1. Old COPPA, New COPPA
“Get Out of Jail Free”
500 Startups – MamaBear Conference
Presented by Shai Samet
May 10, 2013
CONFIDENTIAL AND PROPRIETARY TO SAMET PRIVACY
MUST NOT BE SHARED WITHOUT PERMISSION
2. Basic COPPA equation
CONFIDENTIAL AND PROPRIETARY TO SAMET PRIVACY
MUST NOT BE SHARED WITHOUT PERMISSION
2
personal
information
collected from
child under 13
via the web
(site, app, tablet, etc.)
Verifiable Parental Consent
(plus other requirements)
3. User acquisition costs
(kidSAFE survey – Jan 2013)
CONFIDENTIAL AND PROPRIETARY TO SAMET PRIVACY
MUST NOT BE SHARED WITHOUT PERMISSION
3
Companies polled: AOL, Fantage, Gaia Online, Highlights for Kids, Pearson, TBS, WebKinz, many others
4. Penalties for non-compliance
• Up to $16,000 per violation
• Over 20 FTC lawsuits and $8.4 million in fines since 2000
• Recent fines for COPPA violations:
– Path (app developer) – $800,000
– Artist Arena (various music artist sites) – $1,000,000
– RockYou (social game site) – $250,000
– Disney’s Playdom (for violations by acquired company) – $3,000,000
CONFIDENTIAL AND PROPRIETARY TO SAMET PRIVACY
MUST NOT BE SHARED WITHOUT PERMISSION
4
5. Old COPPA vs. New COPPA
CONFIDENTIAL AND PROPRIETARY TO SAMET PRIVACY
MUST NOT BE SHARED WITHOUT PERMISSION
6. Key information and features
regulated under new COPPA
CONFIDENTIAL AND PROPRIETARY TO SAMET PRIVACY
MUST NOT BE SHARED WITHOUT PERMISSION
6
CONTACT INFO
First and Last Name
Home/mailing address
Email address
Phone numbers
Social Security Number
“personal information”
SCREEN/USER NAME
“personal” in some scenarios
(email, AIM, Skype name, etc.)
THIRD PARTY PLUG-INS
Integration with no VPC
means strict liability
GEOLOCATION
“personal” unless location is
not detailed enough
BEHAVIORAL ADS/PROFILES
“personal” if tracking across
multiple services & over time
PHOTOS, VIDEOS, AUDIO
“personal” if contains
image or voice of child
7. Photos, videos, audio files
(SnapChat, Faces iMake illustrations)
CONFIDENTIAL AND PROPRIETARY TO SAMET PRIVACY
MUST NOT BE SHARED WITHOUT PERMISSION
7
temporary viewing by others = “collection/disclosure”
faces alone (with no other PI) = VPC
9. Behavioral ads and social plugins
(WebKinz, NeoPets illustrations)
CONFIDENTIAL AND PROPRIETARY TO SAMET PRIVACY
MUST NOT BE SHARED WITHOUT PERMISSION
9
Behavioral ads no more (contextual ads OK)
FB Connect needs VPC (link to fan page OK)
11. Current options for parental consent
Method Providers Limitations
• Email Plus consent
Internally-
implemented
• Requires parent to activate via email comm’s
• Not sufficient if info will be shared/publicized
• Signed consent form N/A
• Manual
• Requires access to printer and scanner/fax
• Not mobile friendly
Monetary transaction
Payment
processors
• Requires credit card entry and payment
• Payment via PayPal also sufficient
• [Collection of iTunes password not sufficient]
• Phone call or video
conference
N/A
• Manual
• Requires live and trained personnel
• Video-conference requires device with camera
• Govt-issued ID Various
• Requires sharing of highly-sensitive information
• Not ideal for foreign users
CONFIDENTIAL AND PROPRIETARY TO SAMET PRIVACY
MUST NOT BE SHARED WITHOUT PERMISSION
11
12. CONFIDENTIAL AND PROPRIETARY TO SAMET PRIVACY
MUST NOT BE SHARED WITHOUT PERMISSION
12
Likelihood of industry adoption
(kidSAFE survey – Jan 2013)
13. Penalties for non-compliance
(just a reminder)
• Up to $16,000 per violation
• Over 20 FTC lawsuits and $8.4 million in fines since 2000
• Recent fines for COPPA violations:
– Path (app developer) – $800,000
– Artist Arena (various music artist sites) – $1,000,000
– RockYou (social game site) – $250,000
– Disney’s Playdom (for violations by acquired company) – $3,000,000
CONFIDENTIAL AND PROPRIETARY TO SAMET PRIVACY
MUST NOT BE SHARED WITHOUT PERMISSION
13
14. Considerations for Startups and Investors
CONFIDENTIAL AND PROPRIETARY TO SAMET PRIVACY
MUST NOT BE SHARED WITHOUT PERMISSION
15. Scaling user growth
(COPPA techniques and loopholes)
• Anonymize child-directed features
– Limit sign-up process to anonymous info (username, password, etc.)
