Earlier this month, updates to the Children’s Online Privacy Protection Act went into effect, and with them came some significant changes for parents and children, website administrators, and internet advertisers. The updates to the COPPA rules that were originally passed in 1998 seek to make the law more relevant for modern technology and social media. The most important change is that the law makes some of the metadata that is normally generated in online sessions protected identifiable information (PII) under COPPA. Sites that are covered by COPPA (sites with a certain amount of traffic from visitors under the age of 13) now have to get parental permission if they use persistent identifiers like screen names or website cookies. In this post, we’ll cover what the changes in COPPA mean for parents, website administrators and internet advertisers.
Parents and Children
COPPA is designed to give parents more control over their child’s personal information. So parents can expect to receive notifications from sites or apps their children use online. The letter should explain in plain language what information would be collected and how it would be used. Parents would then have to send back verifiable consent before the child could use the app or website. Verifiable consent means a signed form that can be faxed, mailed, or scanned into an email; using a credit/debit card; calling a toll-free number or connecting to a video conference; or providing a copy of a government ID.
Parents are not limited to a simple yes or no answer. They have options for how much consent they want to give. To illustrate, parents can allow companies to collect information, but deny them the right to share that information with others. Parents can review the information collected on their children (though they would have to verify who they are again before any data was sent to them). Parents also have the right to retract their consent at any time and have any information about their child deleted.
Website Owners and Advertisers
The updated COPPA provides parents with greater control over the personal information of children under 13, and it requires businesses to take several actions to ensure they are in compliance with the law. As with any law, the actual rules and requirements vary from case to case and some businesses may have to do a lot more to be in compliance than others. However, website owners are responsible for their advertising partners’ behavior, so businesses must be doubly vigilant. And since violations carry the possibility of law enforcement action and civil penalties, it’s important to be sure that an organization has it right. There are six simple steps a business should follow to ensure they are in compliance.
Determine if the website or online service is covered by COPPA – COPPA doesn’t apply to all sites, but it applies to more than many would initially suspect. If a website or online service (including games and apps) is directed at children under 13 and information is collected, whether by the company or a third party, the site is covered by COPPA regulations. If a website or online service is directed at a general audience, but the organization knows they also collect information on children under 13, these sites are also covered by COPPA. And advertising services that collect information from those under 13 are also included.
Post a Privacy Policy that Complies with COPPA – An organization that is covered by COPPA must post a privacy policy on their website that is clear and easy to understand and that explains how information is gathered and how it will be used. A link to the privacy policy has to be posted on the company’s home page. The policy must include a list of all operators collecting personal information; a description of the information collected and how it will be used; and a description of the parents’ rights.
Notify Parents Directly Before Collecting Information on Children Under 13 – COPPA requires that businesses give parents direct notice before collecting any information (as well as send updates whenever they intend to change their collection practices). There are specific requirements for what the letter must include. According to the Federal Trade Commission, the notice must tell parents that the organization collected their online contact information for the purpose of getting their consent; that the organization wants to collect personal information from their child; that their consent is required for the collection, use, and disclosure of the information; the specific personal information the organization wants to collect and how it might be disclosed to others; a link to the online privacy policy; how the parent can give their consent; and that if the parent doesn’t consent within a reasonable time, the organization will delete the parent’s online contact information from the records.
Get Verifiable Consent from Parents – As was mentioned above, there are multiple ways a company can choose to get verifiable consent. There are some narrow exceptions to the general rule of requiring parental consent, and even then, there may still be some notification requirements.
Honor the Ongoing Rights of Parents Regarding the Information Collected – As was also mentioned in the parents’ section of the post, parents have the right to ask for the information collected, to retract their consent, and to have information collected destroyed. And since they have the right to do this, businesses are required to respond to their requests.
Take Reasonable Actions to Protect Information – As with all private information collected online, businesses have to be sure that their policies protect the confidentiality, security, and integrity of the information collected on children under the age of 13. This includes vetting the vendors they use to handle information, collecting only the information that is necessary, and properly disposing of the information after there is no further use for it.
How the changes in COPPA will affect advertising revenue and online participation has yet to be seen. For example, Facebook is exempt from COPPA because they don’t allow users under 13, though many children under the age of 13 use the service by lying about their age. Other services may begin making 13 years old the cutoff point for users of their services to avoid the additional regulation. Parents may get a lot of e-mails asking for consent, or parents will start getting charged for services for children under 13 (since it would satisfy the verification requirement and make up some of the lost advertising revenue). Conversely, to make up for their inability to use targeted advertisements, internet marketers may just increase the number of general advertisements. In these first few months of the new implementation, there will be a lot of child rights and consumer advocacy groups looking out for businesses that aren’t in compliance, so make sure you understand where your organization stands with regard to COPPA.