Are You In Compliance with COPPA? Part 1

The Internet can be a great resource for education and entertainment for children, but it can also expose them to exploitation based upon the nature of the personal identifying information (PII) they might provide while participating in discussion groups, chats, surveys, contests, and online gaming. Because data collection features are often designed to be entertaining, younger children in particular might not be aware of just how much of their personal information they share over the Internet. With that in mind, Congress in 1998 enacted the Children’s Online Privacy Protection Act (COPPA).

COPPA made it necessary for the Federal Trade Commission (FTC) to make and enforce regulations regarding children’s online privacy. If you own and/or operate a website and/or online service for commercial purposes that are either directed toward children under 13, or have actual knowledge that children under 13 are providing information online, COPPA applies to you.

Operators to whom the rule applies are required to:

1. Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;

2. Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;

3. Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);

4. Provide parents access to their child’s personal information to review and/or have the information deleted;

5. Give parents the opportunity to prevent further use or online collection of a child’s personal information;

6. Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and

7. Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.

The rule also prohibits operators from conditioning a child’s participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity.

The FTC’s original COPPA Rule became effective on April 21, 2000. However, an amended Rule was issued December 19, 2012.