COPPA, What Are You Doing About It?
Some more information from michael: COPPA shouldn't affect most sites. Unless your site is targeted toward children and actively solicits personal information (name, e-mail address, regular address, age, etc.) from children, you probably have to do nothing. Here's a snippet, straight from the FTC:
"If you operate a commercial Web site or an online service directed to children under 13 that collects personal information from children or if you operate a general audience Web site and have actual knowledge that it collects personal information from children, you must comply with the Children's Online Privacy Protection Act."
"Children" is defined to mean "people under the age of 13". So unless your site is directed to kids 12 and under and collects information from visitors OR you collect information and you know that you're collecting information from kids 12 and under (for instance, you make them register and include an age category with "12 and under" as one of the choices), you don't need to do much at all. Just don't ask their age!
Slashdot received reports that Yahoo was forcing people to provide credit card information in order to register for services. Well, part of Yahoo is directed specifically at children, and Yahoo does collect personal information, so they're concerned. The submissions implied Yahoo was doing this for ALL of their services though, which seems like overkill - a ploy to justify seeking more information from adults (a credit card allows Yahoo to identify you precisely, of course). I would avoid any online service that required adults to provide a credit card or anything similar. If some service is using COPPA as an excuse to demand intrusive information from adults, call them on it.
The law is intended to slow down (hardly stop) sites designed to market to little kids. Registering as "12 and under" at Disney's site, for instance, seeks my name, date of birth, gender, zip code, e-mail address (more than enough information to identify me exactly), mother's maiden name and parent's e-mail address - a veritable bonanza of information. I was waiting for them to ask me for a DNA sample. Disney sends an e-mail to the parental e-mail address. Currently Disney does NOT comply with COPPA; the e-mail sent does not in any way notify the parent that they can opt out of the information collection, it just says "We collected this information from your child and we're really good people so you can trust us with it. And it's a good thing you can trust us, because we've got it now, and we're not giving it back." Compare the FTC guidelines:
"The notice to parents must contain the same information included on the notice on the Web site. In addition, an operator must notify a parent that it wishes to collect personal information from the child; that the parent's consent is required for the collection, use and disclosure of the information; and how the parent can provide consent. The notice to parents must be written clearly and understandably, and must not contain any unrelated or confusing information. An operator may use any one of a number of methods to notify a parent, including sending an email message to the parent or a notice by postal mail."
So, Disney doesn't comply. But they still have a few days. You may want to check out the FTC's information page which has all you need to know about COPPA. If you want to steer clear of any problems whatsoever, it's simple: don't market to little kids. It takes a certain amount of slime to market to people under age 13 anyway - since they don't have any money, you have to brainwash them to pester their parents. If you do want to market to little kids, COPPA isn't much of a barrier. You may need to notify the parents, but you can simply condition your entertainment service on the provision of information and most parents will probably comply. Then you can market to your heart's content, including selling the information to other companies. COPPA is a pretty feeble barrier, and I don't have much sympathy for anyone who gets tripped up by it. We've already seen that the FTC refuses to investigate even large-scale privacy fraud on the part of Internet companies, so it seems extremely doubtful that they're going to deploy COPPA Vice Squads to go out and enforce compliance. Unless you're a really big company in really flagrant violation of the law, you have nothing to worry about.