An introduction for the online marketer

1. COPPA Legal Compliance and Restrictions. An introduction for the online marketer Not to be considered legal advice. Please consult your legal counsel for further details.

2. I ANAL

3. IAmNotALawyer

4. Definitions COPPA. Child Online Privacy Protection Act COPPR. Child Online Privacy Protection Rule COPA. Child Online Protection Act

5. Definitions The primary goal of COPPA and the Rule is to place parents in control over what information is collected from their young children online. The Rule was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. The Rule applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.

6. What do we have to do?

7. Post a clear and comprehensive privacy policy on the website describing their information practices for children’s personal information; 1.

8. Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children; 2.

9. Giving parents the option to consent to the collection and internal use of their children's personal information without consenting to the disclosure of that information to third parties; 3.

10. Provide parents access to their child’s personal information to review and/or have the information deleted; 4.

11. Give parents the opportunity to prevent further use or online collection of a child’s personal information; 5.

12. Maintain the confidentiality, security, and integrity of information they collect from children. 6.

13. 1. Privacy Policy Post a privacy policy on the homepage of the website and link to the privacy policy everywhere personal information is collected. The Rule requires that a link to the privacy policy be posted clearly and prominently on your home page and at each area where personal information is collected. 16 C.F.R. § 312.4(b).

14. 1. Privacy Policy Information that counts as “personal”. a first and last name; a home or other physical address including street name and name of a city or town; (C) an e-mail address; (D) a telephone number; (E) a Social Security number;s (F) any other identifier that the Commission determines permits the physical or online contacting of a specific individual; or (G) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph.

15. 1. Privacy Policy The PP must include name, address, telephone number, and email address of each operator collecting or maintaining personal information from children through your site; the types of personal information collected from children and whether it is collected actively or passively; how such personal information is or may be used; whether such personal information is disclosed to third parties. 16 C.F.R. § 312.4(b)(2).

16. 1. Privacy Policy “Cookies,” “GUIDs,” “IP addresses,” or other passive information collection means must be included if they are tied to personally identifiable information. 16 C.F.R. § 312.2.

17. 2. Direct Notice We need consent from parents of children under 13. There are two levels of consent required. One for PII that will be used with third parties or systems that make the information available to people outside of the website operators and another level for internal website operators.

18. 2. Direct Notice Approved methods to gain consent from parents for usage of PII with third parties: Provide a form for the parent to print, fill out, sign, and mail or fax back to you (the “print-and-send” method); Require the parent to use a credit card in connection with a transaction (which could consist of a membership or subscription fee, a purchase, or a charge to cover the cost of processing the credit card). Maintain a toll-free telephone number staffed by trained personnel for parents to call in their consent; Obtain consent through an email from the parent, if that email contains a digital signature, or other digital certificate that uses public key technology obtained through one of the above methods.

19. 2. Direct Notice Approved methods to gain consent from parents for usage of PII for Internal usage - “Email plus”: Requesting in your initial email seeking consent that the parent include a phone or fax number or mailing address in the reply email, so that you can follow up to confirm consent via telephone, fax, or postal mail; or After a reasonable time delay, sending another email to the parent to confirm consent. In this confirmatory email, you should include all the original information contained in the direct notice, inform the parent that he or she can revoke the consent, and inform the parent how to revoke the consent.

20. 3. Scope of consent Approval for collection of PII for internal use should not automatically include or imply approval for external usage. “An operator is prohibited from conditioning a child’s participation in a game, the offering of a prize, or another activity on the child’s disclosing more information than is reasonably necessary to participate in such activity.”. Section 312.7

21. 4. Access of data Access should be on demand but the operator is not liable for keeping all records that have been created. If data has been deleted the operator is not in breach of the CFR. The format of the data isn’t specified by the act.

22. 5. Revocation of Permissions Parents can revoke their children's participation and the site operator is responsible for baring the child from their site using reasonable measures.

23. 6. Data Retention Policy Web site data owners must take reasonable precautions to secure the data of minors using their service.

24. Exceptions There are sui generis exceptions to the CFR requirements for site operators.

25. Silver bullets We can request an email address for notification of a competition entry or content personalization. If contact needs to be made more than once or another piece of unique information needs to be paired with the email address standard Direct Notice procedure must be enforced.

27. One time support request and the email address is deleted immediately

28. If the safety of the individual is at risk

30. Avoiding COPPA? Offer activities that do not require the collection or disclosure of personal information; Use screen names or other anonymous techniques to personalize the site; Limit the amount of personal information collected

31. Gotchas “Keep in mind that "COPPA compliant" does not only apply to websites that are intended for audiences under 13 years of age. All websites are required to have in place mechanisms for dealing with users who are known to be minors.” –Sol Irvine, Partner at Yuson & Irvine

32. Gotchas “This isn’t don’t ask-don’t tell. If incompliant data is there: delete it” –Anonymous

33. Gotchas Age gates should not “lead” the user to inputting their age as older than 13. Even if they are older. The site should provide a neutral approach where a visitor input’s their year of birth rather than hitting a check box that they are older than 13.

