Protecting Children's Privacy Online
by Tim Bohlman
The Children's Online Privacy Protection Act (COPPA) was passed by Congress in October 1998, with a requirement that the Federal Trade Commission (FTC) issue and enforce rules concerning children's online privacy. The primary goal of the Act and the Rule is to place parents in control over what information is collected from their children online. The Rule was designed to be strong, yet flexible, to protect children while recognizing the dynamic nature of the Internet.
The COPPA Rule applies to operators of commercial Web sites and online services directed to children under 13 that collect personal information from children, and operators of general audience sites with actual knowledge that they are collecting information from children under 13.
What determines if a site targets children?
The Rule sets out a number of factors in determining whether a Web site is targeted to children, such as its subject matter, language, whether it uses animated characters, and whether advertising appearing on the site is directed to children. The Commission will also consider empirical evidence regarding the ages of the site's visitors. These standards are very similar to those previously established for TV, radio, and print advertising. Those operators must:
1. Post clear and comprehensive Privacy Policies on the Web site describing their information practices for children's personal information;
2. Provide notice to parents, and with limited exceptions, obtain verifiable parental consent before collecting personal information from children;
3. Give parents the choice to consent to the operator's collection and use of a child's information while prohibiting the operator from disclosing that information to third parties;
4. Provide parents access to their child's personal information to review and/or have it deleted;
5. Give parents the opportunity to prevent further collection or use of the information; and
6. Maintain the confidentiality, security, and integrity of information they collect from children.
In addition, the Rule prohibits operators from conditioning a child's participation in an online activity on the child's providing more information than is reasonably necessary to participate in that activity.
Are Web sites run by nonprofit entities subject to the Rule?
The Act and the Rule expressly state that they apply to commercial Web sites and not to nonprofits that would otherwise be exempt from coverage under Section 5 of the FTC Act. Thus, in general, most nonprofits are not subject to the Rule. However, nonprofits that operate for the profit of their for-profit members may be subject to the Rule. See FTC v. California Dental Association 526 U.S. 756 (1999), for additional guidance on when nonprofits are subject to FTC jurisdiction. Although true nonprofits are not subject to COPPA, we encourage them to set an example by posting privacy policies and providing the protections set forth in COPPA to children providing personal information at their sites.
What do I do if my site isn't in compliance with the Rule?
If you are not collecting any personal information from children, then you are not subject to the Rule. So the quickest thing to do until you can get your site into compliance is to stop collecting personal information from children under 13. In fact, many sites that we have talked to realize that collection of such information is not necessary.
Then, review your Web site, your privacy policy, and the Rule carefully. The materials on the Commission's Web site can provide you with helpful guidance. Take a close look at: what information you collect; how you collect it; how you use it; whether the information you seek to collect is necessary for the activities on your site; whether you have adequate mechanisms for providing parents with notice and obtaining consent; and whether you have adequate methods for parents to review their children's information and for verifying that the people requesting access to kids' information really are their parents.
I operate a general audience site and don't ask visitors to reveal their ages. I do have a button that users can click to send feedback, comments, or questions by email. What are my responsibilities if I get an email that says, "Hi, I am Steve, age 10, and I really like your site. When do you think you will add some more games? "
Under the Rule's one-time contact exception, you can reply to the child (once) without sending notice to the parent or obtaining prior parental consent as long as you do not re-contact the child and you delete the personal information from your records.
