News

Compliance with the Children’s Online Privacy Protection Act

by Ashish Mahendru, Esq

Congress enacted the Children’s Online Privacy Protection Act (“COPPA”) in response to mounting pressure to regulate the growing practice of e-commerce companies to procure “vital statistics” from children for advertising and marketing purposes. COPPA was signed into law on October 21, 1998, and went into effect on April 21, 2000. Currently, COPPA is the only comprehensive legislation targeting the use of the Internet by children. COPPA is a marriage between government regulation and the Internet industry’s desire to prove its ability to self-regulate. For companies doing business on the World Wide Web (known in the statute as “website operators”) compliance with COPPA is critical, because COPPA is at the vanguard governmental efforts to regulate privacy within the Internet industry as a whole. This article is designed to provide e-commerce companies with a basic roadmap to achieve compliance with COPPA’s requirements.

COPPA’s Application

COPPA applies to commercial website operators that “collect” or “maintain” “personal information” from children under the age of 13. Although the definition of “operator” is not clear, a web hosting company, for example, will not likely be considered an “operator.” A company serving as more than just a pass through entity, however, will probably be within the reach of the statute.

COPPA is focused on websites directed at, or patronized by, children. For a general audience website, the website operator must have actual knowledge that it is collecting personal information from children under 13 years of age. Even if only a portion of a general audience website is directed at children, then COPPA is applicable.

The Federal Trade Commission (“FTC”) is the regulatory body authorized to enforce COPPA. The FTC will consider a website’s subject matter, visual or audio content, age of models, language or other characteristics of the website content and whether advertising is directed to children when deciding whether a website is “directed at children” within the meaning of COPPA. The FTC will also consider competent and reliable empirical evidence regarding actual audience composition, the intended audience, and whether a site uses animated characters and/or child-oriented activities and incentives in making its determination about the applicability of COPPA.

COPPA does not fully define what it means to “collect” information, although the regulations state that a website operator “collects” personal information if: (1) the website operator requests the child to submit personal information; (2) the website operator enables the child to make personal information publicly available through a chat room, message board, or other means, except where the operator deletes all individually identifiable information from postings by children before they are made public, and also deletes such information from the operator’s records; or (3) the website operator incorporates the passive tracking or use of any identifying code linked to an individual, such as a cookie in the web site. According to the regulations, however, these three methods are just illustrative, and are not the only means by which a website operator could “collect” personal information.

The scope of “personal information” is more fully defined, and it includes the collection or maintenance of: a first and last name; a home or other physical address including street name and name of a city or town; an e-mail address; a telephone number; a Social Security number; a persistent identifier, such as a customer number held in a cookie or a processor serial number, where such identifier is associated with individually identifiable information; a combination of a last name or photograph of the individual with other information such that the combination permits physical or online contacting; or information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.

Compliance with COPPA

Once COPPA applies, then the website operator must take certain steps to ensure that information is gathered, maintained and used consistently with COPPA’s requirements. There are four major prongs of COPPA: (1) providing appropriate notice to the audience; (2) obtaining verifiable parental consent prior to any use or disclosure of personal information; (3) providing reasonable access by parents to personal information actually collected; and (4) implementing reasonable measures to protect the confidentiality, security, and integrity of the personal information collected.

Notice. Notice is one of the most important aspects of COPPA, requiring that users of the website be informed about personal information that may be collected about them, to enable them to make an informed choice regarding their use of and participation in the site. Specifically, a site’s notice provision should be designed to apprise the user of the company’s policies with regard to collection, use and dissemination of personal information. According to the regulations, the notice link or provision should be clearly labeled and prominently displayed on the website’s home page. In addition, the notice link or provision must also be prominently placed on each page where personal information is collected. For example, it is not sufficient for a website operator to place a notice provision on the home page but not place a notice provision or link on a page where the child actually inputs the data.

The contents of the notice should be designed to apprise the user about the nature of the information being collected, how the information will be used, and the operator’s disclosure practices with respect to the collected personal information. The company may designate one person to respond to all inquiries about the privacy policy of the company. If it does so, it must disclose the name, address, phone number, and e-mail address of that one person. If multiple operators collect and maintain personal information about children, the names, addresses, phone numbers, and e-mail addresses of all the operators collecting or maintaining such information must be listed in the notice. If, however, multiple operators collect and maintain the information, but the company designates one person to respond to inquiries, then only the names of the other operators must be disclosed.

The notice must also indicate whether the information is collected directly or passively. Information is collected passively if the child user’s identity and movements are tracked by identifying code embedded in the web site itself, or through cookies. This is important, because absent a notice, passive collection techniques effectively allow information to be gathered without a user’s knowledge.

