Resume Contact Me
Interaction Design and Information Architecture SPACER Web Design and Development SPACER Drawings SPACER Print Design SPACER Research SPACER Writing
SPACER SPACER

Research & Writing
COPPA'sImpact on Data Capture
Ogilvy Interactive (March 2000)
By Cassie Carter, PhD

The Children's Online Privacy Protection Act (COPPA) becomes effective April 21, 2000. COPPA requires all Web sites that specifically target and gather information from children under 13 to first gain “verifiable parental consent.”  Web sites that allow children to give out personal information (via chat rooms, messaging, bulletin boards, homepage building, etc.), and Web sites that share personal information with third parties will be required to use more reliable forms of parental consent, such as postal mail, fax, credit card, or tamper-resistant “digital signatures” before personal information can be collected. If the information is only used internally by the Web site collecting it, parental consent may be obtained via e-mail, provided the operator takes steps to confirm the parent’s identity. (Within the next two years, the technology available for securing parental consent will be reviewed and more specific requirements for electronic forms of verifiable consent will be developed.) The Web site must post a prominent link to a notice of its information-collection practices (privacy policy) on its home page and at each area where personal information is collected and inform parents how they can view, change, and remove information collected about their child as well as revoke consent. 

The full text of COPPA is available as a PDF document on the Federal Trade Commission’s website at http://www.ftc.gov/os/1999/9910/64fr59888.pdf (this link will launch Adobe Acrobat in a new window).

A helpful guide, “How to Comply with the Children's Online Privacy Protection Rule,” is available at: http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm (this link will open a new window).

The present document, based on the FTC’s guide, outlines the specific ways in which COPPA will impact data capture on websites designed for kids.

I. What personal information is protected by COPPA?
A.      COPPA applies to information that would allow someone to identify or contact the child, such as a full name, home address, email address, telephone number.
B.      COPPA also covers other types of information--like hobbies and information collected through cookies or other types of tracking mechanisms--when such information is tied to individually identifiable information.

II.  How does COPPA impact the information we can collect?
A.      We cannot collect any personally identifiable information without parental consent, beyond the information needed to obtain parental consent.
B.      “It is a deceptive practice under Section 5 to represent that a Web site is collecting personal identifying information from a child for one reason (say, to earn points to redeem a premium) when the information will be used for another reason that a parent would find material--and when the Web site does not disclose the other reason clearly or prominently.”
C.      We can get an email address from a child in order to contact the parent to obtain consent.  This email cannot be retained for any other use.
D.      Without parental consent, we can use a child’s email address to respond directly to a child’s request for information; however, the parent should be notified that such contact has been made. The child’s email cannot be retained for any other use.
E.      We can also use a child’s email address to send a newsletter on an ongoing basis, provided the parent is notified of the ongoing contact.
F.      We may not require a child to disclose more personal information than is reasonably necessary to participate in an activity as a condition of participation. Example: we can’t require a kid to tell us his/her favorite color in order to play a game unless the kid’s favorite color is directly related to the game.
G.     Even information collected passively—such as information collected via cookies or other tracking methods—is protected if the information is tied to individually identifiable information.

III.  How does COPPA affect requirements for parental consent/involvement?
A. Method of obtaining parental consent:
     1.       If personally identifiable information is collected for internal purposes only, and the information is not disclosed to others, parental consent can be obtained via email.
     2.       If information is disclosed to third parties, or if child is allowed to post to chat room or message board, we must go through more elaborate processes to obtain parental consent (signed form via snail mail or fax, credit card verification, toll-free telephone, digital signature)
B.      Parent must at any time be able to review the personal information on their child, be able to ask to have it deleted, and refuse further collection or use of child’s information.  The methods and policies must be stated clearly in the parental notification.      
C.      We must be able to verify a parent’s identity.  We must be able to verify that the person accessing a child’s information is his/her parent.
D.      A new notice and request for consent must be sent to parents if there are material changes in the collection, use, or disclosure practices to which the parent had previously agreed.  If the parent consented to allow the child to submit limited personal information in order to participate in a rewards program, we must again request consent if we want to offer chat rooms.

IV.  How does COPPA affect data-collection and data-sharing relations with partners/affiliates?
A.      COPPA covers only Website Operators.  Its information disclosure regulations (and, hence, requirements for parental consent) hinge on the difference between an “Operator” and a “Third Party.”
     1.       An “Operator” is “any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users or visitors . . . or on whose behalf such information is collected or maintained.” 
     2.       A “Third Party” is “any person who is neither an operator with respect to the collection of personal information . . . nor a person who provides support for the internal operations of the website or online service.”  Because third parties are not operators, they are not responsible for carrying out the provisions of COPPA
.B.      A partner such as a company offering a rewards program “provides support for the internal operations of the website," so it is an Operator and is required to meet COPPA regulations. 
C.      Other partners who provide content—say a “fun survey”—and collect information directly from children are also Operators and must adhere to COPPA regulations.
D.      A partner that provides content or sponsorship but does not provide support for the internal operations of the website or collect information directly from children is a Third Party and is not covered by COPPA regulations.  If a kids’ site shares children’s information with such a partner, however, the kids’ site is required to comply with the more stringent COPPA requirements for parental consent.

©2008 Cassie Carter