Slashdot Mirror
COPPA, What Are You Doing About It?
Some more information from michael : COPPA shouldn't affect most sites. Unless your site is targeted toward children and actively solicits personal information (name, e-mail address, regular address, age, etc.) from children, you probably have to do nothing. Here's a snippet, straight from the FTC:
"If you operate a commercial Web site or an online service directed to children under 13 that collects personal information from children or if you operate a general audience Web site and have actual knowledge that it collects personal information from children, you must comply with the Children's Online Privacy Protection Act."
"Children" is defined to mean "people under the age of 13". So unless your site is directed to kids 12 and under and collects information from visitors OR you collect information and you know that you're collecting information from kids 12 and under (for instance, you make them register and include an age category with "12 and under" as one of the choices), you don't need to do much at all. Just don't ask their age!
Slashdot received reports that Yahoo was forcing people to provide credit card information in order to register for services. Well, part of Yahoo is directed specifically at children, and Yahoo does collect personal information, so they're concerned. The submissions implied Yahoo was doing this for ALL of their services though, which seems like overkill - a ploy to justify seeking more information from adults (a credit card allows Yahoo to identify you precisely, of course). I would avoid any online service that required adults to provide a credit card or anything similar. If some service is using COPPA as an excuse to demand intrusive information from adults, call them on it.
The law is intended to slow down (hardly stop) sites designed to market to little kids. Registering as "12 and under" at Disney's site, for instance, seeks my name, date of birth, gender, zip code, e-mail address (more than enough information to identify me exactly), mother's maiden name and parent's e-mail address - a veritable bonanza of information. I was waiting for them to ask me for a DNA sample. Disney sends an e-mail to the parental e-mail address. Currently Disney does NOT comply with COPPA; the e-mail sent does not in any way notify the parent that they can opt-out of the information collection, it just says "We collected this information from your child and we're really good people so you can trust us with it. And it's a good thing you can trust us, because we've got it now, and we're not giving it back." Compare the FTC guidelines:
"The notice to parents must contain the same information included on the notice on the Web site. In addition, an operator must notify a parent that it wishes to collect personal information from the child; that the parent's consent is required for the collection, use and disclosure of the information; and how the parent can provide consent. The notice to parents must be written clearly and understandably, and must not contain any unrelated or confusing information. An operator may use any one of a number of methods to notify a parent, including sending an email message to the parent or a notice by postal mail."
So, Disney doesn't comply. But they still have a few days. You may want to check out the FTC's information page which has all you need to know about COPPA. If you want to steer clear of any problems whatsoever, it's simple: don't market to little kids. It takes a certain amount of slime to market to people under age 13 anyway - since they don't have any money, you have to brainwash them to pester their parents. If you do want to market to little kids, COPPA isn't much of a barrier. You may need to notify the parents, but you can simply condition your entertainment service on the provision of information and most parents will probably comply. Then you can market to your heart's content, including selling the information to other companies. COPPA is a pretty feeble barrier, and I don't have much sympathy for anyone who gets tripped up by it. We've already seen that the FTC refuses to investigate even large-scale privacy fraud on the part of Internet companies, so it seems extremely doubtful that they're going to deploy COPPA Vice Squads to go out and enforce compliance. Unless you're a really big company in really flagrant violation of the law, you have nothing to worry about.
You can't think of a single one?
Such as, perhaps, Slashdot collecting one's real email address for granting a login account?
Collecting one's state of residence before allowing one to participate in a contest that's illegal in some states?
Collecting one's zip code to provide TV listings that actually relate to what's on one's cable offerings?
I think you didn't try very hard to think of those reasons.
Frankly, I think the solution is to simply bar access to one's site completely to anyone who identifies himself as under 13, and blame this law for it. If enough angry parents call their Congressman with complaints about, say, Yahoo suddenly being inaccessible, perhaps this law will be rethought.
WTF is the government doing in this, anyway? I can protect my kid just fine without their help, thankyouverymuch.
So. My kids get privacy protection, and I have to expressly give my permission for their information to be stored somewhere.
Why on earth can't these same things be applied to myself? *I* want these protections! You shouldn't be able to harvest information about ME, EITHER!
Also I'm interested to see how this effects people like myself who *shock horror* do not live in the us...
