Slashdot Mirror
COPPA, What Are You Doing About It?
Some more information from michael : COPPA shouldn't affect most sites. Unless your site is targeted toward children and actively solicits personal information (name, e-mail address, regular address, age, etc.) from children, you probably have to do nothing. Here's a snippet, straight from the FTC:
"If you operate a commercial Web site or an online service directed to children under 13 that collects personal information from children or if you operate a general audience Web site and have actual knowledge that it collects personal information from children, you must comply with the Children's Online Privacy Protection Act."
"Children" is defined to mean "people under the age of 13". So unless your site is directed to kids 12 and under and collects information from visitors OR you collect information and you know that you're collecting information from kids 12 and under (for instance, you make them register and include an age category with "12 and under" as one of the choices), you don't need to do much at all. Just don't ask their age!
Slashdot received reports that Yahoo was forcing people to provide credit card information in order to register for services. Well, part of Yahoo is directed specifically at children, and Yahoo does collect personal information, so they're concerned. The submissions implied Yahoo was doing this for ALL of their services though, which seems like overkill - a ploy to justify seeking more information from adults (a credit card allows Yahoo to identify you precisely, of course). I would avoid any online service that required adults to provide a credit card or anything similar. If some service is using COPPA as an excuse to demand intrusive information from adults, call them on it.
The law is intended to slow down (hardly stop) sites designed to market to little kids. Registering as "12 and under" at Disney's site, for instance, seeks my name, date of birth, gender, zip code, e-mail address (more than enough information to identify me exactly), mother's maiden name and parent's e-mail address - a veritable bonanza of information. I was waiting for them to ask me for a DNA sample. Disney sends an e-mail to the parental e-mail address. Currently Disney does NOT comply with COPPA; the e-mail sent does not in any way notify the parent that they can opt-out of the information collection, it just says "We collected this information from your child and we're really good people so you can trust us with it. And it's a good thing you can trust us, because we've got it now, and we're not giving it back." Compare the FTC guidelines:
"The notice to parents must contain the same information included on the notice on the Web site. In addition, an operator must notify a parent that it wishes to collect personal information from the child; that the parent's consent is required for the collection, use and disclosure of the information; and how the parent can provide consent. The notice to parents must be written clearly and understandably, and must not contain any unrelated or confusing information. An operator may use any one of a number of methods to notify a parent, including sending an email message to the parent or a notice by postal mail."
So, Disney doesn't comply. But they still have a few days. You may want to check out the FTC's information page which has all you need to know about COPPA. If you want to steer clear of any problems whatsoever, it's simple: don't market to little kids. It takes a certain amount of slime to market to people under age 13 anyway - since they don't have any money, you have to brainwash them to pester their parents. If you do want to market to little kids, COPPA isn't much of a barrier. You may need to notify the parents, but you can simply condition your entertainment service on the provision of information and most parents will probably comply. Then you can market to your heart's content, including selling the information to other companies. COPPA is a pretty feeble barrier, and I don't have much sympathy for anyone who gets tripped up by it. We've already seen that the FTC refuses to investigate even large-scale privacy fraud on the part of Internet companies, so it seems extremely doubtful that they're going to deploy COPPA Vice Squads to go out and enforce compliance. Unless you're a really big company in really flagrant violation of the law, you have nothing to worry about.
You can't think of a single one?
Such as, perhaps, Slashdot collecting one's real email address for granting a login account?
Collecting one's state of residence before allowing one to participate in a contest that's illegal in some states?
Collecting one's zip code to provide TV listings that actually relate to what's on one's cable offerings?
I think you didn't try very hard to think of those reasons.
Frankly, I think the solution is to simply bar access to one's site completely to anyone who identifies himself as under 13, and blame this law for it. If enough angry parents call their Congressman with complaints about, say, Yahoo suddenly being inaccessible, perhaps this law will be rethought.
WTF is the government doing in this, anyway? I can protect my kid just fine without their help, thankyouverymuch.
So. My kids get privacy protection, and I have to expressly give my permission for their information to be stored somewhere.
Why on earth can't these same things be applied to myself? *I* want these protections! You shouldn't be able to harvest information about ME, EITHER!
