Federal Trade Commission (FTC) has prescribed a list of six steps for complying with COPPA compliance requirements. These steps are:
- Check if your website or online service collects information from children below the age of 13 years.
- Ensure that your company takes parental consent before collecting any information from a child.
- Parental consent taken in the third step is verifiable as required by COPPA.
- Provide clear communication to parents regarding their rights related to their children’s data and inform the parents that they respect all the decisions made by the parents for their children’s data.
- Ensure that you have implemented reasonable security practices for your website to protect children’s information.
Step 1: Check if your website or online service collects information from children below the age of 13 years.
COPPA does not apply to all the websites that exist on the internet. It applies to websites that
- do not have age-restrictions when users sign up.
- are offering services tending to children and collecting their personal data.
- have an ad plugin that collects personal information specifically about children.
Companies can use various age-verification techniques to know the exact age of their users. I have discussed some of these techniques here.
- information about third-parties with whom the processing of personal data is delegated;
- types of personal data being collected and the manner of collection; and
- rights of parents/guardians on their children’s personal data.
Step 3: Ensure that your company takes parental consent before collecting any information from a child.
Before collecting personal data of children, companies must give clear and concise notice to parents for receiving parental consent. This notice must not contain any irrelevant or confusing content. This notice should inform the parents that:
- their contact information has been collected for the purpose of parental consent;
- the website seeks to collect their child’s personal information;
- parental consent is necessary for collecting and disclosing personal information of children;
- if parents do not give their consent in a reasonable amount of time, the website will automatically delete their contact information.
This notice should also mention the ways through which parents can provide their consent.
Step 4: Parental consent taken in the third step is verifiable as required by COPPA.
COPPA does not list any exhaustive method to obtain verifiable parental consent. However, some of the acceptable methods are:
- Parents sign a consent form and send it back to the company through fax, postal service, or email.
- The service requires a credit/debit card or similar online payment systems that are bound to notify the parents about a transaction.
- Parents call a toll free number staffed by trained professionals.
- Websites ask for some kind of hard identification from parents, provided that companies delete this information after the verification process completes.
- Parents answer knowledge-based challenge questions that would be difficult for kids to answer.
- Parents submit a driver’s license or any other photo identity card for comparison with another photo using facial recognition technology.
Step 5: Clear communication between the website and parents.
- methods available with parents to review their child’s personal information collected by the website;
- methods for revoking the parental consent, or refuse further use or processing of their children’s personal information; and
- their rights related to personal data of their children, including deletion.
Step 6: Ensure that you have implemented reasonable security practices for your website to protect children’s information.
COPPA expects companies to implement reasonable security practices for their websites. The idea behind COPPA is to give the highest priority to the best interests of children. The same should reflect in security practices adopted by a company. COPPA requires companies to not to retain data for a period longer than actually required. Further, it also restricts the sharing of personal information only with those third-parties who are capable of maintaining confidentiality, integrity, and availability of such information.
Some businesses may perceive COPPA compliance to be difficult and complicated. However, it has immeasurable benefits in the long-term when we talk about the online safety of children. In the last two decades, FTC has passed many landmark rulings that have shaped how companies collect and process personal information of children. I will be discussing some of these rulings in my next article. Meanwhile, I hope that once PDPB becomes an act and comes into effect, the Indian data protection authority will prescribe similar requirements for Indian companies.
Interested in contributing to our blog and knowledge base? Write to us at firstname.lastname@example.org and elaborate on how you can help us in creating a safer cyber space.