
Complying With The Children's Online Privacy Protection Act

By: STEVEN E. HELLAND

Spring 2001

Karen DeMars is president of eCrush.com, a teen romance website. Despite a flood of complaints from angry youngsters, DeMars says she will continue to block children under 13 from using eCrush.com for fear of violating the Children's Online Privacy Protection Act ("COPPA").

Because of COPPA's complexity and the cost of compliance, kids aren't the only ones complaining about its harsh consequences. Two economic think tanks recently named the COPPA regulations to their list of the "10 Worst Regulations of 2000."

Who is Covered?

A commercial website must comply with COPPA if it

  • is directed towards children under thirteen and collects personal information, or

  • is a general interest website and has actual knowledge that it collects information from children under thirteen.

The Federal Trade Commission (FTC), which enforces COPPA, considers a variety of factors in deciding whether a website is "directed towards children." These include subject matter, visual or audio content, the age of models on the site, animation, and products advertised on the site.

Even if a website is directed towards children, it does not have to comply with COPPA if it does not collect such personal information as a child's full name, email address, telephone number or street address.

Requirements for Covered Websites

COPPA imposes four primary requirements on covered websites:

  • First, covered websites must post a privacy policy with a link on the home page and at each area where personal information is collected. The privacy policy link should be "prominent," and stand out from other links on the page. The policy must describe the website operator's contact information, the kinds of information collected, how the information is used, and whether the information is disclosed to third parties. In addition, the policy must inform parents of certain rights, such as the right to review information submitted by their child.

  • Second, before collecting personal information from a child, a covered website must send a notice to the child's parents or guardian by email, letter, or some other direct and personalized method. The required notice must inform the parent or guardian that the website wishes to collect personal information from his or her child, and that parental consent is required. The notice must also describe the same information contained in the privacy policy.

  • Third, before collecting any personal information from a child, the site operator must obtain "verifiable parental consent." The FTC does not mandate any particular method of obtaining parental consent, and acceptable methods include sending a letter for the parents to sign and return or a telephone call by a trained operator. Under certain circumstances parental consent can be obtained by email.

  • Fourth, once the website begins to collect personal information, the child's parents must have access to the personal information submitted by their child. In addition, the parent must be able to revoke their consent and may require the website operator to delete the personal information collected about their child.

Compliance Strategies

Due to the individualized and labor-intensive nature of the parental notification, consent and access requirements, complying with COPPA is very expensive. A common estimate of the cost is $50,000 - $100,000 per year, or $5 per child.

The overwhelming industry trend is to revise websites and business practices to avoid triggering the COPPA requirements. Specific strategies include:

  • Prohibit users under 13 from using the website (the eCrush approach).

  • Eliminate registration questions that indicate age, such as date of birth or grade (for general interest websites).

  • Collect personal information off-line (COPPA applies only to personal information collected over the Internet).

  • Eliminate chat rooms or other areas in which a child could disclose personal information.

Although the FTC insists that the intent of COPPA is not to limit children's access to Internet content, the substantial costs inevitably trigger that result. Even well-funded websites, such as those operated by Disney and Nickelodeon, now block young users from some or all portions of their sites. Privacy remains a hot political issue, and new and more sweeping legislation is a virtual certainty.