Question:
What are the Children’s Online Privacy Protection Act and the Children’s Internet Protection Act and how might they relate to the work of bloggers, citizen journalists, educational organizations and other online publishers whose subjects, audience and/or participants may include children? What bright line rules and best practices can help ensure compliance?
Response By Levine Sullivan Koch & Schulz:
(Posted on March 19, 2009)
The Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501-6508; 16 C.F.R. Part 312, is designed to place parents in control of personal information collected from young children. The statute applies to commercial Web sites that either are directed to children or knowingly collect personal information from pre-teens. Under the law, such Web sites must post privacy policies and obtain parental consent before collecting personal information from children under the age of 13.
The FTC determines whether a Web site (or section thereof) is “directed to children” using a number of factors, including whether its subject matter and language are child-oriented, whether it uses animated characters, and whether advertising on the site is targeted toward children. The FTC may also consider statistics on the actual ages of a Web site’s users.
A Web site won’t violate COPPA if it blocks children under 13 from participating. However, those wishing to qualify for this exception should be careful that their age input screens are not designed in a way that would encourage children to respond falsely. For example, an age input screen should not state that a participant must be 13 alongside the request for the would-be participant’s age.
“Personal information” means individually identifiable information, such as name, address, email address, gender and hobbies, and includes any persistent identifier that is tied to such information if it can be used to identify, contact, or locate the individual. COPPA also covers personal information collected from children about their parents, friends or other persons. The rules apply whether the information collection is voluntary, such as for a social networking site, or mandatory, such as to participate in a contest. If a Web site isn’t collecting personal information from children, COPPA really isn’t a concern. However, even for Web sites that do not collect children’s information, a posted privacy policy can reassure visitors about the Web site’s information practices.
Foreign-based Web sites must comply with COPPA if they are directed to, or if they knowingly collect personal information from, children in the United States. COPPA generally does not apply to noncommercial, nonprofit entities.
The FTC monitors the Internet for compliance with COPPA and the public may also submit complaints to the FTC regarding alleged violations. Violations of the COPPA regulations may subject a Web site operator to civil penalties of up to $11,000 per violation. If you think that your Web site may not be in compliance with COPPA, you should immediately stop collecting, disclosing or using personal information from children until you are certain you are in compliance.
If your Web site or online service falls within the COPPA regulations, before collecting any information from children under 13, you must:
1. Draft a clear and comprehensive privacy policy describing your information practices.
Your privacy policy should inform people about the types of information your Web site collects and how that information is used. It must include: (1) the name, address, telephone number, and email address of each operator that collects or maintains personal information from children through your site; (2) what information is collected from children and whether it is collected actively or passively (for example, you must disclose that your site uses “cookies” or other passive information collection technologies if you intend to combine such passively collected non-personal information with personal information); (3) how the information is or may be used; (4) whether the information is disclosed to third parties, details about the disclosure(s), and that the parent may deny consent to the disclosure(s); (5) that the child’s participation in an activity cannot be conditioned on the disclosure of more information than is reasonably necessary to participate; and (6) that the parent can review the child’s personal information and refuse to permit the further collection or use thereof. The policy should be written in plain language and you should avoid contradictory or ambiguous statements.
If your Web site has multiple operators that collect information through the site, you may list the contact information for one operator who will respond to all inquiries from parents, but you must also list the names of all the other operators. To keep your privacy policy simple, you can include a clear and prominent link to this complete list of operators, provided you ensure that parents may easily access this list.
2. Prominently post the privacy policy on your home page, and provide a link to the policy on every page where personal information is collected.
COPPA requires that you post a link to the privacy policy clearly and prominently on your home page and also on other places from which personal information is collected. The links must stand out and be noticeable to visitors by using, for example, a larger font size in a different color on a contrasting background. A link is not clear and prominent if it is in small print at the bottom of the page, or is indistinguishable from a number of other adjacent links. If your site includes both sections targeted to a general audience and sections targeted specifically to children, you may use a single privacy policy that includes the information required under COPPA. However, links for the children’s policy (which must be prominently displayed on each children’s page) should take visitors directly to the relevant section where policies related to children’s information are discussed.
3. Provide notice to parents about the site’s information collection practices and obtain verifiable parental consent before collecting personal information from children under 13.
