Children's Online Privacy Protection Act (COPPA)

16 CFR Part 312


The Children's Online Privacy Protection Act (COPPA) was signed into law on Oct. 21, 1998 and modified effective April 21, 2000. The rule applies to "operators of commercial web sites and online services directed to children under 13 that collect personal information from children, and operators of general audience sites with actual knowledge that they are collecting information from children under 13." COPPA prohibits unfair or deceptive acts or practices in connection with the collection, use, or disclosure of personally identifiable information from and about children on the Internet. The law spells out what a Web site operator must include in a privacy policy, when and how to seek verifiable consent from a parent, and what responsibilities an operator has to protect children's privacy and safety online.

Since the implementation of the rule, several companies have received rather large civil fines for violations of COPPA. Most recently, UMG Recordings was fined $400,000.00 for violations. In 2003, Mrs. Fields and Hershey Foods each received large civil penalties for violations of COPPA. In 2004, Bonzi Software was ordered to pay a fine of $75,000.00. This was the first case in which a software product, rather than an online service, was addressed in the rulings. As these rulings indicate, the FTC is prepared to enforce COPPA, and organizations should be mindful of the requirements of this law.


COPPA and the FTC's implementing rule generally apply to institutions that operate commercial web sites or provide online services (or portions thereof) directed to, or knowingly collect personal information from, children under the age of 13. The Rule covers all personal information collected after April 21, 2000, regardless of any prior relationship an operator has had with a child. COPPA also requires that companies establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected. Fortunately, the FTC provides several documents that help guide organizations in compliance with COPPA.

COPPA and the FTC's rule require those institutions to:

While COPPA only applies to organizations that collect personal information from children under age 13, the FTC suggests that web sites that target teenagers and young adults should implement these "fair information principles" in consideration of the fact that they are likely to attract a subset of younger visitors that would qualify.

Policy Implications

There are several aspects of your policy program that could be affected by COPPA. Here are some areas to review:

Privacy Policies - Obviously, COPPA impacts the content and application of your Privacy Policies. The FTC provides detailed recommendations on what should be included in your web site privacy policies. (See You, your Privacy Policies and COPPA). According to COPPA, if you have a section of your web site specifically devoted to children, you can have separate privacy policies for compliance with COPPA.

Data Collection Policies - The proper protection and handling of personal information starts at the point of data collection. If you don't have data collection policies and procedures that describe what forms of personal information to collect for what purposes, this is the place to start. Basically, this is the first step in making your organization's insides match its outsides. It does little good to post privacy policies on an external web site, when there are no internal procedures to back them up.

A critical factor at the point of data collection for COPPA is "verifiable parental consent" before collection. COPPA is clear that organizations must receive consent before collection, except under certain limited conditions. It will be key for organizations to define a set of procedures to establish parental consent (for example, via a series of emails, known as "email plus" verification). Another key is to provide the parent with the opportunity to "opt out" of any further information collection from their child. According to the FTC, it is very important to design your information collection in such a way that children are not encouraged to provide a false age.

The entire set of internal procedures required by COPPA will most likely require a separate email-based account management system that allows your organization to communicate with the parents of your young customers.

Data Classification Policies - Do your data classification policies recognize and identify personal information? Even more specifically, is any of the personal information from children? Many organizations have two- or three-level data classification schemes, with labels such as PUBLIC, PRIVATE (Internal Use Only) or CONFIDENTIAL. It is critical to classify customer information to determine its proper protection in the organization. If your organization markets to children, you would be advised to have a separate classification for personal information about children.

Personal Information Review Policies - Unless you are in the health care field under HIPAA requirements, chances are your organization does not have one of these. Basically, this policy states that a customer has the right to review his or her own personal information, including how this information is disclosed to third parties. (This is one of the standard "Fair Information Principles" outlined by the OECD.) In the case of COPPA, the parent has the right to request this. Once the policy is established, it requires a set of procedures that define who responds to these requests, how they are responded to, and how the request and response are recorded for audit purposes.

Notification Policies - How does your organization handle changes to your privacy policies? For example, if you modify your privacy policies and post them on your web site, do you have a mechanism for notifying your existing customers that the policy has changed? In general, it is a good idea to review your policies at least annually. In terms of data privacy, a 6-month review period would be ideal, considering the large number of regulations affecting data privacy.

Incident Response Policies and Procedures - Does your organization identify what to do with a possible violation of customer personal privacy? Have you thought about the possible risks to personal privacy (such as unauthorized disclosure to both internal and external sources) and how you would respond? It is a good idea to review your current incident response policies in light of data privacy. For example, California Senate Bill 1386 has detailed disclosure requirements for organizations that may have experienced a breach that discloses personal data of California residents. While COPPA does not spell out this requirement, it would certainly be considered a "best practice" for organizations concerned with the privacy of children.

Related Resources and Information

COPPA FAQ from the FTC web site, providing helpful guidance and links to other COPPA compliance resources.

Information Shield Whitepaper: Does COPPA Apply to Your Business? - A quick guide to determine if the Children's Online Privacy Protection Act applies to your organization.

Information Security Policies Made Easy contains over 1400 pre-written policies, including incident response and disclosure policies. If you have any gaps in your data protection policies, this is the most cost-effective way to fill them.

You, your Privacy Policies and COPPA - Compliance Guidelines from the FTC.

Full regulatory text of Children's Online Privacy Protection (16 CFR Part 312) is on the FTC web site.