So, it seems that I could set up a magnet site outside the US for kiddies, collect their info, destroy any info from non-US kiddies, and sell the resulting mailing list to US companies. On the surface, at least, this looks safe: not "violating" the privacy of any of the locals, so the local cops won't have any excuse to hassle me, if I've chosen my local wisely. And I'm not doing anything inside the US, so I'm certainly safe there too. The only thing which could screw this up is a US law forbidding US companies from using such data. Try enforcing that one!
See what I've been reading.
Why, I'm doing my part to smash the state and capitalism. How about you?
Anarchist Revolution. NOW!
Thank you, that is all...
Michael Chisari
mchisari@usa.net
Any time I hear sombody talkning about "Parents right" it is very clear that they have completley forgoten what it is like to be in high school, your children are alrady out of your hands, the are infact people. All you acomplish by trying to trow you weight around is to iritate and alianate them. And no I am not in high school, I have not been in high school for many years, I just have a memory!
Also I'm interested to see how this effects people like myself who *shock horror* do not live in the us...
Working for the (other) man
Try any of these solutions if you want to avoid violating this act:
1. Don't target your site to people under 13 as a specific demographic.
2. Don't ask for age on a registration form.
3. If you must ask for age, use a select list who's lowest band is above 13.
If you don't target kids, and have no way of knowing if your visitors are kids, you should be fine.
If you're paranoid, use option 3 for registrations. That way, any kid who registers with your site is lying when he selects anything from your mandatory select list.
Well, gotta go. Time for recess and then a nap.
--
Some people have a way with words, and some people, um, thingy.
You need to ask the kids what their age is. You have to collect (minimal) information about them, such as their email addresses.
So, now you need to get their parent's permission before you collect anything about the kid beyond his or her first name. Plus, you must provide a means for the parent to see what info you have collected about his or her child(ren) and offer the ability for the parent to remove said permission.
Bravery, Kindness, Clarity, Honesty, Compassion, Generosity
...Nothing interesting here. Just move along...
when do we get the Adult Online Privacy Protection Act? :)
They don't own the internet.
The internet dosen't exist in one physical place.
The internet is basically "Use at your own risk."
Therefore: They have no real juristiction in it.
The US is very unstable now. With the recent riots in Seattle and Washington D.C. and the numerous cases of police brutality and overreaction in these riots, "The Land of the Free" is looking more like Neo-Toyko in Akira. The tear gas canisters are being fired at point blank range, mass arrests for using the 1st amendment.
Not that this is totally bad. I kind of find this exciting. I lust over change and dynamic government. I am one of those who believe that people can take care of themselves and don't need a government looking over their shoulder.
Which brings me on-topic. We don't need this law. If parents are so worried about this, why don't they monitor their children. If the children don't want the parents to monitor them, they shouldn't do dumb things. I was an expert at formulating lies when I was younger than 13, and I would use it all the time. Why don't these kids lie about themselves? If people would just use common sense and understand that the 'net isn't anything more than a sprawl and that you have to take care of yourself in it, then we wouldn't have this problem.
"It's the little touches that make a future solid enough to be destroyed" --William S. Bourroughs
To a certain extent this is true, but a parent can't always be with h{is,er} children. Kids go to school, where there are probably computers. Kids visit friends, where there are probably computers. Kids spend time on their home PC doing homework, etc.
I have a 7 month old son, so things like this are constantly on my mind. Some day soon, some day very soon, he is going to start using the computer we have at home (he is already showing interest as he sits on my lap and we read Slashdot together -- he bangs on the keys and reaches for the screen), and I am not going to be able to be with him (as a progammer, I spend a lot of time at work). The best I can hope for is that by the time he is using it when alone, my wife and I have taught him what he should be doing and what he shouldn't be doing. Never give information out over the internet. Never make plans to meet someone you met over the internet. The same things as *I* was taught growing up about the phone -- if someone calls, and you don't know who it is, ask; if someone asks who you are, don't tell them until you know who they are; etc.
This is the fate of most regulation-type laws, unfortunately. Gun control laws tends to fail (or at least fail to live up to expectations) for the same reasons. Prohibition failed for this reason. The real answer is education -- I need to teach my kids what is right and wrong, and what is appropriate and inappropriate.
darren
Cthulhu for President!
(darren)
That's a fine and dandy little law for you American folk to have to deal with... but what about us foreigners?
