Web Security, Privacy and Commerce, 2nd Edition

2017-07-07 02:10:07

only for RuBoard - do not distribute or recompile

24.2 Children's Online Privacy Protection Act

Passed by the U.S. Congress in 1998, the Children's Online Privacy Protection Act (COPPA) seeks to give parents control over how their children's personal information is collected and used on the Internet. Although limited in scope and somewhat awkward to implement, COPPA has had a dramatic impact on both the online community and the children's software industry in general.

24.2.1 Prelude to Regulation

Since the early 1970s, the U.S. database industry has consistently argued against government regulation, saying that "voluntary compliance" was cheaper, more flexible, more effective, and ultimately more in the interest of the American public. These arguments, combined with ample campaign contributions, have largely prevented the U.S. Congress from adopting legislation that would afford wholesale protections to the personal information of most Americans. Fortunately, the same is not true when it comes to protecting the personal information of America's children.

With the birth of the consumer Internet in the mid-1990s, many businesses and marketing firms decided to use the technology as a way to bypass parents and reach out directly to the children of America. In some cases, web sites were created directly for the purpose of extracting personal information from children information that would later be used to solicit the children to make purchases. In other cases, children were used as an intermediary for gathering financial or demographic information about their parents.

For example, in 1996, the U.S. Federal Trade Commission began an investigation into the web site KidsCom. The site, peppered with cool graphics and free games, required that kids register to play. And registering was no small matter: kids had to fill out elaborate forms reporting age, birth date, sex, size of their family, favorite TV show, favorite TV commercial, favorite musical group, hobbies, how they accessed the Internet, correct email address, email address of their parent or guardian, mailing address, speed of their Internet connection, and career plans. The situation generated a lot of attention in the press: consumer advocates said that KidsCom was targeting children who couldn't make informed decisions about the release of personal information. The site's owners maintained that they asked these questions so they could match up kids in an electronic pen pal program and provide customized content. After a year of investigation, KidsCom voluntarily changed its practices, set up a parent's advisory panel, and adopted a privacy code.

At roughly the same time as the KidsCom investigation, The Walt Disney Company launched its own multimillion-dollar web site whose sole purpose was to promote Disney products and collect marketing information. Unlike KidsCom, Disney did not adopt a strict policy against releasing the names and identities of children. Indeed, the "privacy policy" at the company's web site in 1996 said exactly the reverse: "Information submitted at the time of registration or submission may be used for marketing and promotional purposes by The Walt Disney Company and may be shared with companies that have been pre-screened by The Walt Disney Company."

Congress began a series of hearings on the subject of children's online privacy. As a result of those hearings, in October 1998 Congress passed and President Clinton signed into law the Children's Online Privacy Protection Act. Under the Act, the Federal Trade Commission was charged to write a Rule that would enforce the Act. The FTC's COPPA Rule became effective on April 21, 2000.

24.2.2 COPPA Requirements

In the minds of many lawmakers, marketers had stepped over the line when they directly approached America's children. COPPA was designed to restore the position of parents as the guardians of their children by putting parents in control of the collection and use of their children's personal information.

24.2.2.1 Who must follow the COPPA Rule?

COPPA applies to operators of commercial web sites and online services that are directed at children under the age of 13, and to operators of general audience sites who discover that they are collecting information from children under the age of 13. Thus, you might have a web site with a mature theme, such as wine tasting, but if you ask people to register with their age, and a subscriber says that he is under 13, COPPA applies to that subscriber.

According to the FTC's How to Comply With the Children's Online Privacy Protection Rule, "to determine whether a web site is directed to children, the FTC considers several factors, including the subject matter; visual or audio content; the age of models on the site; language; whether advertising on the web site is directed to children; information regarding the age of the actual or intended audience; and whether a site uses animated characters or other child-oriented features." ^[7]

^[7] http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm

24.2.2.2 Basic provisions of COPPA

COPPA applies to all personally identifiable information that might be collected from children online, including:

Full name

Home address

Email address

Telephone number

Any information that would allow someone to identify or contact the child

All information collected from the child, if that information can be tied back to the child's name or identity

Under the terms of COPPA, web site operators must create a privacy policy that clearly states what kind of information is collected and what is done with it. Specifically, the notice must clearly state:

The name and contact information for all operators collecting or maintaining children's personal information throughout the web site.

