Coping with COPPA
Children's Privacy in an Online Jungle
By Robert Cannon
By and large, when it comes to protecting consumer
privacy, the mantra in Washington has been
self-regulation. Privacy gaffes by online companies
are characterized as merely the normal growing pains
of the new online economy. In addressing them,
government has generally opted to negotiate
resolutions with industry and consumer groups, rather
than apply new regulations.
As with many issues, however, when it comes to
children, industry blunders have swiftly been greeted
by the sound of the gavel coming down. This April
marked the first anniversary of the Children's Online
Privacy Protection Act (COPPA), the first online
privacy law to come out of Washington. Since its
inception, COPPA has accounted for $100,000 in civil
penalties levied against Web businesses. Compliance
with new Federal regulations, in which the details are
still fuzzy, can be a challenge. As always, if you
find that your business plan includes areas under
COPPA's jurisdiction, investment in good legal advice
might be a sound decision. A working understanding of
the law can also help you identify potential trouble
areas, and set your site along the path to COPPA
compliance.
Damning Evidence
The story of COPPA began in the mid-1990s. A 1996
report by the Center for Media Education (CME), which
documented how online services handled children's
information, gave the first indication that
self-regulation alone wasn't enough when it came to
kids' privacy. The behavior it described was
atrocious. The report found that numerous Web sites
targeting children either had no privacy policies
posted at all, or else failed to adhere to their own
policies. Worse, deceptive data-gathering tactics
targeting children were commonplace. For example, an
online service might set up games in which children
could earn points toward winning prizes. Play a few
games and win a few points. Provide your parents'
salaries, along with information about their
employers, and win lots of points.
CME's report persuaded the Federal Trade Commission to
conduct its own study. The results, published in
"Privacy Online: A Report to Congress",
revealed that while 89 percent of sites
surveyed collected information from children, only 24
percent had posted privacy policies, and only 1
percent required prior parental consent.
The FTC report led to an unusual break by Congress
from the mantra of self-regulation, and the swift
passage of COPPA in 1998. By April 21, 2000, FTC
regulations implementing the bill had been
promulgated, and compliance with COPPA was mandatory.
COPPA in a Nutshell
COPPA is the first online privacy law to come out of
Washington. (For clarification, see "The COPPA vs. COPA Confusion").
You must comply with COPPA's regulations if you are the operator of an online
service that either (a) specifically targets children
under the age of 13, or (b) has "actual knowledge"
that it is collecting information from children under
the age of 13 (more on this later). Nonprofits are
exempt from COPPA. Otherwise,
if you meet either of these criteria, then your site
is subject. To comply, you must:
- Conspicuously post a privacy policy indicating what data you collect, and what you do with it.
- Obtain verifiable consent from the child's parent before you collect any data. Importantly, once a parent agrees to your privacy policy, those terms are as good as set in stone. If you make a material change to your privacy policy, you must get consent from all of the parents all over again.
- Give parents the option to consent to your information gathering, yet still forbid disclosure of the data to third parties.
- Provide parents the opportunity to review the data collected.
- Give parents the option to revoke their consent. If they do so, they are in effect telling you that you may no longer use, and must delete, information about their kids.
- Institute a program to ensure the security and integrity of the data you collect.
How much will it hurt if you're caught violating
COPPA? You can be fined up to $11,000 per child per
incident; and the grace period for enforcement is over.
Is My Site Subject?
The FTC has indicated that it will determine whether a
Web site targets children based on: "visual or audio
content; the age of models on the site; language;
whether advertising on the Web site is directed at
children; information regarding the age of the actual
or intended audience; and whether a site uses animated
characters or other child-oriented features."
Even if your service doesn't explicitly target
children, you may yet be subject to COPPA. You still
fall under its provisions if you have what is called
"actual knowledge" that some of your visitors are
children.
Some Web sites gather statistical information on
visitors without any thought that some may be
children, and without the specific intention to market
or serve underage visitors. However, as soon as you
ask your visitors' ages and they tell you that they
are under 13, you have actual knowledge. And once you
have actual knowledge, you're stuck with it. If you
ask and you know, COPPA applies.
But what happens when kids lie about their
ages? Doesn't this mean that any data gathering could
potentially put your company at risk? No. According to
COPPA, this is not your problem. If nothing about a
visitor's presence informs you that the visitor is a
child, then you lack actual knowledge.
What Is Personal Information?
