Background: The Children’s Online Privacy Protection Act of 1998 (COPPA) and its implementing regulations, the Children’s Online Privacy Protection Rule (COPPA Rule) (in effect since April 21, 2000), have served as the primary law in the U.S. for protecting personal information about children online. It’s a gross understatement to state that the Internet is a different world than what it was when COPPA and the COPPA Rule were implemented. Suffice it to say that the world of social networks combined with mobile computing has, for better or for worse, become the fabric of our children’s world – and in 1998 social networks were not even in Congress’s imagination. The Federal Trade Commission (FTC), charged with enforcement of COPPA, has scheduled a COPPA Rule Review Roundtable on June 2, 2010 and is collecting comments through June with the objective of seeing whether changes to the COPPA Rule should be considered. On April 29th, Senate Commerce Chairman John (Jay) Rockefeller, D-W.Va., said that Congress may also need to consider making changes to COPPA itself. So, it’s a good time to review what COPPA requires and what might be changed.

First – A Word of Caution: COPPA enforcement is alive and well. Late last year, Iconix Brand Group, Inc. agreed to pay a $250,000 civil penalty to settle FTC charges that Iconix violated COPPA by knowingly collecting, using, or disclosing personal information from children online without first obtaining their parents’ permission. The FTC order also contains standard compliance, reporting, and record-keeping provisions to help ensure that Iconix abides by its terms. Often the internal costs of complying with FTC-ordered monitoring and reporting obligations can exceed the amount of the fine. Nobody wants to be caught in the FTC’s crosshairs.

Summary of COPPA:

The COPPA Rule has broader coverage than commonly thought. It applies to: (1) websites directed to children under 13 that collect personal information from children; (2) general audience websites that knowingly collect personal information from children under 13; and (3) general audience websites that have a separate children’s area and that collect personal information from children. It is important to emphasize that COPPA only applies to children under 13. No protection is extended to children 13 and above. Whether this age cutoff leaves many vulnerable children still vulnerable can be debated, but does not seem to be seriously on the table for reconsideration.

Covered websites are required to: (1) post a privacy policy on the homepage of the website and link to the privacy policy everywhere personal information is collected; (2) provide notice to parents about the website’s information collection practices and, with some exceptions, get verifiable parental consent before collecting personal information from children; (3) give parents the choice to consent to the collection and use of a child’s personal information for internal use by the website, and give them the chance to choose not to have that personal information disclosed to third parties; (4) provide parents with access to their child’s information, and the opportunity to delete the information and opt out of the future collection or use of the information; (5) not condition a child’s participation in an activity on the disclosure of more personal information than is reasonably necessary for the activity; and (6) maintain the confidentiality, security and integrity of the personal information collected from children.

The most challenging parts of the COPPA Rule to comply with are the requirement to get parental consent before collecting a child’s information and the procedures for allowing a parent to review the child’s personal information, have it deleted, and refuse to allow the further collection or use of the child’s information. Privacy policies and the entire operation of covered websites must be carefully reviewed for compliance with the COPPA Rule.

For instance, how is parental consent verified? Under a 2005 Amendment to the COPPA Rule, a sliding scale mechanism was confirmed so that lower risk usage of information is subject to a lower level verification process and higher risk usage is subject to a higher level of verification. If a website collects information for its own internal use (i.e., lower risk level), then an email message to the parent, combined with additional verification steps (such as sending a delayed confirmatory email message to the parent after the original consent is received, or confirming consent via the telephone or standard mail) will be sufficient. However, where information will be disclosed to the public or to a third party (i.e., higher risk level), then higher levels of initial verification are required, such as confirmation via a signed consent form returned to the website operator, requiring the parent to use a credit card during the confirmation process, requiring the parent to call a toll-free number, among other methods listed in the Amendment.

The COPPA Rule also provides that a website’s compliance with FTC-approved self-regulatory guidelines serves as a safe harbor in any enforcement action for violations of the COPPA Rule. Several organizations have been approved by the FTC for verifying compliance to qualify for the safe harbor.

What Changes Will Likely Be Considered?: The primary issues that will be considered will involve the impact of social networks, mobile computing, interactive television and interactive gaming on the collection of personal information from children. Additionally, the “below 13” threshold might also be reconsidered in light of state law changes (like in Maine – which, however, subsequently repealed its new privacy law).

The whole process for verifying age is also one that might be considered. Today the primary method is by asking the user to put in a birth date. However, it does not take much sophistication for a child to realize the purpose of this data field and insert a date indicating that they are at least 13. For instance, Facebook does not allow members less than 13 years of age. However, don’t most kids know this and know how to get around it? Facebook’s Director of Public Policy, Tim Sparapani, acknowledges that it is currently impossible to verify someone’s age online, but claims that Facebook has safeguards in place aimed to block children under 13 from joining. He also does not believe that Congress should get involved by amending COPPA – because this would “discourage innovative ideas aimed at enhancing teen and children safety” and might actually “undo many of our innovative privacy and safety tools.” Hmmm – probably not a disinterested perspective I would say!

Other items that might be considered:

  • Use of automated systems that filter out personally identifiable information prior to posting for children’s website submissions.
  • Whether the COPPA Rule’s definition of “personal information” should be expanded to include items such as persistent IP addresses, mobile geolocation data, or information collected in connection with behavioral advertising.
  • Whether the COPPA Rule’s process for FTC approval of self-regulatory guidelines – known as safe harbor programs – has enhanced compliance, and whether the criteria for FTC approval and oversight of the guidelines should be modified in any way.

Bottom line: Websites that are subject to COPPA should be thoroughly reviewed prior to launch. Additionally, since changes to these websites may occur frequently, periodic reviews should be performed as well to verify ongoing compliance.