It wasn’t any sort of evil white-collar schemy crime. They didn’t launder money or engage in insider trading. Like a surprising lot of companies, they just didn’t bother to bother the experts. In this case, children’s online community experts. They demonstrated a profound lack of rigor.

The thing wasn’t that they collected email addresses. There are ways to do that legally without jumping through too many hoops. And it wasn’t that they pshawed the COPPA Commandments. The mistake, at the simplest level, was asking for date of birth. That tiny little drop-down doohickey provided the “actual knowledge” that did them in.

There’s more to it, of course. And a company like Sony should be just as invested in best practices as they are in the law, and best practices for them would start with the acknowledgment that kids are going to be visiting their music websites and they’d better face that fact head on.

I wouldn’t be surprised if they went out shortly and recruited themselves a Czar to wear the thinking cap on this sort of thing from now on.

Do you have a website where you collect email addresses from kids?

Are you familiar with United States federal law regarding commercial websites that collect personal information from children? It’s called the Children’s Online Privacy Protection Rule, and a single violation can have a civil penalty of up to $11,000.

Even if you aren’t making money from your author website, it’s a commercial site if you are using it to promote your books. Because of this, you have to be careful how you collect personal information from children.

The best resource for learning about this is the FTC website, but it’s a lot of data and more than most of you need. And this is where I make it clear that I’m not a lawyer (IANAL). But I am familiar with the legislation and best practices that protect children online.

So here are a few basic tips.

The easiest thing is not to collect email addresses from kids at all, which means deleting them from your inbox, address book, and anywhere else they might be hiding.

But you wouldn’t be an author if you had any interest in the easy path. And you want to be able to collect those email addresses and send out announcements.

So, let’s take a look at what’s second easiest.

1. Post a privacy statement on your website, in a prominent place on the main page and on any page where you collect email addresses.  There are specific things you should include in the statement, so check them out:
   • Your name, address, telephone number and email address. You may want to use a P.O. Box and create a separate email address. Just be sure to check it regularly
   • The type of personal info you are collecting (in this case, names and email addresses), and how you are collecting it
   • How the info is going to be used (in this case, to send email announcements)
   • The fact that you won’t disclose this info to third parties
   • That the parent can review what info you’ve collected from their child and ask you to delete it
   • And that you aren’t allowed to condition a child’s participation in an activity on the disclosure of more information than is reasonably necessary to participate. That means you should only require email addresses for activities that need it, such as a newsletter or forum notifications.
2. Make sure your sign-up gizmo has an age-screening mechanism:
   • This is generally just a drop-down menu that asks for date of birth.
   • If the signer-upper is under 13, they should be prompted to include a parent’s email address as part of the sign-up process.
3. A notice should automatically be emailed to the parent’s email address. This notice should state the obvious:
   • that you have collected the child’s name and email address.
   • that the parent can respond to the email and tell you to delete the child’s info.
   • and that if the parent doesn’t respond, it means you have permission to use the child’s email address to send announcements.

   Note: this method is only good for collecting email address. If you are collecting home addresses and such, that will require additional steps, which we won’t get into here.

4. Don’t allow children to post freely on your site. If you have a blog or forum open to children, screen everything and remove any personal information, including email addresses.
5. And while it might not be required as part of this particular law, you should remove any other information, such as school or teacher names, that might help a predator track down the child. Best to be safe.
6. If you have a section to display fan mail, fan art, fan fiction, etc., be sure to strip away any personal information. First name and city should be sufficient to give credit.
7. Most importantly, don’t let this scare you into shutting down communication. These few steps will allow you to stay in direct contact with your fans, which is the steady breath of fresh air any children’s book author needs.