Working for the (other) man
First I would like to say that Parents should not be allowing 13 y/o or younger children to surf the net unsupervised and if they were not neglecting their responsibility the COPPA law would not be necessary. However, in America and probably in most developed nations, parents have abdicated their rights and responsibilities as parents in favor of governmental control and so COPPA is a necessary evil. The argument about offshore sites is a valid one but then America cannot police the entire world, yet! But we have a responsibility to police ourselves. In all I wish the law were unnecessary but lazy, uncaring parents force us to legislate the protection parents are supposed to provide but don't. Will COPPA work? No, like all other laws it will not impact the law-breakers and the law-abiding people (except Disney!!!) were already doing what is necessary to protect our childrens rights. Well that ought to stir up a whole bunch of religious zealots, Paranoids, and Flame hounds so I'll quit there.
I suppose that if you had a
If you're collecting demographic information on kids, you're probably trying to sell to them. If you're capable of selling to kids (actually, their parents) in the US, you have enough presence in the US for the US law to get at you. If you're in Europe, you're worse off, since the US will call your jurisdiction's cops, and say "these guys are violating even our extremely lax standards - they're probably violating yours, too". I don't know this will work in the rest of the world, but the real kicker is the money. If you're not making money from collecting consumer data, why bother?
As someone who has worked extensively with young people I can tell you that statement has no merit. I can't tell you how often I've been amazed to find myself among a group of adolescents with more cash in their pockets than I had in my checking account (unless it was right after payday and just prior to paying the bills). There were very few exceptions, even among those considered to be from 'low-income' families.
Unfortunately many parents today think that, since their time is used to generate money, that throwing money at their children is an acceptable substitute for spending time with them. Go hang out at a mall and watch all the pre-pubescent girls spend wads of cash on little doohickeys to stick in their hair and young boys swapping $5 US bills for arcade tokens like they were pitching pennies in a fountain -- all this with nary a parent in sight. (Yeah I'm sure that sounds sexist, but just go watch and see if it isn't accurate. You do see girls in the arcade, but often they're only watching, and I have yet to see a boy plop down good money for a handfull of multi-hued butterflies to put in his hair though.)
Don't blame the marketeers entirely. If parents exercised some responsibility in this area the justification for targeting penniless waifs would dry up and blow away.
carlos
--
As a matter of fact, I am a lawyer. But I play an actor on TV.
Frankly, I can't think of a single, legitimate, non-sleazy reason to collect information from anyone under 13. How about giving kids a break from your demographic-analyzing targeted-marketing schemes, guys?
Next, you'll be calling them at home before school to tell them about your great new breakfast cereal. Give me a break.
Save the whales. Feed the hungry. Free the mallocs.
The legislation and rulemaking for COPPA was quite contentious, and the FTC is probably going to be much more of a stickler for children's privacy than it has been for Net fraud.
michael wrote that "We've already seen that the FTC refuses to investigate even large-scale privacy fraud on the part of Internet companies, so it seems extremely doubtful that they're going to deploy COPPA Vice Squads to go out and enforce compliance. Unless you're a really big company in really flagrant violation of the law, you have nothing to worry about."
But it's not quite that simple. Actually, the FTC has been conducting sweeps for Net fraud, and I expect they will start doing much the same thing for kiddie privacy. However, while fraud-hunting is challenging because you need to chase down elusive "businesses" that change online locations frequently, playing the sheriff for violations of children's privacy is easier: investigating and confirming violations are simpler since the FTC can go after established companies.
Also, FTC sweeps aside, COPPA may open the door for lots of lawsuits, perhaps even class-action suits. (Are your lawyers listening yet?)
COPPA ought to be taken very seriously, and many companies are scrambling to comply. (See, for instance, this C|NET article, Many Web sites will pay high price for children's data , or this Wired article, Time Running Out on Kid E-mail .)
Not complying by tonight is not a big deal. Not complying by early summer is a problem. If you don't have your act together by August, you're in serious trouble.
A. Keiper
The Center for the Study of Technology and Society
Washington, D.C.
If your site sells products for an age group under 14, or has reason to believe minors(as defined within' the scope of this law) are on your website then you need to comply. Selling pokeman, but not putting an age catagory in the signon, may not be enough to protect you. Since is perfectly reasonable too assume minors will visit your site.
On a humorous note:
about 2 weeks ago I logged on to NeverQuest, and they had a pop up that said, If you are under 13 you need to get parental permission. If you made a "mistake" entering your birthdate you should change it now.
Could you find a less obvious way to say "Lie to us so we won't be liable, or have to do too much extra work"
The Kruger Dunning explains most post on