If your Web site collects any personal information from children under 13, you must send parents a “direct notice” that (1) informs the parent that you wish to collect personal information from the child; (2) contains all the information set forth in your online privacy policy; and (3) depending on how you intend to use the information, certain additional information, for example:
- Where you are seeking verifiable consent from the parent, your notice must state that the parent’s consent is required for the collection, use, or disclosure of information, and explain how the parent may provide consent.
- Where your collection of the child’s online contact information falls solely within the “multiple-use” exception (described below), your notice must state: that you have collected the child’s online contact information; that the parent may refuse to permit further contact with the child and direct you to delete the child’s information; how the parent can have the child’s information deleted; and that if the parent fails to respond, you may use the child’s online contact information for the stated purpose.
- Where your collection of a child’s name and online contact information falls solely within the “child safety” exception (described below), your notice must state that you have collected the child’s name and online contact information to protect the safety of the child, that the parent may refuse to permit the use of the information and require its deletion, and that if the parent fails to respond, you may use the information for the stated purpose.
The notice should not include any materials promoting products or services, or other unrelated information. You may send your direct notice to parents via email, and you may use a link to your privacy policy to inform parents of its content.
COPPA generally requires you obtain verifiable parental consent before collecting any personal information from a child, unless your collection fits into one of five “email exceptions,” under which you may collect a child’s, and sometimes a parent’s, online contact information before obtaining parental consent. These exceptions include:
1. Collecting the name and/or online contact information of a parent or child for the sole purpose of providing the required direct notice and obtaining parental consent. If consent has not been obtained after a reasonable time from the date the information was collected, you must delete the child’s personal information from your records.
2. Collecting a child’s online contact information solely to respond to a specific request from the child, as long as the information provided is not used to re-contact the child and is deleted immediately after responding to the child’s specific request.
3. Collecting a child’s and/or a parent’s online contact information in order to send periodic communications, such as online newsletters, site updates, or password reminders (the “multiple-use” exception). Immediately after the initial contact and before making any additional response to the child, you must make reasonable efforts to ensure that the parent receives notice and is informed of the opportunity to opt-out of further use of the information collected. Note that you do not have to obtain the parent’s affirmative consent, and the parent must contact you to discontinue repeated communications; however, you will not have met the “reasonable efforts” requirement if you receive notification that your email notice has bounced back or delivery failed in some other manner.
4. Collecting a child’s name and online contact information where necessary to protect the safety of a child participating on the site (the “child safety” exception). You must use reasonable efforts to provide a parent with notice and you may only use the child’s information for the sole purpose of protecting the child’s safety. You cannot use the information to re-contact the child or for any other purpose, and may not disclose the child’s information on your Web site or online service.
5. Collecting a child’s name and online contact information for the sole purpose of protecting the security or integrity of your site, to take precautions against liability, to respond to judicial process, or to provide information to law enforcement agencies or for an investigation on a matter related to public safety.
If you plan to collect, maintain or disclose information for any other purpose, you must obtain verifiable parental consent. You can use any of several different methods, provided that the method you choose is reasonably calculated to ensure that the person providing consent is, in fact, the child’s parent. COPPA sets forth several alternatives. However, if you are going to disclose children’s personal information to third parties, or make it publicly available by providing an online service such as a social networking site, chat rooms, or message boards, or hosting a blog or personal home pages, etc., then you must use one of the more reliable methods to obtain consent:
- Supply a form that parents may print, fill out, sign, and mail or fax back to you;
- Require parents to use a credit card in connection with a transaction (for example, a membership or subscription fee, a purchase, or a charge to cover the cost of processing the credit card); note that it must be an actual transaction, simply collecting the number is not sufficient;
- Maintain a toll-free telephone number staffed by trained personnel for parents to call in their consent; or
- Obtain consent through an email from the parent, if that email contains a digital signature, or other digital certificate that uses public key technology obtained through one of the above methods.
If you are going to use children’s personal information only for internal purposes, that is, you will not be disclosing the information to third parties or making it publicly available, then you can use any of the above methods, or you can use an “email plus” method, under which you may request (in your direct notice to parents) that they provide consent in a return email. After receiving the parent’s email consent, you must then take steps (the “plus”) to confirm that it was, in fact, the parent who provided consent, by:
- Requesting in your initial email seeking consent that parents include a phone or fax number or mailing address in the reply email, so that you can follow up to confirm consent; or
- After a reasonable time delay, sending another email to the parent to confirm consent. Your confirmatory email should include all the same information contained in your initial direct notice, inform parents that they can revoke their consent, and inform them of how to do so.
