The Seven Biggest Myths Of COPPA: Guidance For Advertisers

Keller & Heckman

United States

The Federal Trade Commission ("FTC") recently issued regulations implementing the Children’s Online Privacy Protection Act ("COPPA"), effective on April 21, 2000, 64 Fed. Reg. 59888 (Nov. 3, 1999). COPPA, enacted in 1998, requires commercial web site operators to post a notice of their privacy policies as to personal information ("PI") collected from children, requires separate e-mail notices to parents in some circumstances, and requires the operator to obtain "verifiable parental consent" ("VPC") if it plans to transfer PI to third parties, allow for public postings in message boards or chat rooms, provide e-mail accounts or homepages for children, or contact the child offline. Many misperceptions continue to exist about the law and how it applies to online activities. Here are the seven biggest myths of COPPA.

Myth #1. I Don’t Have To Worry Because I Read That The Children’s Privacy Law Is Unconstitutional.

Sorry. Wrong children’s privacy law. The United States Court of Appeals for the Third Circuit on June 22 upheld the issuance of an injunction to prevent enforcement of the Children’s Online Privacy Act ("COPA"). COPA is the successor to the Communications Decency Act (CDA), which was previously found to be unconstitutional. Reno v. American Civ. Liberties Union ("ACLU v. Reno I"), 521 U.S. 844 (1997), aff’g 949 F.Supp. § 24 (E.D. Pa. 1996). This law prohibits an individual or entity from "knowingly" communicating "for commercial purposes" material deemed "harmful to minors." 47 U.S.C. § 231(a)(1). As noted above, the Third Circuit in ACLU v. Reno II (No. 99-1324) has concluded that COPA also violates the First Amendment. Congress unfortunately chose two rather similar titles for two very dissimilar laws. Don’t be fooled. The constitutionality of COPPA has not been challenged, and the law is in effect. In fact, the FTC initiated its first enforcement action under COPPA in July in connection with other privacy violations with which it charged failed e-tailer ToySmart.

Myth #2. My Web Design Expert, Ad Agency And Contest Firms Will Look Out For Me.

Under COPPA, the site operator – not the web designer, not the ad agency, not the firms developing or administering contests and sweepstakes for you, not the web host, and not the ISP – is responsible for compliance. The buck stops with you. While it is certainly advisable to ask about their knowledge base, and to include in written agreements representations and warranties mandating COPPA compliance in the activities which they undertake for you, relying solely on the compliance efforts of outside third parties is ill-advised. There remains an astonishingly limited amount of awareness not only of the specific requirements of COPPA, but of how to comply most easily. Consequently, consider involving your advertising and promotional agencies, web designers and other consultants in your own privacy training programs as needed to be sure there are no lapses. And, make sure that sweepstakes and contest entry areas and rules are consistent with your privacy policy for adults and COPPA requirements on PI collected from children under 13.

Myth #3. I Can’t Do Anything Interactive With Kids Under 13 Unless I Get Written Parental Consent.

COPPA does include some important exceptions that allow for limited information collection from children at a web site. One is the "one time only request" exception. Commercial web sites may respond to an online request from a child with an online response. That means that you can respond online to homework help requests, and answer questions – even multiple questions – so long as you only use PI (including the child’s e-mail address) to respond to the question online, and do not retain it or use it for another purpose. Be careful, however, to remember that the interaction must be confined to the online medium. You cannot ask a child to provide a home address for the purpose of sending a packet of homework help materials to the child’s home without getting verifiable parental consent, a problematic quirk in the law that creates an artificial distinction between the online and offline methods of responding to requests of young consumers. (You may, however, provide an 800 contact number. Since COPPA only applies to online data collection, you may collect the home address by phone for the purpose of sending the homework help packet described above, but must avoid combining information collected online with that collected offline.)

E-cards fall under the same exception. So long as all PI of both the sender and the recipient is promptly deleted, sites may continue to offer visitors the opportunity to send e-cards under the one-time exemption.

Another important exception involves the "multiple online contact" exception. The web site operator may collect the child’s e-mail address for the purpose of adding the child to an e-mail newsletter list, or entering the child into a contest, so long as the child is asked to provide a separate e-mail address to the parent. The site must promptly send a separate notice to the parent in a form specified by COPPA outlining how data will be collected and used before making any additional contact with the child. The site may use the PI collected for the purpose(s) specified in the notice unless the parent opts the child out.

There are also ways to offer children opportunities to participate in message board postings by setting up systems where messages are screened and stripped of PI before posting. This approach can be facilitated by using blocking software that blocks e-mail addresses by eliminating text after the "@" sign. While not totally fool-proof (a child could still include PI in the text of a message), it is relatively rare that a child will include full online or offline contact information in a posting. Similarly, sites may offer moderated chat rooms (with a time delay) in which participants’ messages are selectively posted by the moderator to ensure that they do not include PI. This method may be particularly appealing for themed or "celebrity guest chats" with a large audience in order to minimize redundancy of comments and questions.
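The screening step described above, as an added example that is not from the article: it removes e-mail addresses from a post and, because address stripping alone misses PI written into the message text, holds posts that still look like they carry contact details for a moderator. The function name, the patterns and the sample posts in the test are constructed for illustration, and the e-mail pattern removes the whole address rather than only the text after the "@" sign.

```javascript
// Added example: screen a message-board post before it is published.
// Pattern choices are illustrative assumptions, not a complete PI detector.

// Local part, the "@" sign and whatever domain text follows it.
const EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]*/g;

// Things address stripping cannot catch; any hit sends the post to a human.
const HOLD_PATTERNS = [
  { why: "phone-like number", re: /(?:\d[\s().-]?){7,}/ },
  { why: "obfuscated e-mail",
    re: /\b\S+\s*(?:\(at\)|\[at\]|\sat\s)\s*\S+\s*(?:\(dot\)|\[dot\]|\sdot\s)/i },
  { why: "street address",
    re: /\b\d{1,5}\s+\w+(?:\s\w+)?\s(?:street|st|avenue|ave|road|rd|drive|dr|lane|ln)\b/i },
];

// Returns the text that may be shown and what to do with it.
// The original, unredacted text is never returned, so callers cannot
// store or display it by accident.
function screenPost(text) {
  const redacted = text.replace(EMAIL, "[e-mail removed]");
  const reasons = HOLD_PATTERNS
    .filter((p) => p.re.test(redacted))
    .map((p) => p.why);
  return {
    text: redacted,
    action: reasons.length > 0 ? "hold_for_moderator" : "publish",
    reasons,
  };
}
```

A held post should reach the moderator queue in its redacted form only, so the stripped address is not retained anywhere.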

Myth #4. I’m A General Interest Site, Or A Teen (Over 13) Site, So I Don’t Have To Worry, Plus I Already Have A Privacy Policy At The Site.

Sites or areas of sites "directed at children under 13" by virtue of their content are covered by COPPA, as are sites which "knowingly" collect PI from children under 13. Having a privacy policy is always desirable and recommended, but if you are a commercial website and offer a "kid’s corner," a "fun area," or special features clearly designed to appeal to younger children, you are covered by COPPA. If you’re covered by COPPA, your privacy notice (or a separate privacy statement in your kids’ area focusing on your policies as to children) must include the specific elements required under the regulations. On the other hand, if you do not offer any content directed at younger children, you are not subject to COPPA, unless you "know" you are dealing with someone under 13. Knowledge can be inferred through certain activities at the site.

Consider this in the context of a registration area of a website, for example. The site may post a notice or disclaimer to the effect of "Sorry. Must be 13 or older to register." So far, so good. But then, in the registration area, the site collects detailed information about the visitor, including information on age ranges (e.g., 6-12, 13-18, etc.), or school (e.g., elementary school, junior high, etc.). Once the visitor fills out information that allows the site to identify that particular individual as a child under 13, the site now has "knowledge" that it is dealing with someone covered under COPPA, and must comply with the requirements of COPPA. The same is true of a site which offers chat or message board areas where a child posts a message like this one: "Hi, I’m Pete Smith. I’m 12 and I collect toy cars," if it is connected with a personal identifier, like the child’s e-mail address, that allows others to contact the child online. The scope of this obligation (e.g., whether the site may simply delete the child’s PI from its system, or whether the site must make a good faith effort to contact a parent and notify them of the situation) is not yet clear.

Myth #5. I Don’t Have To Worry About COPPA. I Just Tell Kids They Have To Be 13 Or Older To Enter The Site Or Use Certain Features Of The Site.

Age-screening as a technique to avoid COPPA compliance obligations won’t work if the site is one which, by virtue of its content, is "directed to children under 13." The FTC staff has stated that among the factors they will consider in determining whether a general interest site includes a portion targeted to children are: the use of animated characters, child oriented activities and incentives, and evidence regarding the audience composition. So merely stating that an area is not directed at kids in the registration area or privacy policy may not be enough if a significant portion of your site traffic is composed of children. For general interest and teen-oriented sites, however, age-screening is an appropriate and useful technique. Companies are adopting good-faith techniques to prevent younger children from entering areas or engaging in features of a website that are either unsuitable for them or for which the site is unprepared to take on COPPA responsibilities. Again, if a feature (like a sweepstakes or contest) might appeal to both those under and over 13, absent a showing that the promotion is largely directed at the younger crowd, age-screening to prevent the collection of PI from younger children is appropriate. Many promotions now include rules requiring entrants to state that they are 13 or over, and specify that those determined to be under 13 are automatically disqualified as an added measure to prevent those under 13 from signing up.

There is a very fine line, however, between appropriate age-screening and invitations to children to lie about their age which are likely to draw the attention of regulators. Sites which say, "Make sure you tell us you’re over 13," might be viewed to cross that line.

Since COPPA obligations are triggered upon collection of PI, one important point to consider in setting up age-screening mechanisms is to ask about age before you collect other PI (including e-mail address, full name and home address, etc.). Consider using the prompt about age ("Must be 13 or older to enter our chat room") before allowing visitors, especially on "tweener" sites, to register or enter chat or message board areas. Once the visitor enters, a conservative approach is to ask about age first before collecting any other PI. If the child provides information indicating she is under 13, an automatic message can pop up indicating that the child is ineligible. To prevent the child from lying about her age and entering the forbidden area, temporary cookies can be set to prevent the individual who is known to be under 13 (but for whom you have no other PI) from reentering the registration area and providing a false age or birthdate. This is an example of an effective and useful way that cookies can be used to actually avoid collecting PI. (The technique, however, creates new problems in that other members of the same household using the same computer who are over 13 will also be blocked from visiting the site.)
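The ordering described above, as an added example that is not from the article: the first registration step reads a birthdate and nothing else, and an under-13 answer sets a temporary cookie that holds only a flag. The cookie name, its 24-hour lifetime and the step names are assumptions made for the sketch.

```javascript
// Added example: age screen that runs before any other PI is requested.
const MIN_AGE = 13;
const BLOCK_COOKIE = "age_gate";      // hypothetical cookie name
const BLOCK_SECONDS = 24 * 60 * 60;   // "temporary" is assumed to mean 24 hours

// Parse a Cookie request header into a plain object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Whole years between a birthdate and today (both UTC).
function ageOn(birth, today) {
  let age = today.getUTCFullYear() - birth.getUTCFullYear();
  const m = today.getUTCMonth() - birth.getUTCMonth();
  if (m < 0 || (m === 0 && today.getUTCDate() < birth.getUTCDate())) age--;
  return age;
}

// Step 1 of registration. Only form.birthdate is read; any other submitted
// field is ignored, and nothing is written to storage in this step.
function ageGate(cookieHeader, form, today) {
  // A visitor already screened out is refused before the form is looked at,
  // so a second attempt with a different birthdate has no effect.
  if (parseCookies(cookieHeader)[BLOCK_COOKIE] === "blocked") {
    return { next: "ineligible", setCookie: null };
  }
  const raw = form.birthdate || "";
  const birth = new Date(raw + "T00:00:00Z");
  if (!/^\d{4}-\d{2}-\d{2}$/.test(raw) || Number.isNaN(birth.getTime()) || birth > today) {
    return { next: "ask_age_again", setCookie: null };
  }
  if (ageOn(birth, today) < MIN_AGE) {
    // The cookie carries a flag only: no birthdate, name or e-mail address.
    const cookie = `${BLOCK_COOKIE}=blocked; Max-Age=${BLOCK_SECONDS}; ` +
      "Path=/; HttpOnly; Secure; SameSite=Lax";
    return { next: "ineligible", setCookie: cookie };
  }
  return { next: "collect_registration_details", setCookie: null };
}
```

A short `Max-Age` limits how long other members of the household on the same computer stay blocked, which is the side effect noted above.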

Myth #6. There Are Simple Online Ways That I Can Use To Get Parental Consent.

COPPA does allow sites to select from a variety of means to obtain "verifiable parental consent" as defined in the rules. Credit cards can be used, but only in connection with a transaction. Most sites, particularly advertiser-supported sites, do not charge a fee to register, so this option is limited in practice. Toll free telephone numbers staffed by trained personnel are also an option under the rule, but are time-intensive and costly for companies. Digital certificates using public key technology offer promise, but aren’t widely accepted yet. And e-mail accompanied by a PIN or password obtained through another verification method ends up being cumbersome. Consequently, sites that are directed to children under 13 and that offer features requiring VPC are generally sticking to the tried and true "snail mail" methods, namely, mail and fax permission forms. Forms can be posted online and printed by the visitor, so long as they are sent back using traditional methods.

The rule does specify that for a two-year period, or until April 21, 2002, sites may obtain VPC, for the sole purpose of internal marketing by that site, by use of e-mail "plus." This requires an initial e-mail notice to a parent (at the parent’s separate e-mail address), coupled with additional steps (like sending a confirmatory e-mail to the parent or obtaining a postal address or telephone number from the parent and confirming the parent’s consent by letter or telephone call, along with notice that consent can be revoked at any time) to provide assurances that the parent actually consents. Discussions with the FTC staff indicate that they are looking for more than just two simple e-mail notices to the parent to qualify for this approach.

Myth #7. I Better Put Extensive Language About COPPA In My Linking And Co-Branding Agreements To Protect Myself.

It certainly is prudent to address legal compliance issues in all of your contracts. Privacy in general, and children’s privacy in particular, are no exception. COPPA, however, explicitly provides that linking alone doesn’t create COPPA obligations for a site, so you should be careful to avoid actually assuming COPPA obligations in such agreements. Children’s sites are not prohibited from linking to general interest sites by COPPA. Each site, then, must examine its own offerings and determine the scope of COPPA obligations, if any. Special attention should be paid, however, to linking arrangements where you are establishing microsites for the purpose of running a sweepstakes or contest. While sharing aggregate user data is not a problem, the information collection practices could be at issue, and it is prudent to specify that the site is collecting PI only to provide technical and fulfillment services to the site operator. Sites which provide technical and fulfillment services to the site operator may access and use PI for the sole purpose of fulfilling their obligations, and VPC is not required for transfers between such entities and the site operator under COPPA.

Conclusion

Compliance with COPPA isn’t easy, but it’s not impossible. Demystifying what’s involved is the first step to a broader understanding of fair online information collection when younger children are concerned.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
