Skip to main content

What the Heck is COPPA?

COPPA stands for the "Children's Online Privacy Protection Act," enacted in 1998 to limit the collection of personally identifiable information from kids 13 and under without their parents' consent.  The Act is starting to grow a few grey hairs, and is up for comment and possible revision right now (the public comment period closes at the end of June).
While COPPA only applies directly to sites targeted at kids 13 and under, its provisions can cover a wide array of non-kid oriented sites if they knowingly collect information from kids.  That's why so many sites shrug and say, "ok, then we just won't allow kids to register."  One of the unintended consequences of COPPA has been to limit kids' access to sites that would be perfectly ok for them, because of (possibly justifiable) paranoia on the part of site operators.

How Could this Affect Me?

The FTC recently held a public roundtable to discuss possible changes or updates to COPPA and its enforcement.  It was an all-day series of sessions, involving participants from across the board...attorneys, tech industry reps (not enough of those), safe harbor providers, FTC staffers, marketers, and pediatricians.  As you can guess, it's sometimes scary to hear what folks in the non-tech sector come up with when trying to solve technological problems.  Let's just say the word "Luddite" came up a few times.  But have no fear, I sat and listened to audio of all of the sessions so that you don't have to.

1. The device doesn't matter, the activity does.  There was much discussion of how new devices (iPads, smartphones, DS games, interactive TV, etc.) impact COPPA enforcement.  The bottom line seemed to be that the terms of COPPA will be enforced regardless of the device on which the information is collected.  Takeaway for techies: be sure to include age enforcement gateways on your apps if they collect any information from users.

2. Email-plus may be in danger.  In the current COPPA world, many sites use the so-called "email-plus" mechanism, which allows the use of an email plus confirmation (via another email, postal mail, or phone call) that the person giving consent is the parent. Technically, this method of verification is only allowed when the personally identifiable information being collected is for internal use (not disclosure to a third party), although in practice, it is used much more broadly. In 2006, the FTC said that "email-plus" would be extended indefinitely while they tried to figure out better ways of parental verification.  However, in listening to the discussion in the roundtable, there was almost universal consensus that "email-plus" won't be tolerated forever.  Other ideas bandied about included using premium SMS, credit card transactions, last four digits of parents SSN, or even school-verified tokens. Key takeaway: if you are a kid-oriented website, you need to pay close attention to where the FTC lands on this one. Your parental consent mechanism may need to be updated once the dust settles.

3. "Actual Knowledge" rule could turn into "Constructive Knowledge."  There was a lot of discussion (mainly from the non-techies) about whether site operators can aggregate posted information to infer the age of the person posting it, and whether that should then trigger COPPA. There were some in the room who (correctly) noted that it was not practical to have humans review and analyze every single piece of content in every single website. Key takeaway: Let's hope that cooler heads prevail on this one.

4. New data may be added to "personally identifiable" list.  With the advent of geolocation services, single login APIs, etc., COPPA has to account for a slew of new pieces of information that may be "de facto" personally identifiable.  Services that ping back with user data (OpenID, Facebook Connect, etc.) could trigger COPPA liability for the receiving site if the user being connected is 13 or under.  The FTC is also contemplating the ramifications of adding static IP address and/or geolocation coordinates to the list.  Of course, as one participant noted, making static IP addresses trigger COPPA will "break the internet," since virtually all websites collect IP address upon a user's initial visit. Key takeaway: if I were a geolocation-related service, I would bar users 13 and under. Now.

5. Behaviorally targeted ads can trigger COPPA.  This isn't really a change, but some discussion centered around the fact that if a kid-targeted site is serving third-party ads from an ad network, and the ads are targeted to individual users based on behavior, then the website AND the ad network itself must get parental permission.  I'm pretty sure that this nuance is not widely recognized.  In other words, if you're serving a McDonald's ad to the Dora the Explorer website in general (context), then the ad network doesn't need parental permission. However, if you're serving a McDonald's ad to a particular kid on the Dora the Explorer website based on other information about that kid, then you need parental permission.  Key takeaway: if you're running ads on your kid-oriented website, be sure you're familiar with how the ads are targeted.

Remember, all of this is just discussion right now.  The FTC folks came across loud and clear that the ultimate goal of all of this is to make sure that kids' personal information is not misused, and as they gather input on all of these new developments, that is the guiding principle.

Stay tuned, and I will post updates as the discussion continues!

(Full disclosure---I am a parent of three kids under the age of 7, and I feel that it's my own responsibility to make sure they are protected while they are online.)


I'd love to hear your thoughts here in the comments, or connect with me on Twitter.


Images (1)
  • kid_eyeballs: Kid protection under COPPA

Add Comment

Comments (4)

Newest · Oldest · Popular
You're welcome Lynda!  And the cavalry resolved the issue yesterday...I'm looking to improve our outward communications when things like that happen; we'd like to be much more proactive than we were yesterday, and I'm sorry for that.

Harold, I might agree with you.  It's kind of funny that the actual age issue never really came up in their discussions.  It's probably because there are certain situations where you wouldn't want to lock out 15-16 year olds.
Rosemary O'Neill
Link copied to your clipboard.