COPPA

1,703 views
1,627 views

Published on

An introduction for the online marketer

Published in: Technology, Health & Medicine
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,703
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
21
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • COPPA USC 6501-6508 Enacted in 1999. COPPR enacted April 21 2000 (Friday). COPA created in 1998. In March of 2007, the trial court again found that COPA was unconstitutional.
  • Some sites simply don’t allow marketing to under 13 year olds at all. It is possible and it is permissible.
  • Daniel Simms in Georgia
  • Daniel Simms in Georgia
  • Daniel Simms in Georgia
  • Daniel Simms in Georgia
  • Daniel Simms in Georgia
  • Daniel Simms in Georgia
  • Daniel Simms in Georgia
  • Daniel Simms in Georgia
  • $1 million costSouthern district court of NY
  • Central district of California.
  • Went out of business.District of Massachusetts
  • Southern district of New York
  • Northern district of California. Oakland.
  • $80K costMiddle district court of Pennsylvania.
  • COPPA

    1. 1. COPPA<br />Legal Compliance and Restrictions. <br />An introduction for the online marketer<br />Not to be considered legal advice. <br />Please consult your legal counsel for further details. <br />
    2. 2. I ANAL<br />
    3. 3. IAmNotALawyer<br />
    4. 4. Definitions<br />COPPA. Child Online Privacy Protection Act<br />COPPR. Child Online Privacy Protection Rule<br />COPA. Child Online Protection Act<br />
    5. 5. Definitions<br />The primary goal of COPPA and the Rule is to place parents in control over what information is collected from their young children online. The Rule was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. The Rule applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. <br />
    6. 6. What do we have to do?<br />
    7. 7. Post a clear and comprehensive privacy policy on the website describing their information practices for children’s personal information; <br />1.<br />
    8. 8. Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children; <br />2.<br />
    9. 9. Giving parents the option to consent to the collection and internal use of their children's personal information without consenting to the disclosure of that information to third parties;<br />3.<br />
    10. 10. Provide parents access to their child’s personal information to review and/or have the information deleted; <br />4.<br />
    11. 11. Give parents the opportunity to prevent further use or online collection of a child’s personal information; <br />5.<br />
    12. 12. Maintain the confidentiality, security, and integrity of information they collect from children. <br />6.<br />
    13. 13. 1. Privacy Policy<br />Post a privacy policy on the homepage of the website and link to the privacy policy everywhere personal information is collected.<br />The Rule requires that a link to the privacy policy be posted clearly and prominently on your home page and at each area where personal information is collected. <br />16 C.F.R. § 312.4(b).<br />
    14. 14. 1. Privacy Policy<br />Information that counts as “personal”.<br />a first and last name;<br />a home or other physical address including street name and name of a city or town;<br />(C) an e-mail address;<br />(D) a telephone number;<br />(E) a Social Security number;s<br />(F) any other identifier that the Commission determines permits the physical or online contacting of a specific individual; or<br />(G) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph.<br />
    15. 15. 1. Privacy Policy<br />The PP must include name, address, telephone number, and email address of each operator collecting or maintaining personal information from children through your site; the types of personal information collected from children and whether it is collected actively or passively; how such personal information is or may be used; whether such personal information is disclosed to third parties.<br />16 C.F.R. § 312.4(b)(2).<br />
    16. 16. 1. Privacy Policy<br />“Cookies,” “GUIDs,” “IP addresses,” or other passive information collection means must be included if they are tied to personally identifiable information. <br />16 C.F.R. § 312.2.<br />
    17. 17. 2. Direct Notice<br />We need consent from parents of children under 13. There are two levels of consent required. One for PII that will be used with third parties or systems that make the information available to people outside of the website operators and another level for internal website operators.<br />
    18. 18. 2. Direct Notice<br />Approved methods to gain consent from parents for usage of PII with third parties:<br />Provide a form for the parent to print, fill out, sign, and mail or fax back to you (the “print-and-send” method); <br />Require the parent to use a credit card in connection with a transaction (which could consist of a membership or subscription fee, a purchase, or a charge to cover the cost of processing the credit card). <br />Maintain a toll-free telephone number staffed by trained personnel for parents to call in their consent; <br />Obtain consent through an email from the parent, if that email contains a digital signature, or other digital certificate that uses public key technology obtained through one of the above methods. <br />
    19. 19. 2. Direct Notice<br />Approved methods to gain consent from parents for usage of PII for Internal usage - “Email plus”:<br />Requesting in your initial email seeking consent that the parent include a phone or fax number or mailing address in the reply email, so that you can follow up to confirm consent via telephone, fax, or postal mail; or <br />After a reasonable time delay, sending another email to the parent to confirm consent. In this confirmatory email, you should include all the original information contained in the direct notice, inform the parent that he or she can revoke the consent, and inform the parent how to revoke the consent. <br />
    20. 20. 3. Scope of consent<br />Approval for collection of PII for internal use should not automatically include or imply approval for external usage. <br />“An operator is prohibited from conditioning a child’s participation in a game, the offering of a prize, or another activity on the child’s disclosing more information than is reasonably necessary to participate in such activity.”. Section 312.7<br />
