Research & Writing
COPPA'sImpact on Data Capture
By Cassie Carter, PhD
The Children's Online Privacy Protection
Act (COPPA) becomes effective April 21, 2000. COPPA requires
all Web sites that specifically target and gather information
from children under 13 to first gain “verifiable parental
consent.” Web sites that allow children to give out
personal information (via chat rooms, messaging, bulletin
boards, homepage building, etc.), and Web sites that share
personal information with third parties will be required to
use more reliable forms of parental consent, such as postal
mail, fax, credit card, or tamper-resistant “digital
signatures” before personal information can be collected.
If the information is only used internally by the Web site
collecting it, parental consent may be obtained via e-mail,
provided the operator takes steps to confirm the parent’s
identity. (Within the next two years, the technology available
for securing parental consent will be reviewed and more specific
requirements for electronic forms of verifiable consent will
be developed.) The Web site must post a prominent link to
a notice of its information-collection practices (privacy
policy) on its home page and at each area where personal information
is collected and inform parents how they can view, change,
and remove information collected about their child as well
as revoke consent.
The full text of COPPA is available as a
PDF document on the Federal Trade Commission’s website
(this link will launch Adobe Acrobat in a new window).
A helpful guide, “How to Comply with
the Children's Online Privacy Protection Rule,” is available
at: http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm (this link will open a new window).
The present document, based on the FTC’s
guide, outlines the specific ways in which COPPA will impact
data capture on websites designed for kids.
I. What personal information is
protected by COPPA?
A. COPPA applies
to information that would allow someone to identify or contact
the child, such as a full name, home address, email address,
B. COPPA also covers
other types of information--like hobbies and information collected
through cookies or other types of tracking mechanisms--when
such information is tied to individually identifiable information.
II. How does COPPA impact
the information we can collect?
A. We cannot collect
any personally identifiable information without parental consent,
beyond the information needed to obtain parental consent.
B. “It is a deceptive
practice under Section 5 to represent that a Web site is collecting
personal identifying information from a child for one reason
(say, to earn points to redeem a premium) when the information
will be used for another reason that a parent would find material--and
when the Web site does not disclose the other reason clearly
C. We can get an email
address from a child in order to contact the parent to obtain
consent. This email cannot be retained for any other use.
D. Without parental consent,
we can use a child’s email address to respond directly
to a child’s request for information; however, the parent
should be notified that such contact has been made. The
child’s email cannot be retained for any other use.
E. We can also use a
child’s email address to send a newsletter on an ongoing
basis, provided the parent is notified of the ongoing contact.
F. We may not require
a child to disclose more personal information than is reasonably
necessary to participate in an activity as a condition of
participation. Example: we can’t require a kid
to tell us his/her favorite color in order to play a game
unless the kid’s favorite color is directly related
to the game.
G. Even information collected
passively—such as information collected via cookies
or other tracking methods—is protected if the information
is tied to individually identifiable information.
III. How does COPPA affect
requirements for parental consent/involvement?
A. Method of obtaining parental consent:
If personally identifiable information is collected for
internal purposes only, and the information is not disclosed
to others, parental consent can be obtained via email.
If information is disclosed to third parties, or if child
is allowed to post to chat room or message board, we must
go through more elaborate processes to obtain parental consent
(signed form via snail mail or fax, credit card verification,
toll-free telephone, digital signature)
B. Parent must at any
time be able to review the personal information on their child,
be able to ask to have it deleted, and refuse further collection
or use of child’s information. The methods and policies
must be stated clearly in the parental notification.
C. We must be able
to verify a parent’s identity. We must be able to verify
that the person accessing a child’s information is his/her
D. A new notice and request
for consent must be sent to parents if there are material
changes in the collection, use, or disclosure practices to
which the parent had previously agreed. If the parent consented
to allow the child to submit limited personal information
in order to participate in a rewards program, we must again
request consent if we want to offer chat rooms.
IV. How does COPPA
affect data-collection and data-sharing relations with partners/affiliates?
A. COPPA covers only
Website Operators. Its information disclosure regulations
(and, hence, requirements for parental consent) hinge on the
difference between an “Operator” and a “Third
An “Operator” is “any person who operates
a website located on the Internet or an online service and
who collects or maintains personal information from or about
the users or visitors . . . or on whose behalf such information
is collected or maintained.”
A “Third Party” is “any person who is
neither an operator with respect to the collection of personal
information . . . nor a person who provides support for the
internal operations of the website or online service.”
Because third parties are not operators, they are not responsible
for carrying out the provisions of COPPA
.B. A partner such as
a company offering a rewards program “provides support
for the internal operations of the website," so it is
an Operator and is required to meet COPPA regulations.
C. Other partners
who provide content—say a “fun survey”—and
collect information directly from children are also Operators
and must adhere to COPPA regulations.
D. A partner that
provides content or sponsorship but does not provide support
for the internal operations of the website or collect
information directly from children is a Third Party and is
not covered by COPPA regulations. If a kids’ site shares
children’s information with such a partner, however,
the kids’ site is required to comply with the more stringent
COPPA requirements for parental consent.