What kind of personal information is collected, and how it is collected.

How the personal information is used.

Whether or not information collected from children is disclosed to third parties. If information is disclosed, the notice must describe the general businesses of the third parties, what they do with the information, and whether or not the third parties have agreed to maintain the information's confidentiality and security.

Finally, a link to the privacy notice must be clearly and prominently placed on the home page of the web site.

The FTC's Rule specifies certain minimum standards that privacy policies must follow, including:

The operator's privacy policy must give parents the ability to "opt out" of third-party disclosure. That is, it must be possible for children to use the web site without having their information disclosed to others.

Operators may not require children to "disclose more information than is reasonably necessary to participate in an activity as a condition of participation."

Parents must have the ability to review a child's personal information, to refuse to have any more information on their children collected or used, and to have the information deleted. The notice must clearly state the procedures that a parent would need to follow.

Before any information on a child is collected, used, or disclosed, the web site must obtain "verifiable parental consent."

Parents must have the option of revoking their consent and having the web site operator delete all of their child's personal information at any time.

24.2.2.3 Verifiable parental consent

Both COPPA and the FTC's COPPA Rule require that web operators obtain consent from the child's parent before any personal information about the child can be collected. This provision is problematic not because it is hard to verify that a person is giving consent, but because it is difficult (if not impossible) to verify that one online person is the parent of another.

In its initial rule the FTC admitted the difficulty of what Congress had asked it to do. The initial rule adopted a sliding scale that specified different levels of consent for different levels of personal information use. The sliding scale is in effect until April 2002; a formal review was planned for October 2001, as this book was going to press.

Under the sliding scale, an email from a parent is sufficient to allow internal uses of a child's personal information within a web site, provided that the web site operator "take additional steps to increase the likelihood that the parent has, in fact, provided consent." Additional steps that the FTC notes would be acceptable include:

Delayed confirmatory email

A letter from the parent

A phone call from the parent

If the child's personal information is going to be publicly disclosed such as being displayed as a name in a chat room or on a message board then the FTC requires that the web site operator use "a more reliable method of consent." Typical methods that the FTC notes as acceptable include:

Getting a signed form from the parent by email or fax

Having the parent provide a credit card number in connection with a transaction, and having that credit card number verified

Having a parent call a toll-free number and speak with "trained personnel"

Receiving an "email accompanied by digital signature"

24.2.2.4 COPPA exceptions

The FTC's Rule allows several exceptions. These exceptions were designed to cover "many popular online activities for kids, including contests, online newsletters, homework help, and electronic postcards."

Under the FTC's exceptions, parental consent is not required when:

An email address is collected specifically to provide notice and seek consent.

An email address is collected to respond to a one-time request from a child, provided that the child's email address is not retained by the web site operator.

An email address is collected to answer multiple requests or otherwise communicate with the child for example, for a magazine subscription. However, in these cases, the web site operator must notify the parent about the nature of the communications and give the parent an opportunity to have the communications stop.

An operator can collect a child's name or contact information "to protect the safety of a child who is participating on the site." However, in these cases, the web site operator must notify the parent to allow the parent "the opportunity to prevent further use of the information."

An operator can collect a child's name or contact information "to protect the security or liability of the site or to respond to law enforcement."

24.2.2.5 Enforcement

The Children's Online Privacy Protection Act is enforced by the FTC. In most cases, violations of the Act that are pursued by the FTC will result in a consent agreement between the FTC and the web site in question. In some cases the FTC may prosecute web site operators who violate their written privacy policies under Section 5 of the FTC Act, as a unfair and deceptive trade practice.