COPPA

On November 19, 2014, the Federal Trade Commission announced that it is seeking public comment on a second proposed verifiable parental consent method by AgeCheq, an online privacy protection service. The Children’s Online Privacy Protection Act (COPPA) requires children and family-friendly website operators and app developers to (1) post privacy policies and (2) notify and obtain verifiable consent from parents prior to collecting, using, or disclosing personal information from children under the age of 13.

There are considerable challenges to obtaining verifiable consent from parents in real time–particularly for use of online services by children. The rule lays out a number of acceptable methods for gaining verifiable parental consent and includes a provision allowing parties to submit new consent methods to the FTC for approval. Age Cheq’s new proposal eliminates the need for paper signatures by providing a digitally signed parental declaration authenticated by a verification code on the parent’s mobile device.

(more…)

Websites should consider treating children as an attractive nuisance. Even consider putting up fences to keep them out. 

The FTC is monitoring many websites that attract children (even unintentionally) for COPPA violations. The Children’s Online Privacy Protection Act, COPPA, requires websites to  obtain verifiable parental consent before collecting personal information from kids under age 13.  Sites that are “directed” to such children must also disclose to parents what it collects about their children, how it uses the information and what it discloses to third parties. If the websites do not comply with COPPA the Federal Trade Commission may investigate, and impose fines and consent orders to curb websites’ tracking of children under 13.

Many website policies include a disclaimer that the website is “NOT directed” to children under age 13 and prohibit or limit access by children under 13 only with direct parental supervision.  Unfortunately, these policies will not limit the liability of a website operator if it knows kids under 13 are providing personal information to its website.  Then, the website is likely to be considered to be directed to such children.  If a website operator knows that kids are attracted to its website, then the website must comply with COPPA as if it the website is intentionally directed to children under 13.

Artist Arena manages fan sites for Justin Bieber, Rhiannon and Selena Gomez (among others)  together collected personal information from more than 25,000 children under the age of 13 without seeking verifiable parental consent.  Artist Arena’s fansites were intentionally directed to ‘tweens as the target audience of the celebrities featured on its fan sites and had COPPA policies, but failed to actually notify the parents and obtain their permission before collecting info from their children.  Artist Arena settled with the FTC, agreeing to pay a cool million dollars, enter into a consent decree against future  COPPA violations, and destroy all data it unlawfully collected from children.

The take-away?

Kids are adept at learning new technology and have unfettered access to smartphones, tablets and desktop computers.  So, it goes without saying that many registration schemes aimed at preventing kids from accessing an attractive website are quickly overcome.  A policy prohibiting use by children is definitely not sufficient. Operators of interactive websites (sites with blogs, forums, comment and sharing features) can’t ignore kids under 13 who are using the site .  Their data stream will likely “rat them (and the operator) out.”  With notice of kids, the operator must either block access or adopt a COPPA policy and enforce it. Get the COPPA FAQ’s  here.

As for Beiberfever.com? Users who admit to being age 13 or younger are persistently blocked from registering:

We are sorry, but you can not register at this time.

Hat/Tip to Sharon Snyder for sending me this Washington Post article about Artist Arena’s woes.

Does your website have a Facebook “Like” button? Is your website, mobile site or mobile app directed at adults but attracts children under age 13?  Pull out your pens.  The Wall Street Journal reports that today FTC is expected to issue new rules proposed last fall to protect children online and on mobile devices. The new rules take effect following  a 30 day comment period.  Take a minute to compare your website audience and information collection practices to the disclosures made in your website terms of use and privacy policy. There are often gaps and mismatches in even the most well meaning policies.  For example, a “Like” button on your website collects and reports a stream of data about your visitors to Facebook — whether they “Like” your website or not.  Is that what your privacy policy discloses?

How about children? How often have you seen kids using tablets and smartphones while their parents are busy? How many younger ‘tweens have their own smartphones? Many children, even very young ones are quite adept with mobile devices.  My secretary’s almost-two-old grandchild already knows how (more…)