
Xanga, COPPA, and the role of a Chief Safety Officer

   Posted by: rettstatt   in Uncategorized

Xanga, a social networking site with 25 million registered members, has been ordered by the Federal Trade Commission, which enforces the Children’s Online Privacy Protection Act (COPPA), to pay a $1 million fine for violating COPPA.

Washington Post article

FTC statement

What Xanga did wrong was this: they said that children under 13 could not register, but they allowed children under 13 to register. Xanga CEO John Hiler claimed that many of the 1.7 million “under 13” birth dates may have actually referred to pet birthdays, engagement dates and “born-again” dates for religious bloggers. This explanation might help with some of the bad PR, but COPPA is pretty black and white on the issue.

Like so many COPPA issues, it all comes down to the registration interface.

What should they have done? The simplest thing would have been to change their signup process so that children under 13 could not sign up. They would have to allow for “under 13” birth dates to be entered, to reduce the fib factor, and they would also need some sort of mechanism that doesn’t allow the same kid to click “back” on their browser and try to change their date of birth. Simple. If the kid cleared the cache or used another browser and tried again, Xanga would not be held responsible. They’d be covered. They would also want to contact all their “under 13” members and alert them to the change in their privacy policy, and find a nice way to tell them that their membership is being deleted.

Ok, maybe that’s not so simple, in part because all those kids who get deleted are going to be angry. The only responsible reaction is to create a parental consent system for the kids. The effect would be similar, because signed parental consent is a huge barrier, but it’s better than saying “you’re too young” to an entire segment of your membership.

Ok, let’s take a look at Xanga’s registration and see what their new Chief Safety Officer has done.

The privacy policy looks fine, though they only have one tiny section devoted to the issue of children. They provide a way for parents to delete their children’s accounts, which is good. Xanga’s solution is to restrict access completely to kids under 13. Sad, but probably the right move for them.

Next, the registration form has no link to the Privacy Policy, which is a Bad Thing, especially considering the age of their audience. They aren’t technically breaking the law here, but it’s on the border. Just add the link, please. The rule says, “Post a privacy policy on the homepage of the Web site and link to the privacy policy on every page where personal information is collected.”

Ok, so I just tried to sign up as a 10 year old, and I got this error message: “Sorry! Based on the information you provided, you are not eligible to register for a new account.” So far so good. And now I changed my age to 34 and tried again, and I got the same message. Kudos, Xanga.
If I remember correctly, that particular mechanism isn’t mandated by COPPA but rather recommended highly by the Children’s Advertising Review Unit (CARU), which among many other things is a top COPPA watchdog.
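
The age screen described above, as an added example (not Xanga's code and not part of the original post): under-13 birth dates are accepted as input and then rejected, and a signed cookie keeps the same browser locked out when the date is changed. The cookie name, key and function names are assumptions; the rejection text is the message quoted in the post.

```python
import hashlib
import hmac
from datetime import date

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to the client
COOKIE = "age_screen"             # hypothetical cookie name
MIN_AGE = 13
# Rejection text as quoted in the post; identical for every failure path.
REJECT = ("Sorry! Based on the information you provided, "
          "you are not eligible to register for a new account.")

def _mac(value):
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()

def sign(value):
    return value + "." + _mac(value)

def verified(cookie):
    """Return the cookie's value if the server issued it, else None."""
    if not cookie or "." not in cookie:
        return None
    value, mac = cookie.rsplit(".", 1)
    good = hmac.compare_digest(mac.encode(), _mac(value).encode())
    return value if good else None

def age_on(dob, today):
    """Whole years between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def screen(dob, cookies, today):
    """Neutral age screen. Returns (allowed, message, cookies_to_set)."""
    # A browser that already failed stays locked out, whatever date it sends now.
    if verified(cookies.get(COOKIE)) == "failed":
        return False, REJECT, {}
    # Under-13 dates are accepted as input (no hint to lie), then rejected.
    if age_on(dob, today) < MIN_AGE:
        return False, REJECT, {COOKIE: sign("failed")}
    return True, "ok", {}

if __name__ == "__main__":
    today = date(2006, 9, 25)                          # constructed sample date
    _, msg, jar = screen(date(1996, 5, 1), {}, today)  # signs up as a 10 year old
    print(msg, jar)
    print(screen(date(1972, 5, 1), jar, today)[:2])    # same browser, now "34"
    print(screen(date(1972, 5, 1), {}, today)[:2])     # fresh browser: allowed
```

A browser with no cookie gets a fresh attempt, which matches the post's point that clearing the cache or switching browsers is outside what the site is held responsible for.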

Yeah, instead of playing World of Warcraft on a Sunday night I’m blogging about COPPA. Sue me.


This entry was posted on Monday, September 25th, 2006 at 03:35 and is filed under Uncategorized.

One comment

izzy

Can I be you? You = smart.

October 9th, 2006 at 20:57
