Protecting Children's Privacy under Children's Online Privacy Protection Act (COPPA)

  • By: Staff Editor
  • Date: July 08, 2009
Webinar All Access Pass Subscription

Protecting Children's Privacy under Children's Online Privacy Protection Act (COPPA)

The Children's Online Privacy Protection Act of 1998 (COPPA) is a United States federal law that applies to the online collection of personal information by persons or entities under U.S. jurisdiction from children under 13 years of age. It details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children's privacy and safety online including restrictions on marketing to those under 13. While children under 13 can legally give out personal information with their parents' permission, many websites altogether disallow underage children from using their services due to the amount of paper-work involved.

The Federal Trade Commission has the authority to issue regulations and enforce COPPA. Also under the terms of COPPA, the FTC designated ‘safe harbor’ provision is designed to encourage increased industry self-regulation. Under this provision, industry groups and others may request Commission approval of self-regulatory guidelines to govern participants’ compliance, such that Web site operators in Commis-sion-approved programs would first be subject to the disciplinary procedures of the safe harbor program in lieu of FTC enforcement. To date, the FTC has granted safe harbor to four companies, namely, TRUSTe, ESRB, CARU and Privo.

Key Features

  • The Act applies to websites and online services operated for commercial purposes that are ei-ther directed to children under 13 or have actual knowledge that children under 13 are provid-ing information online.
  • Most recognized non-profit organizations are exempt from most of the requirements of COPPA.
  • However, non-profit organizations operated for the benefit of their members' commercial ac-tivities are subject to FTC regulation and consequently, COPPA.
  • The type of "verifiable parental consent" that is required before collecting and using information provided by children under 13 is based upon a "sliding scale" set forth in a Federal Trade Com-mission regulation that takes into account the manner in which the information is being col-lected and the uses to which the information will be put.

Website operators must use reasonable procedures to ensure they are dealing with the child's parent. These procedures may include:

  • Obtaining a signed form from the parent via postal mail or facsimile.
  • Accepting and verifying a credit card number;
  • Taking calls from parents on a toll-free telephone number staffed by trained personnel;
  • Obtaining emails accompanied by digital signature;
  • Obtaining emails accompanied by a PIN or password obtained through one of the verification methods above.

Requirements of COPPA

  • An operator must post a link to a notice of its information practices on the home page of its Web site or online service and at each area where it collects personal information from children.
  • An operator of a general audience site with a separate children's area must post a link to its notice on the home page of the children's area.
  • The link to the privacy notice must be clear and prominent.
  • Operators may want to use a larger font size or a different color type on a contrasting background to make it stand out.
Content The notice must be clearly written and understandable; it should not include any unrelated or confusing materials. It must state the following information:
  • The name and contact information (address, telephone number and email address) of all operators collecting or maintaining children's personal information through the Web site or online service.
  • The kinds of personal information collected from children (for example, name, address, email address, hobbies, etc.) and how the information is collected.
  • How the operator uses the personal information. For example, is it for marketing back to the child? Notifying contest winners? Allowing the child to make the information publicly available through a chat room?
  • Whether the operator discloses information collected from children to third parties. If so, the operator also must disclose the kinds of businesses in which the third parties are engaged; the general purposes for which the information is used; and whether the third parties have agreed to maintain the confidentiality and security of the information.
  • That the parent has the option to agree to the collection and use of the child's information without consenting to the disclosure of the information to third parties.
  • That the operator may not require a child to disclose more information than is reasonably necessary to participate in an activity as a condition of participation.
  • That the parent can review the child's personal information, ask to have it deleted and refuse to allow any further collection or use of the child's information. The notice also must state the procedures for the parent to follow.
Disclosures to Third Parties An operator must give a parent the option to agree to the collection and use of the child's personal information without agreeing to the disclosure of the information to third parties. However, when a parent agrees to the collection and use of their child's personal information, the operator may release that information to others who use it solely to provide support for the internal operations of the website or service, including technical support and order fulfillment.
New Notice for Consent An operator is required to send a new notice and request for consent to parents if there are material changes in the collection, use or disclosure practices to which the parent had previously agreed.
Access Verification
  • At a parent's request, operators must disclose the general kinds of personal information they collect online from children (for example, name, address, telephone number, email address, hobbies), as well as the specific information collected from children who visit their sites.
  • Operators must use reasonable procedures to ensure they are dealing with the child's parent before they provide access to the child's specific information.
  • Operators who follow one of these procedures acting in good faith to a request for parental access are protected from liability under federal and state law for inadvertent disclosures of a child's information to someone who purports to be a parent.

Revoking & Deleting

  • At any time, a parent may revoke his/her consent, refuse to allow an operator to further use or collect their child's personal information, and direct the operator to delete the information. In turn, the operator may terminate any service provided to the child, but only if the information at issue is reasonably necessary for the child's participation in that activity.
  • If, after giving consent, a parent asks the operator to delete the child's information, the operator may refuse to allow the child to participate in the chat room in the future.
  • If other activities on the Web site do not require the child's email address, the operator must al-low the child access to those activities.

The Commission may bring enforcement actions and impose civil penalties for violations of the Rule in the same manner as for other Rules under the FTC Act. The Commission also retains authority under Section 5 of the FTC Act to examine information practices for deception and unfairness, including those in use before the Rule's effective date. In interpreting Section 5 of the FTC Act, the Commission has de-termined that a representation, omission or practice is deceptive if it is likely to:

  • Mislead consumers; and
  • Affect consumers' behavior or decisions about the product or service.

The regulations include several exceptions that allow operators to collect a child's email address without getting the parent's consent in advance. These exceptions cover many popular online activities for kids, including contests, online newsletters, homework help and electronic postcards.

Prior parental consent is not required when an operator collects:

  • a child's or parent's email address to provide notice and seek consent,
  • an email address to respond to a one-time request from a child and then deletes it,
  • an email address to respond more than once to a specific request -- say, for a subscription to a newsletter,
  • a child's name or online contact information to protect the safety of a child who is participating on the site,
  • a child's name or online contact information to protect the security or liability of the site or to respond to law enforcement, if necessary, and does not use it for any other purpose.



Best Sellers
You Recently Viewed