If your business operates a website that intends to or does target children as an audience, it must understand COPPA compliance! Any website that is directed toward children under the age of 13 or knowingly collects any information from children under 13 will need to comply with The Children’s Online Privacy Protection Act (COPPA). The Act requires that all such websites obtain verifiable parental consent before collecting, using, or disclosing personal information from children.
COPPA Compliance Is Required If Your Website:
- Contains content directed towards children (or partially directed to children). Even if your business’s website is not directed towards children, if the content contains items that normally would appeal to children, such as cartoons or animations, you should maintain COPPA compliance to be safe;
- Contains ads directed towards children;
- Collects any type of information from children.
If any of the above circumstances apply, the required COPPA disclosures must appear on your website as well. A checklist of these requirements can be found at www.copa.org and you need to make sure you incorporate each required disclosure.
Any webpage that has content targeted towards or that attracts children should contain a link to your business’s website information collection and privacy policy. All links must be “clear and conspicuous” as such term is used under the FTC guidelines. Your business should be sure to follow those guidelines in your placement of all links and disclaimers on the website at all times. (As a helpful suggestion, use a larger size font or different color type on a contrasting background to display the link).
In order to determine whether a website is directed towards children, the FTC considers several factors, including the subject matter; visual or audio content; the age of models on the site; language; whether advertising on the website is directed to children; information regarding the age of the actual or intended audience; and whether a website uses animated characters or other child-oriented features.
If your business’s website must be in COPPA compliance, the privacy policy must contain the following items:
- the name and address of all the operators of the site;
- the kinds of information being collected and how it is being collected;
- how the operator intends to use the information;
- whether the operator provides this information to third parties and information about those third parties and how they intend to use the information;
- a notice to parents that they have the right to allow the collection of the information by the operator but not by third parties; and a statement that the parent can review the child’s information and ask to have it deleted.
There are other provisions that must be included in the notice as well, including providing a written procedure for a notice sent directly to the parents and for the parents to actively consent, in writing, to the collection of this information prior to the information being collected. The site operator must notify a parent in the form of an email, postal mail, fax and in other similar ways set forth in the regulations and the operator must then obtain “verifiable parental consent” to the entire process.
During an interim period, there are specific regulations about how this consent is to be obtained based upon how the information is going to be used by your website. If the information will be made widely available to the public or third-party providers, the more restrictive the requirements are under COPPA. In the event the site changes how the information is collected, used or disclosed, a new, verifiable parental consent must be obtained and, of course, the written policy must be changed on your site. If you disseminate collected information to third parties, you must have a procedure for such third parties to delete any information requested to be deleted by a parent or legal guardian.
Note: Your business will have to employ a methodology of determining the age of a child under 13 prior to completion of the registration process. It is highly recommended that the methodology does not invite falsification. For example, the question “Are you 13 years of age or older?” may invite falsification, but the statement “Please enter your date of birth” would not invite falsification. If the procedure determines that a user is under 13, it should prohibit completion of the registration process and the collection of any information from the child, and it should direct the user to the privacy policy and its parental consent form.
TIP! If none of the COPPA laws apply and if your business does not market to children or collect information from children under the age of 13, you should restrict use of the website to persons at least 13 years of age or older. Depending upon your business’s customer base, you really should consider restricting use or access to anyone under the age of 18. Any restriction should be placed in the website user agreement (terms of use) and restated in the privacy policy. Also, make sure each of your affiliates and marketers agrees to comply with COPPA laws at all times during the promotion of any of your products. This should be clearly stated in any affiliate or marketing agreement you enter into.
Interactive Service Providers Note
In terms of your business’s website, if your business is an interactive computer service provider under the Communications Decency Act (47 U.S.C. Section 230 (d)), it must, “at the time of entering an agreement with a customer for the provision of interactive computer service and in a manner deemed appropriate by the provider, notify such customer that parental control protections (such as computer hardware, software, or filtering services) are commercially available that may assist the customer in limiting access to material that is harmful to minors.”
The term “interactive computer service” means any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server, including specifically a service or system that provides access to the Internet and such systems operated or services offered by libraries or educational institutions. Most courts have held that through these provisions, Congress granted interactive services of all types, including blogs, forums, and listservs, immunity from tort liability so long as the information is provided by a third-party.
There have been some recent changes made to COPPA laws last year. I wrote about those changes in an earlier blog post and you will want to review it to determine if COPPA laws apply to your business’s information collection practices.