34. Gotchas Look at OpenID for managed Direct Notice consent. http://openidforkids.com/

35. Gotchas The IAB and DMA are lobbying for amendments of the COPPA act to allow ad servers more behavioral targeting privileges for kids thanks to Illinois’ Bobby Rush. “[…] the requirement to obtain verifiable consent from parents may also have impacted the ability of our members to provide innovative offerings to children.”

36. Gotchas The IAB and DMA are lobbying for amendments of the COPPA act to allow ad servers more behavioral targeting privileges for kids thanks to Illinois’ Bobby Rush. “[…] the requirement to obtain verifiable consent from parents may also have impacted the ability of our members to provide innovative offerings to children.”

37. Gotchas “These ad networks have no way of knowing whether a website is being accessed by a child under the age of 13 or an adult, since such ad networks are not the website operator. If the definition of ‘personal information’ were expanded to include anonymous data obtained through behavioral advertising, third parties would be forced to collect individually identifiable information about the user in order to effectuate the verifiable parental consent notice requirements.”

38. Gotchas “Unlike their predecessors from over a decade ago, today’s teenagers are what are known as “digital natives” – people for whom digital technologies such as computers, the Internet, and mobile phones have always been available.” Michael Zaneis Vice President of Public Policy Interactive Advertising Bureau

39. Gotchas CLEAR Ad Notice Technical Specifications

40. Gotchas

41. Gotchas What’s a website? (i) a home page of a website; (ii) a pen pal service; (iii) an electronic mail service; (iv) a message board; or (v) a chat room.

42. Examples of good policies http://www.clubpenguin.com/terms.htm http://www.nick.com/info/privacy-policy.html http://www.neopets.com/privacy.phtml

43. Examples of what can go wrong

44. Xanga “You must check the box below to certify that you are at least 13 years old” Other bio fields of the users profile contained birth dates younger than 13. 2006.

45. Lil’ Romeo Defendant has not disclosed it’s information practices including what information it has already collected from child and it’s intended uses of such information. Automatically registered parents consent on privacy policy click through. 2002

46. Toysmart “Personal information, voluntarily submitted by visitors to our site, such as name, address, billing information and shopping preferences, is never shared with a third party. When you register with toysmart.com, you can rest assured that your information will never be shared with a third party.” They sold it. 2001.

47. Toysmart Children who entered dates of both indicating that they were under 13 years old were freely available to register on Sony Music’s websites; they were neither restricted from participating, nor did Sony Music use cookies to assure that any restriction persisted. 2000

48. Imbee “The web's first and premier social networking 'mega-platform' for kids between the ages of 8 - 14. It's a cool, safe and fun environment: […]” The direct notice emailed to parents failed to disclose that imbee.com already had a collected a child’s full name, DOB, child's email address, gender and a username and password prior to sending the notice to parents. 2008

49. Hershey’s Hershey’s Candy of the month club provided a parents consent form for participation to collect private information. At the bottom of the form there was a box labeled “Click here to consent” which took the visitor directly to the reg form. No measures to review collected data. 2000

50. FTC contact 1-(877) FTC-HELP - General enquires (202) 326-3140 - Specific enquires

51. Appendix: Research links http://www.ftc.gov/privacy/coppafaqs.shtm http://business.ftc.gov/privacy-and-security/children%E2%80%99s-online-privacy http://business.ftc.gov/documents/bus45-how-comply-childrens-online-privacy-protection-rule http://www.philadelphiafed.org/bank-resources/publications/compliance-corner/2003/fourth-quarter/q4cc1_03.cfm http://www.ftc.gov/privacy/coppafaqs.shtm http://business.ftc.gov/legal-resources/30/35 http://www.zephoria.org/thoughts/archives/2010/06/10/how-coppa-fails-parents-educators-youth.html http://www.quora.com/What-are-good-examples-of-COPPA-compliant-web-sites http://blogs.wsj.com/digits/2010/09/17/understanding-the-childrens-online-privacy-protection-act/ http://www.ftc.gov/ogc/coppa1.htm http://www.slideshare.net/dsims/coppa-and-you http://www.the-dma.org/privacy/HowtoComplywithCOPPA-PDFVersion.pdf http://www.iab.net/wiki/index.php/COPPA http://www.google.com/url?sa=t&source=web&cd=3&ved=0CCAQFjAC&url=http%3A%2F%2Fwww.iab.net%2Fmedia%2Ffile%2FAugust_Legislative_Update.docx&rct=j&q=iab%20coppa&ei=XrasTcT0MJCosQPo2-zJCQ&usg=AFQjCNERkcWncVC4Wv8tX4xyMOtrC77MgA&cad=rja http://www.advertisinglawblog.com/2010/08/ftc-in-ongoing-review-of-coppa.shtml http://www.iab.net/media/file/DC1DOCS1-%23400330-v1-Comments_-_COPPA_Rule_Review_P104503.PDF http://www.scribd.com/doc/15610373/IAB-Document-on-Best-Practices-in-Social-Advertising http://info.yahoo.com/privacy/us/yahoo/attandyahoo/adchoices.html http://www.iab.net/clear