Key elements of a COPPA rule compliance program

May 21, 2013

This is the last of a short series of posts I’ve been doing on the substantial changes to the Children’s Online Privacy Protection Rule (“Rule”) in 16 C.F.R. Part 312 that become effective on July 1, 2013.  As you may know, the Rule has been developed and enforced by the Federal Trade Commission (“FTC”) to implement the Children’s Online Privacy Protection Act (“COPPA”) (15 U.S.C.A. §§ 6501 et seq.), which prohibits unfair or deceptive acts or practices in connection with the collection, use and/or disclosure of personal information from and about children on the Internet.

I’ve previously discussed changes in the rules that determine whether or not your clients would be subject to the requirements of COPPA and the Rule and the expanded scope of the “personal information” that your clients will need to protect.  Now it’s time to make sure that clients falling within the Rule’s expanded definition of a “website operator” have procedures in place to fulfill the following key obligations:

  • Making sure that notice is provided regarding what information it collects from children, how it uses that information, and its disclosure practices for that information;
  • Making reasonable efforts to obtain verifiable parental consent (taking into consideration available technology) prior to any collection, use, and/or disclosure of personal information from children;
  • Providing a reasonable means for a parent to review the personal information collected from a child and to refuse or permit its further use or maintenance;
  • Not conditioning a child’s participation in an activity on the child disclosing more personal information than is reasonably necessary to participate in the activity and not retaining a child’s personal information any longer than is necessary to fulfill the purpose for collecting the information in the first place; and
  • Establishing and maintaining reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children (including making sure that third-party service providers to whom information is released are also capable of protecting the confidentiality, security and integrity of children’s personal information).

Each of these obligations should be reviewed in detail with clients; however, compliance generally begins with preparation and prominent posting of a notice or policy on the client’s homepage (and at each location where it collects information from children) which carefully describes the information collection practices on the website (i.e., name and contact information of the website operator; a description of what information the operator collects from children, including whether the website or online service enables a child to make personal information publicly available; how the operator uses such information; and the operator’s disclosure practices for such information).

In addition to the online notice of information practices, website operators must make reasonable efforts (taking into account available technology) to ensure that a parent of a child receives direct notice of the operator’s practices with regard to the collection, use, or disclosure of personal information from children, including notice of any material change in the collection, use, or disclosure practices to which the parent has previously consented.  However, notice is not enough: before the website owner can actually collect, use or disclose any personal information from a child, a parent of the child must provide verifiable consent using one of several methods sanctioned under the Rule such as providing a consent form to be signed by the parent and returned to the operator by postal mail, facsimile, or electronic scan.

You can get the discussion going with your clients on the steps that need to be taken for compliance in this area by using the practice tools available in Privacy and Data Security (§§100A:1 et seq.) in Business Transactions Solutions, which is available on the Thomson Reuters Legal Solutions site and through Westlaw Next at Business Counselor.  Among other things you’ll find examples of a children’s online privacy policy, a COPPA notice to parents and a parent consent form.  The FTC has also created a guide to assist Website operators in complying with the requirements of COPPA which is available on the FTC’s Website: http://www.business.ftc.gov/privacy-and-security/childrens-privacy.