Personal information, parental consent, and COPPA
Acting on the Center of Media Education’s petition, the Federal Trade Commission (FTC) started an investigation into the data collection practices of kidscom.com. Back in the 1990s, this popular website targeted individuals between 8 and 14 years of age. It allowed users to interact in a virtual world using avatars. As the website brought in significant changes, the FTC did not bring charges. The necessity of parental consent and of informing parents about risks led to the drafting of the Children’s Online Privacy Protection Act, 1998 (COPPA). The then President signed the bill on October 21, 1998, and it came into force on April 21, 2000.
The main goal of this act is to ensure that parents have control over their children’s data collected by online platforms. This act defines “children” as individuals below 13 years of age. It applies to all commercial service providers or operators that collect, process, and retain information from children. It also applies to service providers that do not have a lower age restriction but have actual knowledge that they are collecting, using, or processing the personal information of children.
Definition of personal information under COPPA
The act provides an inclusive definition of personal information. The definition includes:
- First and last name of a child
- Any address-related information of a child
- Any way to contact a child such as a phone number, email address, etc.
- Telephone number
- Social security number
- Any kind of audio or visual of a child
- Geolocation information sufficient to identify street name and city/town of a child
- Any identifier available on multiple websites that can be directly linked to a child
- A username that can be used to find a child on a website and contact them, or
- Any other information that directly or indirectly identifies a child.
Privacy policy requirements under COPPA
COPPA requires online service providers to implement a privacy policy concerning their collection, usage, and disclosure of children’s personal information. They must provide direct notices to parents about the changes in their privacy policies. COPPA’s privacy policy requirements are:
- Name, address, contact details, and other necessary information about the website operator
- Description of types of information being collected
- Informing the parents that they can deny the collection of their child’s personal information
- Information about other operators, if involved via plugins, contact forms, etc.
- A privacy policy shall be clear, understandable, and concise
- Links to the privacy policy shall be close to the area where a website is requesting information.
- If a mobile application is collecting information, the privacy policy should be available on the home page.
- If there is a general-purpose website that also caters to children, such websites shall have a separate privacy policy.
Parental consent under COPPA
Section 312.5 deals with parental consent. An operator shall obtain parental consent before collecting, processing, storing, or disclosing any personal data belonging to a child. It must obtain consent again if there is any change in the requirements. Further, the act places an obligation on operators to verify parental consent using technology-based solutions. Some of the possible ways to achieve verifiable consent are:
- Sending a consent form to a parent’s email address or postal address;
- Credit/debit cards providing explicit notifications to parents about transactions; or
- Using hard identifiers such as government-issued ID cards and signatures.
Here, it is essential to note that an operator must obtain parental consent before collecting or processing data. If an operator is unable to obtain parental consent, the act prohibits it from collecting the personal data of children under Section 312.7. Parents also have the right to review the personal information collected from their child, irrespective of whether they gave their consent.
Ending notes
COPPA appears to be stringent legislation that seems to comprehensively address concerns related to children’s data. It seeks to ensure that operators follow acceptable security practices and standards (Section 312.8). The scope of applicability is not limited to US-based operators; it also applies to websites that are collecting data from children in the United States, whether knowingly or unknowingly. As per Section 312.9, the FTC is responsible for the enforcement of this act. Over the last two decades since this act came into force, the FTC has prescribed hefty fines against many major operators. In one of my upcoming articles, I will be discussing such incidents wherein the FTC has levied fines on prominent online platforms.