Children's Online Privacy Protection Act (COPPA)
16 CFR Part 312
Since the rule took effect, several companies have paid sizeable civil penalties for COPPA violations. Most recently, UMG Recordings was fined $400,000. In 2003, Mrs. Fields and Hershey Foods each received large civil penalties for COPPA violations. In 2004, Bonzi Software was ordered to pay $75,000; this was the first case in which a software product, rather than an online service, was the subject of the ruling. As these actions indicate, the FTC is prepared to enforce COPPA, and organizations should be mindful of the law's requirements.
Requirements - COPPA and the FTC's implementing rule apply to operators of commercial web sites or online services (or portions thereof) that are directed to children under the age of 13, or that knowingly collect personal information from such children. The rule covers all personal information collected after April 21, 2000, regardless of any prior relationship an operator has had with a child. COPPA also requires that operators establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected. Fortunately, the FTC provides several documents that guide organizations toward compliance. COPPA and the FTC's rule require covered operators to:
- Provide parents notice of their information practices;
- Obtain prior verifiable parental consent for the collection, use, and/or disclosure of personal information from children (with certain limited exceptions for the collection of "online contact information," e.g., an e-mail address);
- Provide a parent, upon request, with the means to review the personal information collected from his/her child;
- Provide a parent with the opportunity to prevent the further use of personal information that has already been collected, or the future collection of personal information from that child;
- Limit collection of personal information for a child's online participation in a game, prize offer, or other activity to information that is reasonably necessary for the activity; and
- Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected.
There are several aspects of your policy program that could be affected by COPPA. Here are some areas to review:
Privacy Policies - COPPA directly affects the content and application of your privacy policies. The FTC provides detailed recommendations on what should be included in your web site privacy policies (see You, your Privacy Policies and COPPA). Under COPPA, if a section of your web site is specifically devoted to children, you may maintain a separate privacy policy for that section to satisfy the rule.
Data Collection Policies - The proper protection and handling of personal information starts at the point of data collection. If you don't have data collection policies and procedures that describe what forms of personal information to collect for what purposes, this is the place to start. Basically, this is the first step in making your organization's insides match its outsides. It does little good to post privacy policies on an external web site, when there are no internal procedures to back them up.
A critical factor at the point of data collection for COPPA is "verifiable parental consent" obtained before collection. COPPA is clear that operators must receive consent before collecting personal information, except under certain limited conditions. Organizations will need a defined procedure for obtaining parental consent (for example, a consent e-mail to the parent followed by an additional confirming step, known as "email plus" verification). Another key requirement is to give the parent the opportunity to "opt out" of any further collection of information from the child. The FTC also stresses that the age screen should be designed so that children are not encouraged to provide a false age; ask for a date of birth neutrally rather than signalling which answer unlocks the site.
The entire set of internal procedures required by COPPA will most likely require a separate email-based account management system that allows your organization to communicate with the parents of your young customers.
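The following is an added example, not code from the original article or from the FTC, of the collection-side controls described above: a neutral age screen, an "email plus" two-step consent workflow, a parent opt-out, and an audit trail for later review requests. The class and function names, the two-token design (a link token for the consent e-mail and a separate follow-up token for a delayed confirmation e-mail), the 7-day expiry, and the in-memory store are all illustrative assumptions; a real deployment would persist the records and send the e-mails.

```python
"""Added example (not from the original article or the FTC): a minimal
age screen plus an 'email plus' parental-consent workflow.

Assumptions not stated in the article: the two-token two-step flow, the
7-day expiry, and all names below are illustrative choices.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional

COPPA_AGE = 13

# Neutral age screen: ask for a date of birth and nothing that hints at the
# threshold (no "Are you 13 or older?" checkbox), so the form does not
# encourage a child to enter a false age.
AGE_PROMPT = "Please enter your date of birth (MM/DD/YYYY):"


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def is_child(dob: date, today: Optional[date] = None) -> bool:
    return age_on(dob, today or date.today()) < COPPA_AGE


@dataclass
class ConsentRequest:
    child_id: str
    parent_email: str
    link_token: str                         # step 1: carried in the consent e-mail
    created: datetime
    follow_up_token: Optional[str] = None   # step 2, the "plus": delayed confirmation
    clicked: Optional[datetime] = None
    confirmed: Optional[datetime] = None


class ConsentStore:
    """In-memory consent records (assumed design). A real deployment persists
    these and the audit trail so parental review requests can be answered."""

    def __init__(self, ttl: timedelta = timedelta(days=7)):
        self._requests: dict[str, ConsentRequest] = {}   # keyed by child_id
        self._consented: set[str] = set()
        self.ttl = ttl
        self.audit: list[tuple] = []

    def request_consent(self, child_id: str, parent_email: str,
                        now: Optional[datetime] = None) -> ConsentRequest:
        now = now or datetime.now(timezone.utc)
        req = ConsentRequest(child_id, parent_email, secrets.token_urlsafe(32), now)
        self._requests[child_id] = req
        self.audit.append(("consent_requested", child_id, now))
        return req   # the caller e-mails a link carrying req.link_token to the parent

    def _fresh(self, req: ConsentRequest, now: datetime) -> bool:
        return now - req.created <= self.ttl

    def record_click(self, child_id: str, token: str,
                     now: Optional[datetime] = None) -> Optional[str]:
        """Step 1: the parent followed the link. Returns the follow-up token
        for the second, delayed confirmation e-mail, or None on failure."""
        now = now or datetime.now(timezone.utc)
        req = self._requests.get(child_id)
        if req is None or not self._fresh(req, now):
            return None
        if not hmac.compare_digest(req.link_token, token):   # constant-time compare
            self.audit.append(("bad_link_token", child_id, now))
            return None
        req.clicked = now
        req.follow_up_token = secrets.token_urlsafe(32)
        self.audit.append(("link_clicked", child_id, now))
        return req.follow_up_token

    def record_confirmation(self, child_id: str, token: str,
                            now: Optional[datetime] = None) -> bool:
        """Step 2: the parent answered the delayed confirmation. Only now is
        consent effective and collection allowed."""
        now = now or datetime.now(timezone.utc)
        req = self._requests.get(child_id)
        if (req is None or req.clicked is None or req.follow_up_token is None
                or not self._fresh(req, now)):
            return False
        if not hmac.compare_digest(req.follow_up_token, token):
            self.audit.append(("bad_follow_up_token", child_id, now))
            return False
        req.confirmed = now
        self._consented.add(child_id)
        self.audit.append(("consent_confirmed", child_id, now))
        return True

    def revoke(self, child_id: str, now: Optional[datetime] = None) -> None:
        """Parent opt-out: stop any further collection from this child."""
        now = now or datetime.now(timezone.utc)
        self._consented.discard(child_id)
        self._requests.pop(child_id, None)
        self.audit.append(("consent_revoked", child_id, now))

    def may_collect(self, child_id: str, dob: date,
                    today: Optional[date] = None) -> bool:
        """Gate every collection of personal information on this check."""
        return not is_child(dob, today) or child_id in self._consented
```

The point of the two tokens is that a single click on an e-mailed link (which the child may be able to perform from a shared mailbox) never by itself unlocks collection; the record only becomes consent after the separate follow-up step, and `may_collect` is the one gate every form handler should call.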
Data Classification Policies - Do your data classification policies recognize and identify personal information? More specifically, do they identify which personal information comes from children? Many organizations use two- or three-level classification schemes with labels such as PUBLIC, PRIVATE (Internal Use Only), or CONFIDENTIAL. It is critical to classify customer information so that the organization can determine its proper protection. If your organization markets to children, you would be well advised to have a separate classification for personal information about children.
Personal Information Review Policies - Unless you are in the health care field and subject to HIPAA, chances are your organization does not have one of these. Such a policy states that a customer has the right to review his or her own personal information, including how it is disclosed to third parties. (This is one of the standard "Fair Information Principles" outlined by the OECD.) Under COPPA, the parent has the right to make this request on the child's behalf. Once the policy is established, it requires a set of procedures defining who responds to these requests, how they are responded to, and how each request and response is recorded for audit purposes.
Notification Policies - How does your organization handle changes to its privacy policies? For example, if you modify your privacy policies and post them on your web site, do you have a mechanism for notifying existing customers that the policy has changed? In general, it is a good idea to review your policies at least annually. For data privacy, a six-month review period would be ideal, given the large number of regulations affecting data privacy.
Incident Response Policies and Procedures - Does your organization define what to do about a possible violation of customer privacy? Have you considered the risks to personal privacy (such as unauthorized disclosure to internal or external parties) and how you would respond? It is a good idea to review your current incident response policies in light of data privacy. For example, California Senate Bill 1386 sets out detailed disclosure requirements for organizations that may have experienced a breach exposing personal data of California residents.
While COPPA itself does not spell out a breach-notification requirement, it would certainly be considered a "best practice" for organizations concerned with the privacy of children.
Does COPPA Apply to Your Business? - A quick guide to determine whether the Children's Online Privacy Protection Act applies to your organization.
Information Security Policies Made Easy - Contains over 1400 pre-written policies, including incident response and disclosure policies. If you have any gaps in your data protection policies, this is the most cost-effective way to fill them.
You, your Privacy Policies and COPPA - Compliance guidelines from the FTC.
Full regulatory text of the Children's Online Privacy Protection Rule (16 CFR Part 312) is on the FTC web site.