Personal information, where COPPA is concerned, means
individually identifiable information. Examples
include:
- a first and last name,
- a physical address,
- an email address, screen name, or other online identifier,
- a telephone number,
- a social security number,
- a cookie or other persistent identifier.
It also means any additional information collected
from the child in combination with any of the above
items. So once you've collected personal information
from a child, all additional information collected is
similarly infected.
Note that if the information you want to collect is
not on the above list (and your Web site does not
target children), then you can collect it without
falling under the restrictions of COPPA. It is, for
example, possible for you to conduct surveys of
visitors to your site and not fall under COPPA, so
long as no part of your survey asks for personally
identifiable information. You can even ask a visitor's
age, so long as you do not, for example, ask for the
visitor's name or set a cookie.
This is because age is not itself defined by COPPA as
personally identifiable information. Thus, you can ask
the age of the visitor without having to comply with
COPPA further. If the visitor is under the age of 13,
a viable option is to refuse to collect any personally
identifiable information. If such information is
necessary to provide your online service, you may opt
not to offer your services to that visitor at all.
Finally, note that to fall under COPPA, information
must be collected online. Suppose, for example, the
visitor prints out a form and then mails in the
information. Even though that form may have been
printed from a Web page, the information gathering
does not fall under COPPA.
Getting the Go-Ahead
FTC rules set forth specific requirements for
compliance with COPPA, including what constitutes
parental consent. You can obtain parental consent
through several methods, including digital signatures,
a signed form that's returned by mail or fax, the use
of a credit card,
or by having a parent telephone in to a properly
trained staff member.
To make things a bit more complicated, the FTC is
phasing in its requirements. Until April 2002, you can
also seek consent from the parent via email, so long
as you take steps to ensure that the consent was
authentic (such as a delayed letter or phone call to
the parent for confirmation).
This is only allowable in situations in which the
information is gathered exclusively for internal use,
however, such as marketing to the child based on his or
her preferences. If you plan to disclose the
information to third parties, you must use the most
reliable means of gaining consent, such as those
listed previously. Consent via email in these cases is
not allowed.
One further area of caution applies to monitored
online communities, such as message groups or chat
rooms. If a given community targets children, or if a
visitor reveals that he or she is a child, then the
operators of the community must comply with COPPA.
The community monitor could strip all personal
information from the messages prior to posting them.
In such cases, the community wouldn't need to obtain
further parental consent. The only other option is for
you to gain parental consent before children
participate.
This is likely to pose a significant challenge to
monitored communities that don't target children and
aren't accustomed to COPPA. If such a community is
suddenly confronted with a message that states, "Hi,
my name is Tommy, I'm in the 6th grade, and I'm doing
a research project," community monitors must be
trained to take immediate action to comply with COPPA.
Note, however, that these rules do not apply to
Exceptions to the Rule
COPPA permits online businesses to interact with
visitors without parental consent in a few distinct
situations. Web sites may:
- gather personal information for the purpose of contacting the child's parents to gain consent.
- respond on a one-time basis to a child's inquiry if they don't use that personal information for any further purposes and delete it from their databases.
- collect personal information for the purpose of protecting the child's safety if that information isn't used for any other purpose including contacting the child, and that information is not disclosed anywhere on the online service.
- collect information solely for the purpose of maintaining the security or integrity of the system, or as required by law or judicial process.
Also, COPPA provides for what are called Safe Harbors.
These are industry self-regulation programs that are
submitted to the FTC for approval. If a program is
approved, then sites that are certified as complying
with that program are deemed to be in compliance with
COPPA. Of course, entities seeking FTC approval of
such self-regulation programs must provide assurances
that the integrity of their programs will be
maintained. So far, only three applications for Safe
Harbor status have been approved: those of the
Children's Advertising Review Unit, the Entertainment
Software Rating Board, and of TRUSTe.
In the area of online contests, there is actually a
more specific rule, as this was one of the areas of
greatest abuse. Specifically, an operator of an online
contest targeted at children is permitted to gather
from the visitor only such information as is
reasonably necessary for the visitor to participate in
the activity. In other words, no asking for mommy and
daddy's salary to win a free T-shirt.
Survey Says...
CME, authors of the original study that highlighted
the problem of children's privacy, conducted a
follow-up survey one year following the enactment of
COPPA. CME surveyed 153 commercial Web sites directed
at children under the age of 13, including current
children's Web sites and those used in the FTC study.
