How to Comply with COPPA
Disclaimer
This is not legal advice. You must not rely on the
information on this slide as an alternative to legal
advice from your attorney or other professional legal
services provider. If you have any specific questions
about any legal matter you should consult your
attorney or other professional legal services provider.
You should never delay seeking legal advice, disregard
legal advice, or commence or discontinue any legal
action because of information in this presentation.
COPPA
• The Children’s Online Privacy Protection Act (COPPA) was
enacted by Congress in 1998. COPPA required the Federal Trade
Commission (FTC) to issue and enforce regulations concerning
children’s online privacy. The FTC’s amended Rule became effective
on July 1, 2013.
• COPPA’s primary goal is to ensure that parents have control over
what information is collected from their young children online.
• The Rule only covers developers that:
(1) operate mobile apps that are directed to children under 13 and collect, use or
disclose personal information from children, and
(2) have actual knowledge that they are collecting, using, or disclosing
personal information from children under 13.
What does “personal information” include?
(1) first and last name;
(2) a home or other physical address including street name and name of a city or town;
(3) online contact information;
(4) a screen or user name that functions as online contact information;
(5) a telephone number;
(6) a social security number;
(7) a persistent identifier;
(8) a photograph, video, or audio file, where such file contains a child’s image or voice; or
(9) geo-location information sufficient to identify street name and name of a city or town.
If you are covered, what should you do?
• Post a clear and comprehensive privacy policy
• Send direct notice to parents
• Obtain verifiable parental consent from parents
• Provide sufficient security for collected personal
information
• Allow parents to review collected information
What does “comprehensive” mean?
Your privacy policy needs to include the following information:
• The developer and related operators’ personal information,
including: (1) name, (2) address, (3) telephone number and (4)
email address.
• A description of the types of information the developer collects from
children, and how the developer uses the information.
• A statement that parents can review or delete their children’s
personal information and prevent future collection.
What does “clear” mean?
The amended Rule requires the developer to post the privacy policy
link in a clear and prominent location on the website or on the landing
page.
A “clear and prominent” link must stand out and be noticeable to the
site’s visitors. The link is likely to be “clear and prominent” if it is in a
larger font size and in all caps in a color that contrasts with the
background.
For example:
What needs to be in the notice?
1. If the notice is used to obtain a parent’s verifiable consent
prior to the collection of a child’s personal information, then
you must:
• State that you have collected the parent’s online contact information from the
child, and that it is only used to obtain the parent’s consent;
• State that the parent’s consent is required for the information collection;
• List the personal information that is going to be collected if there is consent;
• Include a hyperlink to your privacy policy;
• State how the parent can grant verifiable parental consent; and
• State that if the parent does not provide consent within a reasonable amount of
time, then you will delete the parent’s online contact information.
2. If the notice is to provide a parent with information about the child’s
online activities and does not involve personal information
collection, then:
• State that you have collected the parent’s online contact information from the
child, and that it is used to obtain the parent’s consent;
• State that the parent’s online contact information will not be used or disclosed for
any other purpose;
• State that the parent can prevent the child from using the app and may require
you to delete the online contact information, and how the parent can do so, and
• Include a hyperlink to your privacy policy.
How to send a notice?
Based on section 312.4 (b) of the amended Rule, you must make
reasonable efforts, taking into consideration the available technology, to
ensure that a parent or child receives the direct notice.
There is no absolute standard about what counts as a proper way to
send a direct notice, and you need to make your own decision based
on the available technology and information.
For example:
Obtain verifiable parental consent from parents
• Existing approved verifiable parental consent
methods
• Alternative “Email-plus” method
Existing approved verifiable parental consent
• Provide consent through mail or fax;
• Provide information about a credit card or a debit card;
• Call a toll-free telephone number;
• Send consent via video-conference;
• Check a government-issued identification.
Alternative “Email-plus” method
If you will only use the personal information for internal purposes, then
you can use the next two steps:
First, send an email to the child’s parent, and the parent can give
consent in a reply email.
Second, after receiving the email consent, you need to either (1) make
a confirmation phone call, fax or letter to the parent; or (2) send a
confirmation message via the parent’s online contact information within
a reasonable amount of time.
Provide sufficient security for collected personal information
• COPPA requires developers to establish and maintain reasonable
procedures to protect the confidentiality, security, and integrity of
personal information collected from children.
• If there is an industry security standard, FOLLOW IT!
For example:
Allow parents to review collected information
• Based on section 312.6 of the COPPA Rule, upon a parent’s
request, the developer must grant the parent access to the collected
personal information.
For example:
For more detailed information, please see:
Famigo’s “COPPA for Newbies” blog series:
• http://www.famigo.com/blog/2013/09/coppa-for-newbies-your-privacy-policy/
• http://www.famigo.com/blog/2013/08/coppa-for-newbies-who-is-covered-by-this-rule/
• http://www.famigo.com/blog/?p=3653
• http://www.famigo.com/blog/2013/10/coppa-for-newbies-what-do-we-need-to-get-from-the-parents/