.com .net or .org address they might have some jurisdiction (as those domains are managed from the USA)... but the worst they could do there is take away your domain name.
I suppose that if you had a
BlackNova Traders
First I would like to say that Parents should not be allowing 13 y/o or younger children to surf the net unsupervised and if they were not neglecting their responsibility the COPPA law would not be necessary. However, in America and probably in most developed nations, parents have abdicated their rights and responsibilities as parents in favor of governmental control and so COPPA is a necessary evil. The argument about offshore sites is a valid one but then America cannot police the entire world, yet! But we have a responsibility to police ourselves. In all I wish the law were unnecessary but lazy, uncaring parents force us to legislate the protection parents are supposed to provide but don't. Will COPPA work? No, like all other laws it will not impact the law-breakers and the law-abiding people (except Disney!!!) were already doing what is necessary to protect our childrens rights. Well that ought to stir up a whole bunch of religious zealots, Paranoids, and Flame hounds so I'll quit there.
I posted the same story a few days ago and it was declined =(...
Anyway...doesn't this mean that...
Think of it this way: If you don't know who is a "child", you don't have to employ any special tactics. A major hole in the law. If you don't ask the age, you're off scott-free.
"spare the lachrymosity when the fulminations have inveighed"
-madd
"Is it even something that deserves worrying about?"
Cliff, are you kidding me? Do you want telemarketers collecting information on your child and indirectly on you through a web site? Don't you want to protect your child from blatant violations of your child's right to privacy because they don't understand that what they're doing is creating a profile under their name on some stranger's database? What if your kid goes to a site that asks for information about YOU? Hmmm... what if Disney, upon realizing that they were gathering information from a child, asks for their parents income (or puts it in cute terms like "what kind of car does your daddy drive?") Does this strike you as a problem?
That was Mountain Dew. It was actually considered a brilliant marketing move - give kids pagers for general use, but pay for them by advertising delivered via the pager.
...phil
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
As someone who has worked extensively with young people I can tell you that statement has no merit. I can't tell you how often I've been amazed to find myself among a group of adolescents with more cash in their pockets than I had in my checking account (unless it was right after payday and just prior to paying the bills). There were very few exceptions, even among those considered to be from 'low-income' families.
Unfortunately many parents today think that, since their time is used to generate money, that throwing money at their children is an acceptable substitute for spending time with them. Go hang out at a mall and watch all the pre-pubescent girls spend wads of cash on little doohickeys to stick in their hair and young boys swapping $5 US bills for arcade tokens like they were pitching pennies in a fountain -- all this with nary a parent in sight. (Yeah I'm sure that sounds sexist, but just go watch and see if it isn't accurate. You do see girls in the arcade, but often they're only watching, and I have yet to see a boy plop down good money for a handfull of multi-hued butterflies to put in his hair though.)
Don't blame the marketeers entirely. If parents exercised some responsibility in this area the justification for targeting penniless waifs would dry up and blow away.
carlos
--
As a matter of fact, I am a lawyer. But I play an actor on TV.
The Protect-Us-From-Government Protection Act
But they never seem to do that...
New XFMail home page
/bin/tcsh: Try it; you'll like it.
I'll provide my data point, and ask for /. advice. My organization provides online courses to K-12 students. Aside from the obvious issue about who is filling out our application form, I also have a "say hello to your Instructor" page which asks registered students about their hobbies and interests.
Our application forms require payment, which implicitly blocks out small children. But the hello form...suggestions?
Frankly, I can't think of a single, legitimate, non-sleazy reason to collect information from anyone under 13. How about giving kids a break from your demographic-analyzing targeted-marketing schemes, guys?
Next, you'll be calling them at home before school to tell them about your great new breakfast cereal. Give me a break.
Save the whales. Feed the hungry. Free the mallocs.
The legislation and rulemaking for COPPA was quite contentious, and the FTC is probably going to be much more of a stickler for children's privacy than it has been for Net fraud.
michael wrote that "We've already seen that the FTC refuses to investigate even large-scale privacy fraud on the part of Internet companies, so it seems extremely doubtful that they're going to deploy COPPA Vice Squads to go out and enforce compliance. Unless you're a really big company in really flagrant violation of the law, you have nothing to worry about."