CME's survey found that COPPA has had a significant
impact on Web site operator behavior.
First, and importantly, the percentage of Web sites
with posted privacy policies increased dramatically.
In 1998, the FTC found that 24 percent of children's
Web sites surveyed had posted privacy policies. In
2001, 76.3 percent had posted privacy policies.
Children's Web sites continue to collect personal
information, but the information collected has
changed: 85.6 percent of children's Web sites
collected personal information in 2001, as compared to
89 percent in 1998, essentially the same number.
However, only 19.8 percent of sites collected postal
addresses in 2001, down dramatically from 49 percent
in 1998. Likewise, the number of sites collecting
phone numbers from children declined from 24 percent
to 10.7 percent.
Room for Improvement
Of those Web sites surveyed, 72 percent had a link to
their privacy policy on every page where data
collection took place. A continuing problem, however,
is that only 34 percent of sites have a link that is
"clear and prominent," as required by law. Privacy policies hidden in fine print at the bottom of the
page aren't enough. "Clear and prominent" links must
stand out and yell, "Here I am!"
Further, while it's one thing to have a policy, it's
another to follow it. While the number of Web sites
with posted policies was impressive, CME's survey
found 50 sites that collected data from children in a
way that required prior parental consent. Only 19 of
those sites in fact made an effort to obtain the
required permission. Of those that did seek to obtain
consent, the most popular methods were through the use
of a credit card (52.6 percent of the time) and by
providing a consent form to be printed out, signed,
and sent back (47.4 percent of the time).
One major area of abuse involved Web sites that
encouraged children to lie about their age. For
example, such sites might have registration forms
requesting personal information before visitors could
take advantage of the site. On the form would be a
request for age information along with a statement, in
big bold red letters, that services were unavailable
to children under the age of 13. Other sites might
have pop-up windows that appear when someone enters an
age younger than 13. The window would state, again,
that services were unavailable to children under the
age of 13.
The key is that when the pop-up window closes, the
child can return to the form and change the entered
age. All of this creates the incentive and the ability
for children to lie about their age to gain access to
the services.
Biting the Bullet
This April, on the first anniversary of COPPA, the FTC
announced that it would issue its first fines,
charging three Web sites with "illegally collecting
personally identifying information from children under
13 years of age without parental consent, in violation
of the COPPA rules." These enforcement actions were
settled by having the site operators agree to pay
$100,000 in civil penalties, to comply with COPPA in
the future, and to delete the data in question.
Overall, the first year of COPPA saw marked
improvement in the handling of children's data by
online services. But it also saw several children's
Web sites cease operations. These sites concluded that
compliance with the new regulations would be too
onerous and opted instead to either shut their doors
completely, or else to close the doors specifically to
children under the age of 13.
While some online ventures insist that COPPA
compliance is too difficult for their sites to remain
in business, the FTC takes these reactions with a
grain of salt. FTC staff members warn that some
ventures with flawed business plans have looked for
regulatory scapegoats to justify their failures. (For
more on this topic, see "Recent Privacy Research is Misrepresented").
COPPA supporters also argue that compliance is hardly
onerous, particularly in light of the statute's focus:
children under the age of 13. Any online service
working with young children ought to be handling those
relationships with care. These are, after all, young
children. Online ventures that find the proper care of
young children's data too burdensome probably
shouldn't be in that line of business anyway.
Finally, it's worth noting that COPPA doesn't prohibit
these Web sites from operating. It only forbids them
to collect personal information. If compliance with
the regulations governing data collection is too
difficult, these online businesses are free to
continue operations, minus data collection.
Protection for and care of young children is important
to our culture. Those who profit off them, but find it
too difficult to protect them, shouldn't expect to
receive much public sympathy or support. Fortunately,
the FTC has set forth clear guidelines as to what does
and doesn't constitute acceptable behavior by
children's Web sites. By understanding COPPA, your
business can market its products or services to this
important demographic, while remaining in full
compliance with the law.
More information can be found online at the FTC's Children's Privacy Web site.
Robert is senior counsel for Internet issues in the
FCC's Office of Plans and Policy. He is also director
of the
Washington Internet Project, a pro-bono project dedicated
to promoting awareness of and participation in federal
regulatory developments that affect the Internet.
Views expressed are not necessarily those of his
employer. Robert can be reached at cannon@cybertelecom.org.