– For interactive features (chat, UGC), filter on the back-end to avoid upfront consent requirement
– For mobile features (geo-location, photos), keep data local to the device (do not upload/share)
– Utilize COPPA’s parental consent exceptions for other features
• Direct your account sign-up process to older users (when allowed)
– If kids under 13 not your “primary audience”, you can limit registration to users 13 and older
– On sites/apps directed to preschoolers, collect registration info from parents/adults
– Put behavioral ads and social plug-ins behind special parents section (or 13+ section)
• When parental consent is required, use least burdensome method
– Avoid collection of payment solely for consent purposes
– Avoid collection of govt-issued ID (last 4 of SSN, driver’s license)
– Consider email-based consent as first option
CONFIDENTIAL AND PROPRIETARY TO SAMET PRIVACY
MUST NOT BE SHARED WITHOUT PERMISSION
15
17. Parent lock for social features
(StoryBots, TocaBoca app illustrations)
CONFIDENTIAL AND PROPRIETARY TO SAMET PRIVACY
MUST NOT BE SHARED WITHOUT PERMISSION
17
Math problem before access to web or social sharing features
Swipe to access parents section or apps for sale
18. Most viable revenue streams
(under new COPPA)
• E-commerce and retail (tied to compelling content or experience)
– Virtual goods, subscriptions, premium content/features (e.g., Wizard 101)
– Game/app downloads, in-app purchases (e.g., Minecraft, Toca Boca)
– Tablets, toys, offline merchandise (e.g., Nabi, Skylanders, Moshi Monsters)
– Brands/stories with TV or licensing potential
• Contextual ads
– Display, text, or video ads (all OK)
– NOT behaviorally-targeted or retargeted ads
• NOT models dependent heavily on social sharing/connections
– Hard to scale with current COPPA restrictions
CONFIDENTIAL AND PROPRIETARY TO SAMET PRIVACY
MUST NOT BE SHARED WITHOUT PERMISSION
18
19. Distribution ideas
• Kid-directed platforms
– Popular gaming portals (e.g., Miniclip)
– Kids’ tablets (e.g., nabi, Kurio)
– Other curated environments (e.g., Zui.com, Magic Desktop)
• Schools
– For properties with educational, nutritional, or creative utility (e.g., myNutratek, Minecraft)
– Schools/teachers can provide consent in lieu of parents
• Participation in kidSAFE
– Get noticed by users visiting our site from other popular sites/properties
– Reach our growing database of parents
CONFIDENTIAL AND PROPRIETARY TO SAMET PRIVACY
MUST NOT BE SHARED WITHOUT PERMISSION
19
20. CONFIDENTIAL AND PROPRIETARY TO SAMET PRIVACY
MUST NOT BE SHARED WITHOUT PERMISSION
20
About kidSAFE Seal Program
• Leading safety “seal of approval” program
– Certifying kid-directed sites, apps, software, tablets, and other technologies – GLOBALLY
– Over 100 seal holders since public launch in April 2012
– Fast becoming the industry standard for “online safety”
• kidSAFE+ membership offers full COPPA audit
– Qualifiers receive prestigious kidSAFE+ Seal and many other benefits
– Application for FTC approval coming soon
• Business-friendly, responsive, and highly knowledgeable
– Founder is former attorney and long-time COPPA expert
• For more info, visit kidsafeseal.com or email shai@kidsafeseal.com
21. Some of our customers
WEBANDPC
CONFIDENTIAL AND PROPRIETARY TO SAMET PRIVACY
MUST NOT BE SHARED WITHOUT PERMISSION
21
MOBILE
Collectively, these few sites alone account for over 15M unique visitors a month in the US alone (Source: Compete.com)
22. Questions?
(happy to share the deck)
CONFIDENTIAL AND PROPRIETARY TO SAMET PRIVACY
MUST NOT BE SHARED WITHOUT PERMISSION
Upcoming kidSAFE Webinar on COPPA – May 30, 2013
(featuring open Q&A session with the FTC)
REGISTER HERE
