that is considered confidential and protected under COPPA.

You may have noticed a certain paradox here. Specifically, you must determine whether a visitor is a child or an adult, but to do so you must collect personal data, right? And if the person identifies themselves as a child, don’t you have to gather data (i.e. an email address) to get parental consent? The commission thought of that too. They have a very, very narrow exception that allows you to collect only as much data as is necessary to attempt to get consent from the parent, and then you need to delete it.

There are a few other exceptions that are also common sense, but that can be summed up quite simply: If you need the data to get consent or to protect the child, it is permissible but only for that limited purpose and then must be deleted.

This all seems quite onerous and burdensome, but by using the proper language to obtain consent, and acting within that consent, you can continue to run your website successfully. Just remember these steps:

  • First, determine your audience. If general audience, then do nothing UNLESS someone discloses that they are under 13. If children’s audience, then always get parental consent.
  • Second, when in doubt, always get parental consent.
  • Third, when obtaining parental consent, make sure that you have some method of proving that you got consent and be very clear about what the parent is consenting to.
  • Finally, don’t keep the data for any longer than you need to, and only for as long as you need it for the limited purpose for which it was disclosed.

That’s it. Keep up to date with the information on this site and most importantly, be honest with yourself about why you are collecting the information.

All lawyers graduating from an ABA accredited school had to take a Professional Responsibility/Ethics class, and my professor stated that there is one simple way to determine what the Rules of Professional Conduct would direct an attorney to do. He said to ask yourself: WWJD (what would Jesus do), what will make me the least amount of money, or what would I want my lawyer to do?

The same applies here. While the rules may seem quite technical, they are not. And while I may have frightened you with the $16,000 fine, the truth is that while there are people who do have to pay that fine, if you make an error that is purely technical but you are following the spirit of the rules, you can probably make the required corrections (the first time anyway) and be okay. So go out there, do the right thing, and be successful.
