There’s a book out now that has a chapter I contributed. The book is Settlers of the New Virtual Worlds, and my chapter is called Kids and Digital Ownership.

Here’s an excerpt from my chapter:

Managing Youth Creativity

What is the value of a digital creation, and who owns it? Particularly among the young, the line between creator and consumer has blurred, as has the question of ownership.

Some companies claim full ownership of content created with their tools or stored on their servers, while others take a more hands-off approach. When it comes to kids, neither strategy is ultimately effective.

The hands-off approach, whereby the company denies responsibility for and ownership of user-generated content, is not compatible with laws and standards that are in place to protect young people. For example, the Children’s Online Privacy Protection Act (COPPA) makes it difficult for website operators to allow children to share freely, and when the website is monitored, the operator can’t deny knowledge of a problematic piece of content.

And using an online contract such as a Terms of Service or an End User Licensing Agreement (EULA) to claim ownership of user-generated content does not work with children, and such digital contracts end up being worth the paper they’re written on.

The solution, however, is not to shut the gates to children. Today’s youth are the ones who will build and manage tomorrow’s virtual worlds as well as enact policies that govern those virtual spaces. The manner in which we address their needs today will have a direct impact on tomorrow’s virtual cultures, laws, and best practices.

Go here to learn more about the project:

http://www.bettereula.com/wp/settlers/

Do you have a website where you collect email addresses from kids?

Are you familiar with United States federal law regarding commercial websites that collect personal information from children? It’s called the Children’s Online Privacy Protection Rule, and a single violation can have a civil penalty of up to $11,000.

Even if you aren’t making money from your author website, it’s a commercial site if you are using it to promote your books. Because of this, you have to be careful how you collect personal information from children.

The best resource for learning about this is the FTC website, but it’s a lot of data and more than most of you need. And this is where I make it clear that I’m not a lawyer (IANAL). But I am familiar with the legislation and best practices that protect children online.

So here are a few basic tips.

The easiest thing is not to collect email addresses from kids at all, which means deleting them from your inbox, address book, and anywhere else they might be hiding.

But you wouldn’t be an author if you had any interest in the easy path. And you want to be able to collect those email addresses and send out announcements.

So, let’s take a look at what’s second easiest.

1. Post a privacy statement on your website, in a prominent place on the main page and on any page where you collect email addresses.  There are specific things you should include in the statement, so check them out:
   • Your name, address, telephone number and email address. You may want to use a P.O. Box and create a separate email address. Just be sure to check it regularly
   • The type of personal info you are collecting (in this case, names and email addresses), and how you are collecting it
   • How the info is going to be used (in this case, to send email announcements)
   • The fact that you won’t disclose this info to third parties
   • That the parent can review what info you’ve collected from their child and ask you to delete it
   • And that you aren’t allowed to condition a child’s participation in an activity on the disclosure of more information than is reasonably necessary to participate. That means you should only require email addresses for activities that need it, such as a newsletter or forum notifications.
2. Make sure your sign-up gizmo has an age-screening mechanism:
   • This is generally just a drop-down menu that asks for date of birth.
   • If the signer-upper is under 13, they should be prompted to include a parent’s email address as part of the sign-up process.
3. A notice should automatically be emailed to the parent’s email address. This notice should state the obvious:
   • that you have collected the child’s name and email address.
   • that the parent can respond to the email and tell you to delete the child’s info.
   • and that if the parent doesn’t respond, it means you have permission to use the child’s email address to send announcements.

   Note: this method is only good for collecting email address. If you are collecting home addresses and such, that will require additional steps, which we won’t get into here.

4. Don’t allow children to post freely on your site. If you have a blog or forum open to children, screen everything and remove any personal information, including email addresses.
5. And while it might not be required as part of this particular law, you should remove any other information, such as school or teacher names, that might help a predator track down the child. Best to be safe.
6. If you have a section to display fan mail, fan art, fan fiction, etc., be sure to strip away any personal information. First name and city should be sufficient to give credit.
7. Most importantly, don’t let this scare you into shutting down communication. These few steps will allow you to stay in direct contact with your fans, which is the steady breath of fresh air any children’s book author needs.

Washington post article

FTC statement

What Xanga did wrong was this: they said that children under 13 could not register, but they allowed children under 13 to register. Xanga CEO John Hiler claimed that many of the 1.7 million “under 13″ birth dates may have actually referred to pet birthdays, engagement dates and “born-again” dates for religious bloggers. This explanation might help with some of the bad PR, but COPPA is pretty black and white on the issue.

Like so many COPPA issues, it all comes down to the registration interface.

