Privacy Advisor

It's Time to Comply with COPPA

October 1, 2006

Denise Tayloe

The Children's Online Privacy Protection Act (COPPA), which became effective April 21, 2000, was designed to introduce parents into the decision-making equation and place them in control over what information is collected online from their children. Parents were to be given the final say on which sites their children would be allowed to personally interact with, and what information they could disclose.

Judging from recent Federal Trade Commission (FTC) action for COPPA violations, regulators are unforgiving when it comes to commercial Web sites that ignore or fail to fulfill the law's requirements to protect children online. The FTC sent that message clearly last month when it fined Xanga, a social networking site, $1 million - the largest fine ever under COPPA - for allegedly violating the law. According to the FTC, Xanga.com collected, used and disclosed personal information from approximately 1.7 million children under the age of 13 without first notifying parents and obtaining their consent.

"Protecting kids' privacy online is a top priority for America's parents, and for the FTC," FTC Chairman Deborah Platt Majoras said in a statement. "COPPA requires all commercial Web sites, including operators of social networking sites like Xanga, to give parents notice and obtain their consent before collecting personal information from kids they know are under 13. A million-dollar penalty should make that obligation crystal clear."

History of COPPA

In the late 1990s, it became clear that children were actively, as well as passively, disclosing personal information online, without their parents' permission. The growth of online services and content aimed at children younger than 13 resulted in a wide range of significant problems, including

  • Invasion of children's privacy through solicitation of personal information granted unknowingly by child participants;
  • The growing popularity of forums such as chat rooms, email, pen pals, IM and bulletin boards (and more recently, social networking sites) potentially exposes children to the lures and exploitation of online pedophiles, making them targets for malicious adult behavior;
  • An imbalance of power between vulnerable, young computer users and sophisticated new forms of advertising; and
  • Omission of a parent's guardianship and consent in a child's online experience.

COPPA was adopted in order to protect children from commercial Web sites or online services directed at children that collect personal information or allow personal information to be made publicly available. It also applies to sites that attract a general audience, when those sites have actual knowledge that they are collecting personal information from children.

Industry Reaction

Since its inception, COPPA created headaches for online content providers seeking to collect children's personal information for marketing and other purposes. Within many companies, legal departments routinely battle marketing departments that seek to collect information from children under 13 years of age.

Children and tween Web sites have been slow to embrace interactive solutions that trigger COPPA's guidelines. Many sites have responded to the law by erecting age-gate restrictions. "Oops due to COPPA, we cannot allow you to join our site" has become a common message to children under 13.

Children quickly learned to lie about their age in order to gain access to the interactive features on their favorite sites. As a result, databases have become tainted with inaccurate information and chaos seems to be king where COPPA is concerned.

Recently Robin Raskin, Yahoo's Technology expert, reported on her blog that these practices are creating a generation of fakers. According to Raskin, "there is no sane reason for children to tell the truth on the Web."

The recent stampede of minors to join social networking sites has dramatically increased the public's awareness to create safeguards where adults and minors are commingling online. Aged-based credentials for the purpose of separating adults from minors in open community areas where children may be exposed are being called for by state legislators.

Despite the confusion in the industry, the FTC reported to Congress in March 2006 that COPPA was working well. As a result of the FTC's study, COPPA has been extended for the next 10 years. The industry appeared to be waiting for COPPA to go away. The law's extension has been a signal to the kids' industry that it is time to take the law seriously, and apply methods that legally (and responsibly) allow children under 13 the opportunity to join in the activities of their favorite sites with parental consent.

It's Time to Comply with COPPA

There are few places for online companies to turn to for COPPA solutions. To date, companies have used print and fax forms with parental signatures, a cumbersome process at best; a subscription model requiring credit card payment, which could pose an economic barrier to participation; the email plus method which utilizes a sliding scale under COPPA for internal use of data, and any available online infomediary services

In its March 2006 report to Congress, the FTC named Privo, Inc. (www.privo.com), a recently approved safe harbor, as the only known infomediary service processing online parental permission in full compliance with COPPA. Privo created PrivoLock, a proprietary software solution, that provides multiple online methods to parents to allow them to verify their identity and create an online credential for multiple use in granting permission to their child for access to Web sites.

To view the complete report on COPPA guidelines, visit www.ftc.gov/bcp/conline/pubs/buspubs/coppa.html.


Denise Tayloe - Founder, President and Chief Executive Officer
Denise Tayloe co-founded Privo in early 2001 shortly after COPPA was passed. Her vision was to create a software solution that would help companies effectively interact with children while in compliance with the federal law. She has become a recognized leader and authority in permission and identity management, and has been an invited speaker on the subject at conferences related to marketing as well as at Trans Atlantic dialogues regarding children's privacy issues across the globe. Tayloe has also conducted private workshops to help companies understand the intricacies of COPPA and how to maintain customer relationships within legal boundaries. Tayloe has more than 14 years experience in business development, sales, finance and the development of companies innovating and providing business and technology related services.

Sidebar:

COPPA Compliance Guidelines

Whatever methods a company chooses, the following guidelines should be followed to comply and employ best practices:

  • Make the decision about whether or not your brand is marketing to children under 13 and if so, provide them the tools to get their parent's permission to interact with your site. Remember, children, if given no other choice, will lie.
  • An operator must post a clear and prominent link to a notice of its information practice on the home page of its Web site, and at each section where personal information is collected from children.
  • Before collecting, using or disclosing a child's personal information, an operator must take reasonable steps to obtain verifiable parental consent from the child's parent. There are varying degrees of acceptable methods of consent depending upon the intended use of the child's personal information.
  • Most importantly, however, when a Web site intends to disclose the child's information to a third party operator, or make the information publicly available (i.e., chat room, bulletin boards, multi-player games), the law requires that more reliable methods must be used to identify the parent.