The operator must also identify how the information will be used, e.g., for the purpose of completing a transaction, record keeping, marketing products or services to the child, or making the information publicly available. If the collected personal information is to be disclosed to third parties, then the operator must state the types of business in which the third parties are engaged, the general purpose for which the information will be used, whether the third parties have agreed to maintain the confidentiality, security, and integrity of the personal information collected, and the methods by which the parent of the child can prevent disclosure of personal information to third parties. The operator must also acknowledge it is prohibited from conditioning a child’s participation in an activity on the child’s disclosing more personal information than is reasonably necessary to participate in such activity.

Further, the notice must state that the parent can review and have deleted the child’s personal information and that the parent can refuse to permit further collection or use of the child’s information at any time. The procedures for the parent’s refusal must also be provided in the notice. In this instance, if the parents have refused further collection and the child continues to submit information, the regulations authorize the company to terminate any service provided to the child. It is advisable in such circumstances for the company to contact the parents and apprise them of this occurrence. In addition, if a parent refuses further collection of information, it is entirely possible that the company has already placed a cookie on the computer of the user. Since the company may not have any means of removing the cookie, the notice should state that the company places cookies on the computers, and if at any time consent is withdrawn, the parents shall be responsible for deleting the cookie from the computer of the user.

Verifiable Parental Consent. Prior to any collection, use or disclosure of personal information, the website operator must make reasonable efforts to obtain verifiable parental consent. The disclosure of personal information of children prior to obtaining verifiable parental consent can give rise to a COPPA violation. “Disclosure” of personal information means the sharing, selling, renting, or other provision of personal information to any third party. For example, if a website operator decides to sell its company, including the personal information collected from a child, then the website operator may have to obtain verifiable parental consent prior to the release of such information, because the acquiring company may be considered a third party.

Disclosure of personal information also results when an operator makes personal information collected from a child publicly available in identifiable form by any means, including a public posting through the Internet, or through a personal home page posted on a website or online service, a pen pal service, an electronic mail service, a message board, or a chat room. Therefore, a website operator can allow children to participate in online “chats” if the website operator prevents the display of personally identifiable information about the child before the chat message is posted. In addition, if the website operator does not want to fall under the provisions of COPPA, then it must also delete all personally identifiable information from its records. For example, if a child submits his or her name and email address along with a text message to be posted in a chat room, then the website operator must delete the child’s name and email address (a) from the message itself and (b) from its records before posting the message in the chat room. By doing so, the website operator avoids “collecting” “personal information,” thereby escaping the strictures of the statute.

The website operator may, however, release personal information to a person or entity who provides “support for the internal operations” of the website or online service and who does not disclose or use that information for any other purpose. “Support for internal operations” means those activities necessary to maintain the technical functioning of the website or online service. Therefore, an independent contractor hired by the company to host the website, for example, should not be considered a “third party” to whom disclosure is restricted, if that independent contractor does not collect or maintain personal information. However, if the independent contractor does have access to the personal information, then the website operator must ensure that the independent contractor complies with COPPA and with the website operator’s privacy policies.

Any method employed to obtain verifiable parental consent must be reasonably calculated to ensure that the person providing consent is actually the child’s parent or guardian. The following methods of obtaining parental consent are approved by the FTC: (1) providing a consent form to be signed by the parent and returned to the operator by postal mail or facsimile; (2) requiring a parent to use a credit card in connection with a transaction; (3) having a parent call a toll-free telephone number staffed by trained personnel; (4) using a digital certificate that uses public key technology; or (5) using e-mail accompanied by a PIN or password obtained through one of the verification methods listed in this paragraph.

Until April 21, 2002, methods to obtain verifiable parental consent may also include use of e-mail coupled with additional steps to provide assurances that the person consenting to the collection and maintenance of personal information is the child’s parent. Such additional steps may include (1) sending a confirmatory e-mail to the parent following receipt of consent; or (2) obtaining a postal address or telephone number from the parent and confirming the parent’s consent by letter or telephone call. Operators who use such methods must provide notice that the parent can revoke any consent given in response to the earlier e-mail.

There is no requirement that the website operator obtain additional consent each time it uses the information in the manner to which the parent previously consented. For example, if a parent consents that a child may be contacted without any further notice to the parent, the operator may contact the child without having to obtain additional consent. However, the website operator must obtain additional verifiable parental consent if there has been any material change in the collection, use, and/or disclosure practices to which the parent previously consented. Prudence dictates that a website operator err on the side of caution when deciding whether there has been a “material” change.

If a website operator is considering being acquired by another company, it should bear in mind that the sale or other transfer may constitute disclosure to a third party under COPPA. Although the statute or the regulations do not make it clear whether an acquiring company will be considered a “third party” for disclosure purposes, it may be advisable for the website operator to notify the parents through its initial consent that information collected from the child may be released to third parties without further notice. By factoring this contingency into the original consent, the costs and difficulties associated with trying to obtain additional consent may be avoided.

