Get the most out of your Inc. online experience by registering and joining the Inc. community today. Get access to all Inc.com content and priority invites to free Inc. networking events in your area.

Login using:


Or login directly through Inc.com

Children'S Online Privacy Protection Act (COPPA)

 

The Children's Online Privacy Protection Act (COPPA) is a U.S. federal law designed to limit the collection and use of personal information about children by the operators of Internet services and Web sites. Passed by the U.S. Congress in 1998, the law took effect in April 2000. It is administered and enforced by the Federal Trade Commission (FTC). COPPA is "the first U.S. privacy law written for the Internet," Melissa Campanelli wrote in Entrepreneur. "It was written specifically for Internet marketers that operate Web sites visited by children under the age of 13 and collect personal information from those kids. Its purpose is to regulate that collection."

The FTC conducted a survey of 212 Web sites in 1998 and found that 89 percent of them collected personal information from children. Of those that collected data from children, 46 percent did not disclose this fact or explain how the information was used. The law was intended to address this potential problem by requiring Web sites and other online services directed toward children under the age of 13—as well as general audience sites that collect personal information from children—to obtain verifiable consent from the children's parents. "Its stated purpose is to protect children from micro-targeting by advertisers and to minimize the potential for contact with dangerous individuals through chat rooms, e-mail, and bulletin boards by involving parents in kids' online activities," Monica Rogers explained in Crain's Chicago Business.

REQUIREMENTS OF COPPA

COPPA applies to a variety of Web sites and services with content that may appeal to children. "In determining whether a Web site is directed toward children, the FTC will consider, among other things, the site's content, language, advertising and intended audience, as well as the use of child-oriented graphics or features," Antony Marks and Keith Klein noted in the Los Angeles Business Journal.

But the law also affects general interest sites that collect information from children, whether the site's operators intend to do so or not. "The arm of COPPA is very long because it also applies to general audience Web sites that have actual knowledge that they are collecting personal information from children," Robert Carson Godbey wrote in Hawaii Business. "You can easily, and inadvertently, fall into this category. If you invite browsers of your Web site to submit individually identifiable information—which can include name, address, e-mail address, hobbies, interests, information collected through cookies, basically anything that can be individually identified to the person responding, for a variety of reasons, and that information includes age—then you may have 'actual knowledge' that you have collected personal information from children if anyone under 13 responds to your invitation."

COPPA requires the operators of these types of Web sites to include a clearly written privacy notice on their home page and anywhere on their site where user data are collected. The privacy policy must reveal who is collecting and maintaining the information children supply to the Web site and provide information about how to contact them; explain how the children's personal information will be used; and state whether it will be made available to third parties. In addition, COPPA requires Web site operators to obtain "verifiable parental consent" in advance of collecting or using personal information from children. Even when parental consent has been granted once, the site operators must seek consent again any time they make changes in their privacy policies. Exceptions to COPPA's parental consent requirements are allowed for the collection of e-mail addresses in order to seek consent, protect the safety of a child, or respond to a child's one-time request (provided that the e-mail address is deleted immediately afterwards).

The FTC rules cite several acceptable methods for Web site operators to verify parental consent, including a signed form sent via fax or regular mail, a credit card number provided online, calls made on a toll-free telephone staffed by trained personnel, and e-mail accompanied by a digital signature or password. The method used by a certain Web site depends on the type of information collected from children and the way it is used. For example, e-mail consent is acceptable for Web sites that collect personal information only for internal purposes, like marketing to a child based on his or her preferences. Stricter methods are required when the information is made available to third parties.

COPPA COMPLIANCE

The FTC applies penalties for noncompliance ranging up to $11,000 per incident. Although the financial penalty is stiff, a business that failed to comply with the law would likely suffer even worse consequences as a result of negative publicity. After all, who would want their Web site to be known as one that put children at risk? Unfortunately, COPPA compliance can be complicated. "The goals of COPPA are no doubt admirable. The implementation, however, can be daunting," Godbey noted. "The difficulty comes from the requirement of 'verifiable consent' from a parent '¦ How do you obtain verifiable parental consent? How do you verify parental consent in an online environment where the children probably know more about the family computer than their parents do?"

 1 | 2  NEXT