If you control a website that collects personally identifiable information from children under the age of 13, you must ensure that your site complies with a relatively new Federal statute called the Children's Online Privacy Protection Act (COPPA) and the rules enacted under it. If you don't comply, you may find your company facing hefty penalties.
While there has been much talk about regulating online privacy in the United States, the reality is that the law doesn't impose many restrictions on the ways your business can use information it collects online from surfers. There are two recent prominent exceptions to this generalization.
The first covers financial services businesses like banks. If you're involved with financial services, you need to consider a new federal regulatory scheme, which deals with both online and offline privacy. The second, and the subject of this article, is COPPA.
The first step in the compliance process is to determine if your site is directed to children. Refreshingly, the Federal Trade Commission uses a common-sense approach in its rules. It looks at the "[s]ubject matter, visual or audio content, the age of the models on the site, language, whether advertising on the web site is directed to children, information regarding the age of the actual or intended audience, and whether a site uses animated characters or other child-oriented features."
It is important to understand that COPPA applies to information you collect online that would make a child individually identifiable. This information includes full name, home address, e-mail address and telephone number, and any other information that would reveal the child's identity or enable somebody to contact the child.
It also includes other types of information, such as hobbies and interests, and information collected through cookies (no, not the kind of cookie you eat, but rather a small text file that your website asks the visitor's browser to save on their hard drive, which may itself contain personally identifiable information) and other tracking mechanisms, whenever that information can be linked to something that would disclose the child's identity.
Let's be practical here. The easiest way to comply with COPPA is to not collect information from children under the age of 13. If young children aren't your target market (let's say you sell retirement plans), you should include a provision in your terms of website use that either prohibits children from using your site or at least warns them not to provide any personally identifiable information.
In case you're not familiar with terms of website use, it's the contract governing the use of your site by surfers. (You do have terms on your website, don't you?) Many sites just have a link at the bottom of their home page to the terms. Of course, we all know that nobody except first year law students (they read and analyze the back of laundry tickets, too) and people without a life read them anyway (wink, wink).
Other sites make surfers click "I accept" to the terms before they can surf or buy things at their site.
Then, you should go a step further. On any form where you collect personally identifiable information, add a box asking the surfer to certify that they are not under the age of 13.
Of course, you'll have no way to really know that the surfer is telling the truth, but if you're not directly or indirectly gearing your site or a portion of your site to young kids, you'll probably be fine with these procedures in place. One caveat: the box only helps if you act on it. COPPA also reaches an operator that actually knows it is collecting information from a child under 13, so if a user tells you their age elsewhere (in a profile, a message to support, a contest entry), the checkbox will not save you.
You have to give parents the right to agree to the collection and use of their child's information while also having the right to withhold consent from disclosures to third parties. You also have to give parents the right to access, review and delete their child's information.
The biggest headache with COPPA compliance is the requirement of parental consent. The consent must be actual (they gave the kid a computer, "that's consent" won't cut it here) and obtained using methods like e-mail and old fashioned snail mail. The method that you can use to get parental consent depends upon the way you will use the child's information.
If it's for internal purposes only, you can use e-mail. If you'll be disclosing the information to third parties, you'll need more meaningful consent, like a signature on paper or a fax.
To fully understand COPPA, you'd have to set up a flow chart with arrows going in different directions depending upon your answer to different questions. It's not that COPPA is conceptually complex, but still proper compliance requires attention to detail and can undoubtedly be expensive. You'll have to live with that because the blow to your reputation for non-compliance along with FTC penalties can be far more costly than compliance.
You need to be sensitive to the issues here. After all, we're dealing with children.