It is a best practice to have a readily available backup method for those parents who cannot, or will not, use your primary means of providing consent, for example, via the print-and-send form, which is easy for parents without access to email or a credit card. The FTC recommends that you provide parents with passwords or PIN numbers as a way to confirm a parent’s identity for future contacts.
4. Give parents the ability to review the personal information collected from their child, a choice regarding whether or not their child’s personal information will be disclosed to third parties, and the opportunity to delete the collected information and opt-out of future collection or use thereof.
You must provide parents with the ability to access and review the personal information you have collected from their child after taking reasonable steps to verify that the person seeking such access is indeed the child’s parent. This is why providing parents with a password or PIN number can be very helpful. Other reasonable methods for verifying the parent’s identity include: providing a method for the parent to make their request in writing, such as an email address or fax number; using a credit card transaction; using digital signatures; or asking the parent to submit a driver’s license.
Note that it is not necessary for you to keep all the information you have ever collected from the child in case the parent wants to review it.
If a parent chooses to have his/her child’s information deleted or to opt-out of future collection and use of the child’s information, you must keep in mind that a child’s participation in online activities such as games or contests cannot be conditioned on the child disclosing more personal information than is reasonably necessary to participate in that activity. Where the public disclosure of information is integral to the Web site’s operation, such as in the case of social networking sites and similar services, you are not required to give parents the option that you will collect their child’s information, but not disclose it to third parties. On the other hand, you may not be able to reasonably condition a child’s participation in a game upon their providing personal information.
5. Maintain the confidentiality, security, and integrity of information you collect from children.
It is important that you carefully review your information practices and privacy policy, looking closely at what information you collect; how you collect it; how you use it; whether the information is necessary for the activities on your site; whether you have adequate procedures for providing parents with notice and obtaining verifiable consent; and whether you have adequate means for parents to review and delete their children’s information. You can review additional educational materials on the FTC’s Web site at http://www.ftc.gov/privacy/privacyinitiatives/childrens_educ.html. The FTC also has a COPPA-compliance checklist, which is available at http://www.ftc.gov/bcp/conline/edcams/coppa/checklist.htm
The Children’s Internet Protection Act
The Children’s Internet Protection Act (CIPA), the requirements of which are generally found in 20 U.S.C. § 6777, was enacted by Congress to address concerns about children accessing offensive content over the Internet on school and library computers. CIPA applies to such institutions that receive funding for Internet access or internal connections from the E-rate program, a program that makes certain communications technology more affordable for eligible schools and libraries. CIPA does not affect E-rate funding for schools and libraries receiving discounts only for telecommunications, such as telephone service.
Schools and libraries subject to CIPA may not receive the discounts offered by the E-rate program unless they certify that they have an Internet safety policy addressing the following issues:
- Access by minors to inappropriate matter on the Internet;
- The safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications;
- Unauthorized access including “hacking” and other unlawful activities by minors online;
- Unauthorized disclosure, use, and dissemination of personal information regarding minors; and
- Technological measures designed to restrict minors’ access to materials harmful to minors.
They must also certify that, as part of their Internet safety policy, they are educating minors about appropriate online behavior, including cyberbullying awareness and response and interacting with other individuals on social networking sites and in chat rooms.
Schools and libraries participating in the E-rate program must also have technology protection measures in place to block or filter Internet access to materials that are: (a) obscene, (b) child pornography, or (c) harmful to minors. “Harmful to minors” is defined as any material that (a) taken as a whole and with respect to minors, appeals to a prurient interest in nudity, sex, or excretion; (b) depicts, describes or represents, in a patently offensive way with respect to what is suitable for minors, an actual or simulated sexual act or sexual contact, actual or simulated normal or perverted sexual acts, or a lewd exhibition of the genitals; or (c) taken as a whole, lacks serious literary, artistic, political, or scientific value as to minors. Schools subject to CIPA also are required to adopt and enforce a policy to monitor online activities of minors.
School and library administrators must provide reasonable public notice and hold at least one public hearing to address their proposed technology protection measure and Internet safety policy.
CIPA does not require the tracking of Internet use by minors or adults. In addition, an authorized person may disable the blocking or filtering measures during any use by an adult to enable access to blocked materials for bona fide research or other lawful purposes.
From Geanne: Thank you Levine Sullivan Koch & Schulz for this very thorough reply.