Protecting Children's Privacy under Children's Online Privacy Protection Act (COPPA)
- By: Staff Editor
- Date: July 08, 2009
The Children's Online Privacy Protection Act of 1998 (COPPA) is a United States federal law that applies to the online collection of personal information by persons or entities under U.S. jurisdiction from children under 13 years of age. It details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children's privacy and safety online, including restrictions on marketing to those under 13. While children under 13 can legally give out personal information with their parents' permission, many websites altogether disallow underage children from using their services due to the amount of paperwork involved.
Background
The Federal Trade Commission has the authority to issue regulations and enforce COPPA. Also under the terms of COPPA, the FTC-designated ‘safe harbor’ provision is designed to encourage increased industry self-regulation. Under this provision, industry groups and others may request Commission approval of self-regulatory guidelines to govern participants’ compliance, such that Web site operators in Commission-approved programs would first be subject to the disciplinary procedures of the safe harbor program in lieu of FTC enforcement. To date, the FTC has granted safe harbor to four companies, namely, TRUSTe, ESRB, CARU and Privo.
Key Features
- The Act applies to websites and online services operated for commercial purposes that are either directed to children under 13 or have actual knowledge that children under 13 are providing information online.
- Most recognized non-profit organizations are exempt from most of the requirements of COPPA.
- However, non-profit organizations operated for the benefit of their members' commercial activities are subject to FTC regulation and consequently, COPPA.
- The type of "verifiable parental consent" that is required before collecting and using information provided by children under 13 is based upon a "sliding scale" set forth in a Federal Trade Commission regulation that takes into account the manner in which the information is being collected and the uses to which the information will be put.
Compliance
Website operators must use reasonable procedures to ensure they are dealing with the child's parent. These procedures may include:
- Obtaining a signed form from the parent via postal mail or facsimile;
- Accepting and verifying a credit card number;
- Taking calls from parents on a toll-free telephone number staffed by trained personnel;
- Obtaining emails accompanied by digital signature;
- Obtaining emails accompanied by a PIN or password obtained through one of the verification methods above.
Requirements of COPPA
Placement |
Content | The notice must be clearly written and understandable; it should not include any unrelated or confusing materials. It must state the following information:
Disclosures to Third Parties | An operator must give a parent the option to agree to the collection and use of the child's personal information without agreeing to the disclosure of the information to third parties. However, when a parent agrees to the collection and use of their child's personal information, the operator may release that information to others who use it solely to provide support for the internal operations of the website or service, including technical support and order fulfillment.
New Notice for Consent | An operator is required to send a new notice and request for consent to parents if there are material changes in the collection, use or disclosure practices to which the parent had previously agreed.
Access Verification |
Revoking & Deleting
- At any time, a parent may revoke his/her consent, refuse to allow an operator to further use or collect their child's personal information, and direct the operator to delete the information. In turn, the operator may terminate any service provided to the child, but only if the information at issue is reasonably necessary for the child's participation in that activity.
- If, after giving consent, a parent asks the operator to delete the child's information, the operator may refuse to allow the child to participate in the chat room in the future.
- If other activities on the Web site do not require the child's email address, the operator must allow the child access to those activities.
Enforcement
The Commission may bring enforcement actions and impose civil penalties for violations of the Rule in the same manner as for other Rules under the FTC Act. The Commission also retains authority under Section 5 of the FTC Act to examine information practices for deception and unfairness, including those in use before the Rule's effective date. In interpreting Section 5 of the FTC Act, the Commission has determined that a representation, omission or practice is deceptive if it is likely to:
- Mislead consumers; and
- Affect consumers' behavior or decisions about the product or service.
Exceptions
The regulations include several exceptions that allow operators to collect a child's email address without getting the parent's consent in advance. These exceptions cover many popular online activities for kids, including contests, online newsletters, homework help and electronic postcards.
Prior parental consent is not required when an operator collects:
- a child's or parent's email address to provide notice and seek consent,
- an email address to respond to a one-time request from a child and then deletes it,
- an email address to respond more than once to a specific request -- say, for a subscription to a newsletter,
- a child's name or online contact information to protect the safety of a child who is participating on the site,
- a child's name or online contact information to protect the security or liability of the site or to respond to law enforcement, if necessary, and does not use it for any other purpose.