COPPA, or the Children's Online Privacy Protection Rule, was designed to protect the privacy of children under 13 years of age by giving their parents certain tools to control how the child's information can and cannot be used. In providing parents with these tools, the Act imposes specific requirements on operators of websites or online services directed to children under the age of 13 or that knowingly collect information about children under the age of 13.

With the broad purpose of the Act, this article will address the questions that arise for those in the business community, such as:

• Do I have to comply with the requirements of COPPA?
• What are those requirements?
• Is there any way to ensure my efforts are sufficient?

Does COPPA Apply To You?

COPPA applies to those who operate websites or offer online services that collect personal information from children under the age of 13. If you are not sure whether your site or service fits into that category, consider these qualifying questions:

• Is your website or the online services you offer directed to children under 13? If so, do you:
  • Directly collect personal information from those children?
  • Allow others to collect personal information from those children?
• If your website or online services are directed to a general audience, do you know if you collect personal information from children under 13?
• If you run an ad network or a plug-in, do you collect personal information from users of a website or service directed to children under 13?
  If the answer is "yes" to any of the above questions, the next step is to determine what action or actions should be taken to adhere to COPPA.

COPPA Requirements

At a high level, COPPA requires the operator of a website or online service to:

• Notify parents of company information practices – using a privacy policy and other appropriate documentation
• Obtain verifiable parental consent for the collection, use, or disclosure of children's personal information
• Let parents prevent further maintenance or use or future collection of their child's personal information
• Provide parents access to their child's personal information
• Not require a child to provide more personal information than is reasonably necessary to participate in an activity
• Maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information

There are many ways to meet the letter of these requirements, but businesses often want assurances that their efforts will insulate them from liability imposed by COPPA. There is a safe harbor provision within the Act that allows industry groups and others to request FTC approval of self-regulatory guidelines to govern participating websites that comply with the rule.

The privacy policy must include the following:

• A list of all persons or entities collecting personal information through the site or service
• A description of the personal information collected and how it is used
• A description of parental rights -if you are going to collect information about children under 13, you must directly notify the parents before collecting such information

The parental notice should be straightforward and must specifically tell parents you collected the parent's information online for purposes of obtaining consent to collect information about their child, that you want to collect information on their child, and that their consent is required for the collection, use, and disclosure. That notice also has to identify the specific information you will collect and how you might disclose it to others, a link to your privacy policy, and how the parent can express consent. You must also tell the parent that if they do not respond to the notice, you will delete the parent's contact information from your records, and you must delete it and not collect information on the child.

Determining Whether the Parental Consent You Receive Is Verifiable

Not only does COPPA require parental consent to collect personal information about children, but it also requires consent to be verifiable or that the person providing consent is a parent or legal guardian.

Some methods determined to be verifiable include having the parent:

• Sign a consent form and send it back via fax, mail, or electronic scan
• Use a credit card, debit card, or another online payment system that provides notification of each separate transaction to the account holder
• Call a toll-free number staffed by trained personnel
• Connect to trained personnel via a video conference
• Provide a copy of a government-issued ID checked against a database, as long as the identification is deleted from your records when you finish the verification process
• Answer a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer
• Verify a picture of a driver's license or other photo ID submitted by the parent and then compare that photo to a second photo submitted by the parent using facial recognition technology.

Where can I find information about COPPA?

The FTC has a comprehensive website with public information on a variety of agency activities. The Children's Privacy section includes a variety of materials regarding COPPA, including all proposed and final rules, public comments received by the Commission in the course of its rulemakings, guides for businesses, parents, and teachers, information about the Commission-approved COPPA safe harbor programs, and FTC cases brought to enforce COPPA. Many of the educational materials on the FTC website also are available in hard copy free of charge at www.bulkorder.ftc.gov.

If your business needs assistance navigating COPPA, visit BurrCyber.com.