Link This |
Email this |
Blog This |
Comments (0)
Does your website collect information from children under the age of 13?
June 29, 2007
Perhaps you aren’t doing so deliberately. But if your website collects date of birth information as part of a user registration process or otherwise, and you don’t take affirmative steps to screen out users under the age of 13, then you are required to comply with the federal Children’s Online Privacy Protection Act (COPPA).
COPPA compliance basics
COPPA applies to operators of websites and online services that either (1) are directed to children under thirteen or (2) have actual knowledge that such children are providing information through the website. If you are collecting date of birth information, then you are considered to have the requisite actual knowledge of the age of users from whom you are collecting that information, including children.
If either of the two stated conditions is present, then the you must:
* Provide "notice" of the information collected and how it will be used;
* Provide parents access to review and change such information and the manner in which it is used; and
* With a few exceptions, obtain “verifiable parental consent” before collecting and using certain personal information.
The Federal Trade Commission enforces COPPA, and has issued implementing rules. Under those rules, the COPPA “notice” requirement is met by posting a “clear and comprehensive privacy policy on their website describing their information practices for children’s personal information.”
"Directed to children"
The FTC makes the determination of whether a website is “direct to children” on a case-by-case basis. In some cases it will be obvious that a website or online service is "directed to children," such as a website that promotes a children's book or a children's television program. The FTC, which enforces COPPA, brought an enforcement action against a record company whose artists' promotional websites included one for child rapper "Lil' Romeo," who was then only 12 himself. The website offered games and music aimed at elementary school age children. Other enforcement actions have been brought against Mrs. Field's Cookies, for a website that offered birthday clubs for children 12 or under and provided birthday greetings and coupons for free cookies or pretzels. Also, last year, the FTC, as part of a settlement, a social networking site agreed to a $1 million civil penalty after allegations that it collected, used, and disclosed personal information from children under the age of 13 without first notifying parents and obtaining their consent.
Verifiable parental consent
The type of “verifiable parental consent” required for COPPA compliance is based on a "sliding scale" according to the use to which the information will be put.
Internal Use Only - Websites that collect personal information from children under 13 and only use the information for internal purposes may obtain parental consent through e-mail; provided, the operator takes additional steps to confirm the parent’s identity. For example, this might include a delayed confirmatory e-mail to the parent, or a follow-up letter or telephone call.
Disclosure to Third Parties - For activities that will allow personal information obtained from children under 13 to appear in public areas of a website such as chat rooms and message boards, and/or where the operator will disclose such information to third parties, the following methods of obtaining parental consent are required:
* A consent form that may be printed out and returned by postal mail or fax (known as "print-and-send");
* Provision of a credit card number;
* Calling a toll-free telephone number staffed by trained personnel;
* Provision of a digital signature; or
* An e-mail accompanied by a PIN or password.
Less burdensome methods of obtaining parental notice and/or consent are provided where information collected from children will only be used for a one-time specified purpose or for a specific repeated purpose.
In addition, these site operators must provide for the secure maintenance of the collected information, and not condition a child’s participation in an activity on the child’s disclosure of more personal information than is reasonably necessary under the circumstance.
The FTC makes COPPA compliance information available on its website.
Posted by Jeff Neuburger on June 29, 2007 | Comments (0)