What should they have done? The simplest thing would have been to change their signup process so that children under 13 could not sign up. They would have to allow for “under 13″ birth dates to be entered, to reduce the fib factor, and they would also need some sort of mechanism that doesn’t allow the same kid to click “back” on their browser and try to change their date of birth. Simple. If the kid cleared the cache or used another browser and tried again, Xanga would not be held responsible. They’d be covered. They would also want to contact all their “under 13″ members and alert them to the change in their privacy policy, and find a nice way to tell them that their membership is being deleted.

Ok, maybe that’s not so simple, in part because all those kids who get deleted are going to be angry. The only responsible reaction is to create a parental consent system for the kids. The effect would be similar, because signed parental consent is a huge barrier, but it’s better than saying “you’re too young” to an entire segment of your membership.

Ok, let’s take a look at Xanga’s registration and see what their new Chief Safety Officer has done.

The privacy policy looks fine, though they only have one tiny section devoted to the issue of children. They provide a way for parents to delete their children’s accounts, which is good. Xanga’s solution is to restrict access completely to kids under 13. Sad, but probably the right move for them.

Next, the registration form has no link to the Privacy Policy, which is a Bad Thing, especially considering the age of their audience. They aren’t technically breaking the law here, but it’s on the border. Just add the link, please. The rule says, “Post a privacy policy on the homepage of the Web site and link to the privacy policy on every page where personal information is collected.”

Ok, so I just tried to sign up as a 10 year old, and I got this error message: “Sorry! Based on the information you provided, you are not eligible to register for a new account.” So far so good. And now I changed my age to 34 and tried again, and I got the same message. Kudos, Xanga.
If I remember correctly, that particular mechanism isn’t mandated by COPPA but rather recommeded highly by the Children’s Advertising Review Unit (CARU), which among many other things is a top COPPA watchdog.

Yeah, instead of playing World of Warcraft on a Sunday night I’m blogging about COPPA. Sue me.

The Children’s Online Privacy Protection Act (COPPA) of 1998 became law in April 2000 (PDF). At that time, the FTC instituted a “sliding scale mechanism” that relaxed requirements for obtaining parental consent. This temporary sliding scale was supposed to expire in 2005, but the FTC recently decided to extend it indefinitely (PDF).

What this means is that websites collecting personally identifiable information from kids for internal purposes only can use email to obtain parental consent. This is called the “email plus” method.

Email Plus

Under the “email plus” method, you can simply e-mail a parent with the required notice, and the parent can respond by e-mail to provide consent. However, an additional step is required:

• After a reasonable amount of time, you can send a follow-up e-mail to the parent confirming the consent. or…
• In the initial e-mail to parents requesting consent, you can obtain a phone number or snail mail address. After receiving consent by e-mail, use the phone number or snail mail address to follow up with the parent and confirm consent.

The intent of the additional step is to increase the chances that a parent will actually see the exchange. It’s based on the assumption that kids often use a parent’s e-mail address to register for a website. If the follow-up message is delayed (or given by phone or snail mail), it increases the chance that it will not be intercepted by the child.

What is not addressed is the likelihood of a child lying and giving a personal e-mail address and claiming it’s the parent’s. This is a common practice, but at the moment there seems to be no effective way to address it without overburdening businesses affected by the Rule.

Who can use the “sliding scale” mechanism?

Only websites that use the info for internal purposes only and who do not allow children to share the information through the website can take advantage of this more relaxed method of obtaining consent.

The first part of this is simple–if you are using the information for internal purposes only, then you aren’t selling it, giving it, trading it, or otherwise sharing it with outside parties. (Contractors and freelancers doing work for you aren’t considered “outside parties,” because they are covered under your privacy policy).

The second part is what gets people in trouble. Websites that offer chat rooms, discussion boards, or other methods through which a child may share personally identifiable information with strangers, are not allowed to use the “email plus” method. Even if the chat room is monitored, and even if the message board is “swept” (meaning people look at posts after they are already online), it doesn’t matter. If it’s at all possible for a child to use the website to share a full name or phone number (even if that post gets deleted an hour later), this still falls under the category of allowing the collection of PII by third parties.

However, if messages in your chat room are all pre-screened (as in an auditorium-style chat, and if all messages in your message board are screened before they go live, then you may still be allowed to use the “email plus” method.

Who should care about COPPA?

COPPA regulates the online collection of personally identifiable information (PII) from children under the age of 13. The rule concerns not only websites targeted at children, but any website that collects personally identifiable information from children under 13. The Rule only applies to commercial websites (and in some cases to not-for-profits that exist for the purpose of making money for their for-profit members), but not-for-profits are encouraged to adopt the practices, and it is federal policy that all federal websites (and their contractors) are required to follow.