If your business operates a website that intends to or does target children as an audience, it must understand COPPA compliance! Any website that is directed toward children under the age of 13 or knowingly collects any information from children under 13 will need to comply with The Children’s Online Privacy Protection Act (COPPA). The Act requires that all such websites obtain verifiable parental consent before collecting, using, or disclosing personal information from children.
COPPA Compliance Is Required If Your Website:
- Contains content directed towards children (or partially directed to children). Even if your business’s website is not directed towards children, if the content contains items that normally would appeal to children, such as cartoons or animations, you should maintain COPPA compliance to be safe;
- Contains ads directed towards children;
- Collects any type of information from children.
If any of the above circumstances apply, the required COPPA disclosures must appear on your website as well. A checklist of these requirements can be found at www.copa.org and you need to make sure you incorporate each required disclosure.
In order to determine whether a website is directed towards children, the FTC considers several factors, including the subject matter; visual or audio content; the age of models on the site; language; whether advertising on the website is directed to children; information regarding the age of the actual or intended audience; and whether a website uses animated characters or other child-oriented features.
- the name and address of all the operators of the site;
- the kinds of information being collected and how it is being collected;
- how the operator intends to use the information;
- whether the operator provides this information to third parties and information about those third parties and how they intend to use the information;
- a notice to parents that they have the right to allow the collection of the information by the operator but not by third parties; and a statement that the parent can review the child’s information and ask to have it deleted.
There are other provisions that must be included in the notice as well, including providing a written procedure for a notice sent directly to the parents and for the parents to actively consent, in writing, to the collection of this information prior to the information being collected. The site operator must notify a parent in the form of an email, postal mail, fax and in other similar ways set forth in the regulations and the operator must then obtain “verifiable parental consent” to the entire process.
During an interim period, there are specific regulations about how this consent is to be obtained based upon how the information is going to be used by your website. If the information will be made widely available to the public or third-party providers, the more restrictive the requirements are under COPPA. In the event the site changes how the information is collected, used or disclosed, a new, verifiable parental consent must be obtained and, of course, the written policy must be changed on your site. If you disseminate collected information to third parties, you must have a procedure for such third parties to delete any information requested to be deleted by a parent or legal guardian.
Interactive Service Providers Note
In terms of your business’s website, if your business is an interactive computer service provider under the Communications Decency Act (47 U.S.C. Section 230 (d)), it must, “at the time of entering an agreement with a customer for the provision of interactive computer service and in a manner deemed appropriate by the provider, notify such customer that parental control protections (such as computer hardware, software, or filtering services) are commercially available that may assist the customer in limiting access to material that is harmful to minors.”
The term “interactive computer service” means any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server, including specifically a service or system that provides access to the Internet and such systems operated or services offered by libraries or educational institutions. Most courts have held that through these provisions, Congress granted interactive services of all types, including blogs, forums, and listservs, immunity from tort liability so long as the information is provided by a third-party.
There have been some recent changes made to COPPA laws last year. I wrote about those changes in an earlier blog post and you will want to review it to determine if COPPA laws apply to your business’s information collection practices.