Children's Online Privacy Protection Act of 1998 - What Parents and Online Business Owners should know about COPPA

Children's Online Privacy Protection Act of 1998 - What Parents and Online Business Owners should know about COPPA
Page content

What Parents Should Know About the Children’s Online Privacy Protection Act of 1998

The general rule of COPPA is that children’s information has to be protected online. It has two sides of protection.

If a website plans to gather information from children under the age of 13, they must secure verifiable consent from a parent and publicly state how the information will be collected, used and disclosed somewhere on the website. Protected information includes their name, address, e-mail address, telephone number and their Social Security Number.

Parents have a right to secure parental access to their child’s account, as long as they confirm their identity with the website owner. They then have a right to know the website’s policy for privacy, and they may demand that the website stops collecting information from their child and they may request that any existing information be deleted.

Note that the website must verify the parent’s identity. Possible options include a toll-free hotline, a signed postcard, a digital signature in an e-mail or a verified credit card number.

If you’d like more tips for keeping your child safe online, read more in the linked article.

What Business Owners Should Know About the Children’s Online Privacy Protection Act of 1998

Business owners need to understand COPPA if they wish to stay legal and deal primarily with children. If your website is aimed primarily at a demographic under the age of 13 (as judged by FTC standards, language and graphics), then you need to take the appropriate steps if you plan to gather any information.

There has to be a reasonable attempt to gain parental consent beforehand, a full privacy policy notice (written in plain English, in plain sight) and you must be ready to handle the methods discussed above if a parent wishes to learn more about what information their child has disclosed, or wishes to terminate the account.

Reasonable efforts to gain consent are somewhat debatable, and it seems to fall to common sense. A generally accepted method appears to be a delayed e-mail sent to the parent’s address, or a telephone number. Obviously any business that plans to handle children’s information should seek out a professional legal consultant to see if their methods of consent are up to snuff and current case law.

COPPA - Examples

A very quick example should help make the issue clear. There have been 17 cases brought against firms for the Children’s Online Privacy Protection Act of 1998. Let’s look at the case brought against Hershey.

The chocolate and candy producer had several sections of their website explicitly aimed toward young children, with colorful graphics and a specific “Kidztown” area. They offered a sweepstakes which was available to children under 13, if they had their parents fill in a consent form which popped up.

The problem was that the consent form wasn’t enough to comply with COPPA. It could easily be ignored, and the site would still accept the child’s information. There were no safeguards for filling out the form with a stated age of less than 13, and by popping up instantly, it was seen as likely that many would lie or have another non-parent fill it out.

These issues led to a charge against the company. The violation of the Children’s Online Privacy Protection Act cost Hershey a $85,000 settlement with the Federal Trade Commission (FTC).

COPPA - Exemptions

Both webmasters and parents should understand the exemptions that exist according to the the Children’s Online Privacy Protection Act:

Website operators do not have to obtain consent if the request for information is just a one-time event (or one request that requires multiple contacts). If the personal information will not be stored or used in the future, after the request is fulfilled, then it is exempt.

All contact information gained simply to maintain the security of the site or the account, or stay in compliance with legal requests and acts is also exempt.

Safe harbor organizations, such as TRUSTe and CARU (Children’s Advertising Review Unit), can provide approved self regulation under the act once they have been approved.

Closing Notes

The Children’s Online Privacy Protection Act of 1998 not only applies to business owners in the strict sense but also to web site owners, commonly known as webmasters, if their web site collects children’s demographic data according to COPPA.

Disclaimer: The information in this article was not written or reviewed by a lawyer. If you wish to ensure compliance with the act, or wish to file a complaint, please consult a legal practitioner.