COPPA, friend or foe?
-
By: Chris Greacen - 03/19/2008
My first exposure to coppa was an amazing sandwich from Molinari's in San Francisco's North Beach. My second introduction came in 1998 while working for DoughNet, a startup that provided financial services for kids. The federal government enacted the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501-6506, during the boom years to assert some controls on the way the new crop of dotcoms collect and handle data from minors. The FTC didn't want to let the DoughNETs prey on kids.
What is COPPA?
COPPA requires that web site operators offer the following provisions to their members:
- Post a privacy policy on the homepage of the Web site and link to the privacy policy on every page where personal information is collected.
- Provide notice about the site's information collection practices to parents and obtain verifiable parental consent before collecting personal information from children.
- Give parents a choice as to whether their child's personal information will be disclosed to third parties.
- Provide parents access to their child's personal information and the opportunity to delete the child's personal information and opt-out of future collection or use of the information.
- Not condition a child's participation in a game, contest or other activity on the child's disclosing more personal information than is reasonably necessary to participate in that activity.
- Maintain the confidentiality, security and integrity of personal information collected from children.
The laws describe specific measures and remedies in order to comply. Even with the FTC-provided how-to guide, they're not entirely black and white. There's a 'sliding scale' for determining appropriate parental consent related to the type of engagement on the site. This grey area, introduced in 2002, allows a less-thorough check for parental consent based on how the site operators want to use the user's private information.
Nick & COPPA
Nickelodeon describes in detail how they use this sliding scale to gain consent appropriate to their site: watching vids, interacting with Nick characters, and playing games. For example, Nick wants to offer "points" or incentives to kids for playing games; this requires an account with a login, which can be created without any personally identifiable information.
Additionally, Nick employs two "email exceptions" which say prior parental consent is not required when:
- an operator collects an e-mail address to respond to a one-time request from a child and then deletes it; and
- an operator collects an e-mail address to respond more than once to a specific request. In this case, the operator must notify the parent that it is communicating regularly with the child and give the parent the opportunity to stop the communication before sending or delivering a second communication to the child.
More information, like the comment from Nick, is collected on the FTC website; it's worth a peek.
Further reading...
- Wikipedia mentions a few companies that have been fined by the FTC for failure to comply.
- More detail on the FTC site.
- A site with the text of the law and tips on complying.
- The text of the law on law.cornell.edu:
I'll write more about COPPA in future posts and how it relates to specific features common to popular websites.