COPPA clarity: Proceed with caution
The Federal Trade Commission recently revised COPPA, the Children’s Online Privacy Protection Act, to give parents greater control over the personal information that websites and online services can collect from kids under 13. To get the 411, I talked to Linnette Attai, founder of Playwell, LLC, a company that specializes in helping clients navigate the safety and privacy requirements for kids. Linnette will be delving deeper into this subject as a panelist discussing privacy vs. creativity at SandboxSummit@MIT in April. But for now, here’s her top-line interpretation of the changes we can expect:
WS: How does COPPA 2.0 differ from the old COPPA?
LA: The biggest differences in COPPA 2.0 (which is what we’re informally calling the new law), are in the modified definitions of personal information, operator, and website or online service directed to children. The new rule also includes some streamlined provisions related to parental notice, new requirements for data retention and deletion, and additional oversight of safe harbor outlets.
WS: What personal information can’t be collected? And was any of it previously collected?
LA: The personal information that can’t be collected from users under 13 without prior parental consent includes:
- A first and last name
- A home or other physical address including street name and the name of a city or town
- Certain online contact information, such as an email address or other substantially similar identifier that permits direct contact with a person online
- A screen or user name where it functions in the same manner as online contact information
- A telephone number
- A Social Security number
- A persistent identifier (such as a customer number held in a cookie, an IP address, a processor or device serial number, a unique device identifier) that can be used to recognize a user over time and across different websites or online services
- A photograph, video or audio file where such file contains a child’s image or voice
- Geolocation information sufficient to identify street name and name of a city or town;
- Information concerning the child or the parents of the child that the operator collects online from the child and combines with an identifier (as described above)
Significant additions include an expanded definition of persistent identifier, the overt mention of geolocation, the addition of all photographs, videos and audio files that contain a child’s image or voice, and changes to the definition of a screen or user name.
WS: Wow! So what CAN be collected?
LA: When it comes to children, not much! But that’s always been the case. The idea here is twofold: 1) all of the information listed above can be used to identify an individual, and when that individual is a child, it should be the parent who has the final say in what companies can and can’t collect, use or share; and 2) let’s keep data collection from children to the bare minimum.
However, the FTC is by no means interested in putting companies out of business. There is some data that is commonly used for purposes such as analytics, site security or, for example, to ensure that site features function properly, that can still be collected (when used only for those purposes). And companies can still respond once to a specific request from a child as long as the data is deleted once the request has been fulfilled.
WS: What does this mean for existing companies?
LA: The rule goes into effect on July 1, 2013, so companies with established websites and online services are now working to retrofit their policies and practices to comply with the new law.
WS: According to research just released by Nickelodeon, tablet use among kids 11 and younger is projected to grow faster than almost any other age group. So who’s watching over these kids as they go on Instagram or YouTube?
LA: Attempting to ensure that children access only those sites and services that are designed for them is a tremendous challenge for industry and parents. Sites that include social networking features or allow users to upload content create particular challenges. Most of them don’t allow users to register unless they’re 13 or older. Aside from privacy considerations, there are also potential safety issues. And of course, there is also content on some of these sites that is simply not intended for young children.
If the site is age-gating properly, it falls back on the parents to really understand what sites their children are visiting and what they’re doing online. They have to balance empowering their children to use the best that technology has to offer, and setting digital and mobile boundaries just as they do in the real world.
WS: Let’s get real. Will a 10 year old still be able to go on Facebook by making up a birthdate? And if so, what does the new ruling really do?
LA: Yes, it’s true, kids will still be able to make up a birthdate and access sites that aren’t intended for them. Unfortunately, there’s simply no easy way for most operators to truly verify whether or not a child is being honest.
Industry can play a role in helping parents understand that the age limit is often in place for a number of reasons. Privacy law is just one consideration. Safety and age appropriate content are also priorities.
What COPPA does accomplish is that it ensures that parents have control over their child’s personal information when that child honestly enters their birthdate. It also reminds the industry that when we create sites and services intended for children, we need to take responsibility for the fact that our users are not fully able to understand, let alone navigate, complicated concepts such as privacy.
WS: And probably most important for Kidscreen readers, how will this affect new businesses as they develop their products?
LA: Having worked in the compliance space for many years, I believe that when done properly, compliance and business success can go hand in hand. With COPPA 2.0 upon us, it’s very important that businesses take a look at the new regulations and assess their policies and practices for compliance.
Businesses that are still in the development stage actually have an advantage, in that they can truly embrace the concept of “privacy by design,” and build privacy considerations into the infrastructure of their products.
As an industry, we can also help by providing parents with more education about privacy, safety, password security and the implications of uploading user-generated content.
Comments? Private or not at email@example.com