COPPA in 2005

The Children’s Online Privacy Protection Act (COPPA) of 1998 became law in April 2000 (PDF). At that time, the FTC instituted a “sliding scale mechanism” that relaxed requirements for obtaining parental consent. This temporary sliding scale was supposed to expire in 2005, but the FTC recently decided to extend it indefinitely (PDF).

What this means is that websites collecting personally identifiable information from kids for internal purposes only can use email to obtain parental consent. This is called the “email plus” method.

Email Plus

Under the “email plus” method, you can simply e-mail a parent with the required notice, and the parent can respond by e-mail to provide consent. However, an additional step is required:

• After a reasonable amount of time, you can send a follow-up e-mail to the parent confirming the consent. or…
• In the initial e-mail to parents requesting consent, you can obtain a phone number or snail mail address. After receiving consent by e-mail, use the phone number or snail mail address to follow up with the parent and confirm consent.

The intent of the additional step is to increase the chances that a parent will actually see the exchange. It’s based on the assumption that kids often use a parent’s e-mail address to register for a website. If the follow-up message is delayed (or given by phone or snail mail), it increases the chance that it will not be intercepted by the child.

What is not addressed is the likelihood of a child lying and giving a personal e-mail address and claiming it’s the parent’s. This is a common practice, but at the moment there seems to be no effective way to address it without overburdening businesses affected by the Rule.

Who can use the “sliding scale” mechanism?

Only websites that use the info for internal purposes only and who do not allow children to share the information through the website can take advantage of this more relaxed method of obtaining consent.

The first part of this is simple–if you are using the information for internal purposes only, then you aren’t selling it, giving it, trading it, or otherwise sharing it with outside parties. (Contractors and freelancers doing work for you aren’t considered “outside parties,” because they are covered under your privacy policy).

The second part is what gets people in trouble. Websites that offer chat rooms, discussion boards, or other methods through which a child may share personally identifiable information with strangers, are not allowed to use the “email plus” method. Even if the chat room is monitored, and even if the message board is “swept” (meaning people look at posts after they are already online), it doesn’t matter. If it’s at all possible for a child to use the website to share a full name or phone number (even if that post gets deleted an hour later), this still falls under the category of allowing the collection of PII by third parties.

However, if messages in your chat room are all pre-screened (as in an auditorium-style chat, and if all messages in your message board are screened before they go live, then you may still be allowed to use the “email plus” method.

Who should care about COPPA?

COPPA regulates the online collection of personally identifiable information (PII) from children under the age of 13. The rule concerns not only websites targeted at children, but any website that collects personally identifiable information from children under 13. The Rule only applies to commercial websites (and in some cases to not-for-profits that exist for the purpose of making money for their for-profit members), but not-for-profits are encouraged to adopt the practices, and it is federal policy that all federal websites (and their contractors) are required to follow.

Tags: coppa, online privacy