The notice and consent cannot be restrictive; a parent must have the option of only consenting to use and collection of personal information without consenting to disclosure of that information. Therefore, some parents could consent to disclosure, others could consent to collection and use only, and others could withhold consent entirely. It would be advisable for the website operator to state these options clearly so that the parents understand the permissible scope of their consent. This obligation may be onerous for the website operator, as it requires a degree of categorization of data that the operator might otherwise find unnecessary.

There are exceptions to the requirement that an operator obtain verifiable parental consent. If the operator collects the name or contact information of a parent for the sole purpose of obtaining parental consent, then parental consent to that initial collection of information is not necessary. In other words, the statute recognizes the dilemma of the operator, because the operator must first collect some information from the child without violating COPPA. However, once this initial information is collected from the child to contact the parents, the operator must obtain parental consent within a reasonable time or delete the information from its records.

If the operator responds directly to a request from a child on a one-time basis, parental consent is also not required. In this instance, the operator is prohibited from contacting the child a second time and the information must be deleted from the operator’s records. However, the regulations do not provide any guidance as to what constitutes a “one-time request.” Could a child simply request product information? Could a child make a one-time purchase and does that constitute a request? If the operator responds to a one-time request and then deletes the child’s information from its records, how will the operator know, if the child returns to the website to request more information or purchase additional product, that the child has previously been contacted on a “one-time” basis?

Where there are repeated requests from a child, the operator must respond only to the first request, and afterwards the operator must make reasonable efforts to contact the parents and obtain consent prior to responding to additional requests from the child. But if the operator does not know that the child has previously requested information – because the website operator deleted the child’s personal information from its records after the child’s first request – how can a website operator track the child’s requests in the first place? This is a confounding aspect of the regulations, and the FTC or the courts will have to provide more guidance on this issue.

Finally, if the operator collects information for the purpose of protecting the child’s safety, then prior parental consent is not necessary. However, the operator must provide the parent with notice that information was collected. Prior parental consent is also not required in order for an operator to respond to judicial process, protect itself against liability, assist law enforcement, or protect the integrity of the website.

Parents’ Access to Personal Information. Parents have the right to require the website operator to provide the following upon request: (1) a description of the specific types of personal information collected from the child by that operator; (2) an opportunity at any time to refuse to permit the operator’s further use or maintenance in retrievable form, or future online collection, of personal information from that child; and (3) a means that is reasonable under the circumstances for the parent to obtain any personal information collected from that child. Before the parent can obtain the information, however, the operator must ensure that the person requesting the information is in fact the parent and the operator cannot employ “unduly burdensome” means for the parent to obtain this information. Consequently, the website operator must dedicate some resources to enable parents to review the information already collected.

Security. A website operator must maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. Beyond this skeletal dictate, the statute and the regulations provide no other guidance as to what measures a website operator should take. The key term of this provision is “reasonable.” The guidelines do not require absolute protection of confidentiality, security, and integrity of personal information. A website operator may consider developing a specific policy regarding how it intends to ensure confidentiality, security, and integrity. However, because a failure to abide by the policy could undercut a claim by an operator that it exercised “reasonableness,” one should use caution in developing and adopting any such policy and should consult legal counsel.

Miscellaneous. Under the statutory guidelines, a website operator will not be subject to any liability under state or federal law for a good faith disclosure of personal information. Significantly, COPPA does not provide an individual with a private right to sue for a violation of the statute. Either the FTC or the Attorney General for a particular state must sue to enforce the provisions of the statute. The remedies available for COPPA violations include injunctive relief from the court to prevent further non-compliance with the statute and monetary damages. The regulations do not set out a basis for calculating the amount of the monetary damages. That lack of certainty has not discouraged aggressive enforcement of the statute. Earlier this year, on April 19, 2001, the FTC announced a settlement with three website operators that were violating COPPA. The website operators were collectively fined $100,000 in civil penalties.

Commercial website operators can seek the protection of “safe harbor” provisions promulgated by the FTC. Under these provisions, a website operator will be deemed in compliance with COPPA if that website operator complies with self-regulatory guidelines issued by representatives of the marketing or online industries or by other persons. These self-regulatory guidelines must be submitted to the FTC for review and approval, and the general public will have an opportunity to comment on the guidelines and propose changes. As of the writing of this article, the FTC has approved two self-regulatory guidelines.

Conclusion

Given the novelty of the statute and regulations, caution must be urged in evaluating a website operator’s approach to COPPA. The website operator should keep the four prongs of COPPA in mind at all times:

  1. provide notice to the audience;
  2. obtain verifiable parental consent prior to any use or disclosure of personal information;
  3. provide reasonable access to parents of personal information collected; and
  4. implement reasonable measure to protect the confidentiality, security, and integrity of the personal information collected.

Once the motivation behind these four aspects of COPPA are understood, technical compliance with the regulatory requirements becomes easier to implement.

Recent Posts