But it's not quite that simple. Actually, the FTC has been conducting sweeps for Net fraud, and I expect they will start doing much the same thing for kiddie privacy. However, while fraud-hunting is challenging because you need to chase down elusive "businesses" that change online locations frequently, playing the sheriff for violations of children's privacy is easier: investigating and confirming violations are simpler since the FTC can go after established companies.
Also, FTC sweeps aside, COPPA may open the door for lots of lawsuits, perhaps even class-action suits. (Are your lawyers listening yet?)
COPPA ought to be taken very seriously, and many companies are scrambling to comply. (See, for instance, this C|NET article, Many Web sites will pay high price for children's data , or this Wired article, Time Running Out on Kid E-mail .)
Not complying by tonight is not a big deal. Not complying by early summer is a problem. If you don't have your act together by August, you're in serious trouble.
A. Keiper
The Center for the Study of Technology and Society
Washington, D.C.
I get worried when I see any internet Protection Act.
. The protect-anything-from-anybody-Protection Act.
The-protect-your-pet- parakeet-from-bad-bird-feed-Protection Act.
The protect-My-pants-from-hot-grits -Protection Act.
The protect-Cowboy-neal-from-natalie-portman-glam-shot s -Protection Act.
The protect-my-karma-from-AOL-moderators-Protection Act.
The protect-the-other-guy-from-himself-Protection Act.
The protect-yourself-from-yourself-Protection Act.
It seems that there is no end to the gov. trying to baby-sit us.
___
Here's the design problem: As the poster pointed out, if you don't target your site at the under-13 crowd, and if you simply fail to ask the respondant's age, you don' hafta do nothin'. Well, that should be OK, right? After all, if you don't know their age, you lose one of the most important pieces of marketing information, and therefore you can't really use your nefarious marketing tactics on their impressionable little minds.
Unfortunately, wrong. The purpose of all those demographic studies is to find out what people in a certain group like to buy and what characteristics they have, but you can surely reverse those demographics to find out, given a set of characteristics, what age group they are in. Ask them a relatively few "key" questions scattered in with the rest of the form ("What's your favorite possession? a) car b) home c) pokemon cards") and you will know what market segment you are interviewing. Then the rest is buttah - you can collect their data with just as much (if not more) certainty that they actually are the age you believe them to be. After all, anyone can lie to a direct age question; but you may not realize someone is asking your age when they ask you about your favorite possession.
Oops. Back to the drawing board, lawmakers.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
Would a guestbook count as collecting "personal information", as it asks for name, website, where you're from, etc.----or since it's hosted by Bravenet, do they take the heat? Even though all fields are optional (excepting name and comment, which can be easily lied to)?
How am I supposed to know if my site is directed towards people under 13? I'm sure there are plenty of adults out there that would be interested in it, though it is more child-like stuff.
I regret I can't give the site out here; the /. effect might kill it, since it's only a free site.
~~~LXT~~~
Life is like a computer program: anything that can't happen, will.
... is a difficult thing to prove. One possible solution is to discard any information on anyone who is less than 13 years of age. Not a hard algorith to do...
---
-
ping -f 255.255.255.255 # if only
Not that it applies to many sites - most can brush this off. But the problem is that legislation like this gets it's foot in the door and then more regulation starts pouring through. They tried it first by saying that it was all these perverts who were online. Then they attacked crypto as being tools for "infocriminals". Now they're saying "It's for the children!", a cry that should sound an alarm for any activist who fears government regulation. Christ, don't these people just give up? I rather wish congress wasn't based on districts but was held at the national level - it would put an end to this sillyness.. but that's an entirely different discussion..
Regulation like this needs to be shot down - it will only open the door to more legislation, litigation, and regulation. I want as little of any of those as possible online.
If your site sells products for an age group under 14, or has reason to believe minors(as defined within' the scope of this law) are on your website then you need to comply. Selling pokeman, but not putting an age catagory in the signon, may not be enough to protect you. Since is perfectly reasonable too assume minors will visit your site.
On a humorous note:
about 2 weeks ago I logged on to NeverQuest, and they had a pop up that said, If you are under 13 you need to get parental permission. If you made a "mistake" entering your birthdate you should change it now.
Could you find a less obvious way to say "Lie to us so we won't be liable, or have to do too much extra work"
The Kruger Dunning explains most post on