COPPA – Children’s Online Privacy Protection Act
How to comply with COPPA
The Federal Trade Commission staff prepared this guide to help you comply with the new requirements for protecting children’s privacy online and understand the FTC’s enforcement authority.
- To determine whether a Web site is directed to children, the FTC considers several factors, including the subject matter; visual or audio content; the age of models on the site; language; whether advertising on the Web site is directed to children; information regarding the age of the actual or intended audience; and whether a site uses animated characters or other child-oriented features.
- To determine whether an entity is an “operator” with respect to information collected at a site, the FTC will consider who owns and controls the information; who pays for the collection and maintenance of the information; what the pre-existing contractual relationships are in connection with the information; and what role the Web site plays in collecting or maintaining the information.
The link to the privacy notice must be clear and prominent. Operators may want to use a larger font size or a different color type on a contrasting background to make it stand out. A link in small print at the bottom of the page — or a link that is indistinguishable from other links on your site — is not considered clear and prominent.
- The name and contact information (address, telephone number and email address) of all operators collecting or maintaining children’s personal information through the Web site or online service. If more than one operator is collecting information at the site, the site may select and provide contact information for only one operator who will respond to all inquiries from parents about the site’s privacy policies. Still, the names of all the operators must be listed in the notice.
- The kinds of personal information collected from children (for example, name, address, email address, hobbies, etc.) and how the information is collected — directly from the child or passively, say, through cookies.
- How the operator uses the personal information. For example, is it for marketing back to the child? Notifying contest winners? Allowing the child to make the information publicly available through a chat room?
- Whether the operator discloses information collected from children to third parties. If so, the operator also must disclose the kinds of businesses in which the third parties are engaged; the general purposes for which the information is used; and whether the third parties have agreed to maintain the confidentiality and security of the information.
- That the parent has the option to agree to the collection and use of the child’s information without consenting to the disclosure of the information to third parties.
- That the operator may not require a child to disclose more information than is reasonably necessary to participate in an activity as a condition of participation.
- That the parent can review the child’s personal information, ask to have it deleted and refuse to allow any further collection or use of the child’s information. The notice also must state the procedures for the parent to follow.
Direct Notice to Parents
Until April 2002, the FTC will use a sliding scale approach to parental consent in which the required method of consent will vary based on how the operator uses the child’s personal information. That is, if the operator uses the information for internal purposes, a less rigorous method of consent is required. If the operator discloses the information to others, the situation presents greater dangers to children, and a more reliable method of consent is required. The sliding scale approach will sunset in April 2002 subject to a Commission review planned for October 2001.
- getting a signed form from the parent via postal mail or facsimile;
- accepting and verifying a credit card number in connection with a transaction;
- taking calls from parents, through a toll-free telephone number staffed by trained personnel;
- email accompanied by digital signature;
But in the case of a monitored chat room, if all individually identifiable information is stripped from postings before it is made public — and the information is deleted from the operator’s records — an operator does not have to get prior parental consent.
Prior parental consent is not required when:
- an operator collects a child’s or parent’s email address to provide notice and seek consent;
- an operator collects an email address to respond to a one-time request from a child and then deletes it;
- an operator collects an email address to respond more than once to a specific request — say, for a subscription to a newsletter. In this case, the operator must notify the parent that it is communicating regularly with the child and give the parent the opportunity to stop the communication before sending or delivering a second communication to a child;
- an operator collects a child’s name or online contact information to protect the safety of a child who is participating on the site. In this case, the operator must notify the parent and give him or her the opportunity to prevent further use of the information;
- an operator collects a child’s name or online contact information to protect the security or liability of the site or to respond to law enforcement, if necessary, and does not use it for any other purpose.
They can use a variety of methods to verify the parent’s identity, including:
- obtaining a signed form from the parent via postal mail or facsimile;
- accepting and verifying a credit card number;
- taking calls from parents on a toll-free telephone number staffed by trained personnel;
- email accompanied by digital signature;
- email accompanied by a PIN or password obtained through one of the verification methods above.
Operators who follow one of these procedures, acting in good faith in response to a request for parental access, are protected from liability under federal and state law for inadvertent disclosures of a child’s information to someone who purports to be a parent.
- mislead consumers; and
- affect consumers’ behavior or decisions about the product or service.
- Specifically, it is a deceptive practice under Section 5 to represent that a Web site is collecting personal identifying information from a child for one reason (say, to earn points to redeem a premium) when the information will be used for another reason that a parent would find material — and when the Web site does not disclose the other reason clearly or prominently.
In addition, an act or practice is unfair if the injury it causes, or is likely to cause, is:
- not outweighed by other benefits; and
- not reasonably avoidable.
For example, it is likely to be an unfair practice in violation of Section 5 to collect personal identifying information from a child, such as email address, home address or phone number, and disclose that information to a third party without giving parents adequate notice and a chance to control the collection and use of the information.