THE CHILDREN’S ONLINE PRIVACY PROTECTION ACT
IVAN HOFFMAN, B.A., J.D.
NOTE: Effective July 1, 2013, the Federal Trade Commission issued new rules for COPPA compliance. This article was primarily written before those new rules but now contains some elements of the revisions. You should read all the requirements.
On April 21, 2000, the Children’s Online Privacy Protection Act (“the Act”) went into effect. Effective July 1, 2013, the Federal Trade Commission (“FTC”) issued revised and expanded rules dealing with who is covered by the Act, obligations of those covered and other matters. This article, originally published in 2000, reflects the revisions in italics. If you are a web site operator who has a site that is directed toward children covered by the Act, or if you are a web site designer building or host hosting such a site, you must be familiar with the legal provisions and ramifications of the Act.
To determine whether a web site is directed to children, defined as being 13 years old and younger, the Federal Trade Commission, the governmental body in charge of enforcement, looks at several factors as to the site, including:
The revised rules expand considerably the concept of whether a web site is directed to children to include plug-ins as well as advertising networks that have actual knowledge that they are collecting personal information through a web site or online service that is directed to children. Additionally, even if the site is not primarily directed to children, sites and services that target children only as a secondary audience or to a lesser degree may differentiate among users, those sites and services will be covered by the Act and will be required to provide appropriate notice and parental consent for those users who identify themselves as being younger than 13.
By these standards, the Act deals with sites that either actively cater to children or who have actual knowledge that children come to the site. Thus, if your site fits into these categories or others and also collects information about children, you are subject to the Act’s provisions and failure to comply with those provisions can subject you to substantial penalties. Indeed, it would be very prudent for you to comply with the applicable provisions of the Act’s requirement even if your site is even likely to attract children whether or not you actively promote the same. It would appear that if your site even features advertising that is directed toward children that the site then falls within the scope of the Act.
To determine whether you are an “operator” of the site, the FTC considers the following factors, among others:
The revisions expand the definition of an “operator” to make it clear that the Act covers not only a child-directed site or service but also one that integrates outside services such as plug-ins or advertising networks that collect personal information. Exempted are platforms such as Play or the App Store which merely provide the public access to child-directed sites.
Therefor, if your site collects information about children (see below) and you are deemed to be the “operator” of the site, you may be liable for compliance under the Act.
And while these provisions may not appear to apply directly to web designers, in the web design/client relationship there may be an implication that the designer should be held to know about such laws and failing to include the appropriate provisions to make the site comply with the Act may subject the designer to liability as to the client. The same would apply to the client/host relationship and the host should have these same kinds of legal protections from the site. Thus, designers and hosts should be examining their written contracts with their respective clients to make certain that the burden of compliance does not fall on the designer’s or host’s shoulders.
What Kind of Information Is Covered By The Act?
The Act is designed to protect children from certain personal information gathering procedures without parental consent. Thus, if your site collects information such as names, addresses, phone numbers, email addresses and other information from which a child’s identity can be determined, either online or offline, the Act applies to your site. But the Act also applies to information such as about hobbies, interests and information collected through cookies or other types of tracking mechanisms if those mechanisms can be tied to individually identifiable information.
The revision amplified “personal information” to include geolocation information as well as photographs, videos and audio files that contain a child’s image or voice. Additionally, the Act now also includes “persistent identifiers” that can be used to recognize users over time and across different web sites or online services. However, if the “persistent identifiers” are merely used by the site for internal purposes such as contextual advertising, frequency capping, legal compliance, site analysis and network communication, no parental notice and consent is necessary. (see more below) In such latter instance, such “persistent identifiers” can never be used to make direct contact with the child and can never be provided to other parties whether through behavioral advertising, to amass a provide on a specific individual or for any other purpose.
Moreover, the revision allows operators to allow children to participate in interactive communities without parental consent so long as the operators take reasonably measures to delete all or virtually all of the children’s personal information before it is made public.
What Must the Site Owner Do To Comply?
If the Act applies to your site, you must post a link to a notice of your site’s information practices on the home page of your site and at each area where the site collects the above information from children. If you run a site that is more of a general audience site but which has a separate area that targets children, you must post a link to your privacy notice on the home page of the children’s area.
The link to this notice must be “clear and prominent.” And the FTC guidelines suggest that you may want to use a larger size font or different color type on a contrasting background and it specifically states that merely having a link at the bottom of the page is not sufficient.
The notice must contain:
There are other provisions that must be included in the notice as well.
One of the key parts of the Act is that the operators must provide a written procedure for a notice sent directly to the parents and for the parents to actively consent, in writing, to the collection of this information prior to the information being collected. The site operator must notify a parent in the form of an email, postal mail, fax and in other similar ways set forth in the regulations and the operator must then get a “verifiable parental consent” to the entire process. During an interim period, there are specific regulations about how this consent is to be obtained based upon how the information is going to be used. The more public the use of the information, the more stringent are the requirements for consent. And there are regulations that specify what “verifiable” means in the context of the Act.
The revisions also allow for other methods of obtaining such parental consent such as electronic scans of signed parental consent forms, video-conferencing, use of government-issued identification as well as debit card and electronic payment systems provided these latter ones meet specified criteria.
The revisions continue to allow the so-called “sliding scale” for parental consent described above.
In the event the site changes how the information is collected, used or disclosed, a new, verifiable parental consent must be obtained and, of course, the written policy must be changed on the site.
At any time, the parent can revoke any previously granted consent either to the collection of information or to its use. Thus, if you disseminate this information to third parties, you must have a corresponding procedure to have such third parties delete any information so requested to be deleted by the parent.
The revisions require that site operators take reasonable steps to insure that the children’s personal information is released only to service providers and third parties that are capable of maintaining the confidential, security and integrity of that information and who assure the operators that they will do so. This should be embodied in a valid written agreement whereby such assurances are given by the party to whom the information is disclosed.
Additionally, the revisions require that the operator maintain the children’s personal information for only so long as is reasonably necessary and to protect it against unauthorized use while it is being used or being disposed of.
The above discussion is not intended to be exhaustive of the Act’s scope nor its requirements and you should consult with an experienced Internet law attorney to advise you about how the Act may apply to your site.
Given the potential severity of the impact on children as well as the significant legal liability to which the site may be exposed by failure to comply, you as a site owner are well advised to seek appropriate legal advice.
Copyright © 2000, 2013 Ivan Hoffman. All Rights Reserved.
This article is not legal advice and is not intended as legal advice. This article is intended to provide only general, non-specific legal information. This article is not intended to cover all the issues related to the topic discussed. The specific facts that apply to your matter may make the outcome different than would be anticipated by you. This article is based on United States law. You should consult with an attorney familiar with the issues and the laws of your country. This article does not create any attorney client relationship and is not a solicitation
No portion of this article may be copied, retransmitted, reposted, duplicated or otherwise used without the express written approval of the author.