    21. 21. 4. Access of data<br />Access should be on demand but the operator is not liable for keeping all records that have been created. If data has been deleted the operator is not in breach of the CFR. <br />The format of the data isn’t specified by the act.<br />
    22. 22. 5. Revocation of Permissions <br />Parents can revoke their children's participation and the site operator is responsible for baring the child from their site using reasonable measures. <br />
    23. 23. 6. Data Retention Policy<br />Web site data owners must take reasonable precautions to secure the data of minors using their service. <br />
    24. 24. Exceptions<br />There are sui generis exceptions to the CFR requirements for site operators.<br />
    25. 25. Silver bullets<br />We can request an email address for notification of a competition entry or content personalization.<br />If contact needs to be made more than once or another piece of unique information needs to be paired with the email address standard Direct Notice procedure must be enforced.<br />
    26. 26. Silver bullets<br />Communication without direct notice can be conducted for the purpose of:<br /><ul><li>Requesting direct notice
    27. 27. One time support request and the email address is deleted immediately
    28. 28. If the safety of the individual is at risk
    29. 29. If the security of the site is at risk</li></li></ul><li>Silver bullets<br />Email addresses can be used anonymously for multiple communications without requiring direct notice if the addresses are converted into anonymous hashes, otherwise known as one way encryption, and cannot be retrieved from a data source. <br />
    30. 30. Avoiding COPPA?<br />Offer activities that do not require the collection or disclosure of personal information; <br />Use screen names or other anonymous techniques to personalize the site; <br />Limit the amount of personal information collected<br />
    31. 31. Gotchas<br />“Keep in mind that "COPPA compliant" does not only apply to websites that are intended for audiences under 13 years of age. All websites are required to have in place mechanisms for dealing with users who are known to be minors.”<br />–Sol Irvine, Partner at Yuson & Irvine<br />
    32. 32. Gotchas<br />“This isn’t don’t ask-don’t tell. If incompliant data is there: delete it”<br />–Anonymous<br />
    33. 33. Gotchas<br />Age gates should not “lead” the user to inputting their age as older than 13. Even if they are older. <br />The site should provide a neutral approach where a visitor input’s their year of birth rather than hitting a check box that they are older than 13.<br />
    34. 34. Gotchas<br />Look at OpenID for managed Direct Notice consent.<br />http://openidforkids.com/<br />
    35. 35. Gotchas<br />The IAB and DMA are lobbying for amendments of the COPPA act to allow ad servers more behavioral targeting privileges for kids thanks to Illinois’ Bobby Rush.<br />“[…] the requirement to obtain verifiable consent from parents may also have impacted the ability of our members to provide innovative offerings to children.”<br />
    36. 36. Gotchas<br />The IAB and DMA are lobbying for amendments of the COPPA act to allow ad servers more behavioral targeting privileges for kids thanks to Illinois’ Bobby Rush.<br />“[…] the requirement to obtain verifiable consent from parents may also have impacted the ability of our members to provide innovative offerings to children.”<br />
    37. 37. Gotchas<br />“These ad networks have no way of knowing whether a website is being accessed by a child under the age of 13 or an adult, since such ad networks are not the website operator. If the definition of ‘personal information’ were expanded to include anonymous data obtained through behavioral advertising, third parties would be forced to collect individually identifiable information about the user in order to effectuate the verifiable parental consent notice requirements.”<br />
    38. 38. Gotchas<br />“Unlike their predecessors from over a decade ago, today’s teenagers are what are known as “digital natives” – people for whom digital technologies such as computers, the Internet, and mobile phones have always been available.”<br />Michael Zaneis Vice President of Public Policy Interactive Advertising Bureau<br />
    39. 39. Gotchas<br />CLEAR Ad Notice Technical Specifications<br />
    40. 40. Gotchas<br />
    41. 41. Gotchas<br />What’s a website?<br />(i) a home page of a website;<br />(ii) a pen pal service;<br />(iii) an electronic mail service;<br />(iv) a message board; or<br />(v) a chat room.<br />
    42. 42. Examples of good policies<br />http://www.clubpenguin.com/terms.htm<br />http://www.nick.com/info/privacy-policy.html<br />http://www.neopets.com/privacy.phtml<br />
    43. 43. Examples of what can go wrong<br />
    44. 44. Xanga<br />“You must check the box below to certify that you are at least 13 years old”<br />Other bio fields of the users profile contained birth dates younger than 13.<br />2006.<br />
    45. 45. Lil’ Romeo<br />Defendant has not disclosed it’s information practices including what information it has already collected from child and it’s intended uses of such information.<br />Automatically registered parents consent on privacy policy click through.<br />2002<br />
    46. 46. Toysmart<br />“Personal information, voluntarily submitted by visitors to our site, such as name, address, billing information and shopping preferences, is never shared with a third party. When you register with toysmart.com, you can rest assured that your information will never be shared with a third party.”<br />They sold it. <br />2001.<br />
    47. 47. Toysmart<br />Children who entered dates of both indicating that they were under 13 years old were freely available to register on Sony Music’s websites; they were neither restricted from participating, nor did Sony Music use cookies to assure that any restriction persisted.<br />2000<br />
    48. 48. Imbee<br />“The web's first and premier social networking 'mega-platform' for kids between the ages of 8 - 14. It's a cool, safe and fun environment: […]”<br />The direct notice emailed to parents failed to disclose that imbee.com already had a collected a child’s full name, DOB, child's email address, gender and a username and password prior to sending the notice to parents. <br />2008<br />
    49. 49. Hershey’s<br />Hershey’s Candy of the month club provided a parents consent form for participation to collect private information. At the bottom of the form there was a box labeled “Click here to consent” which took the visitor directly to the reg form. <br />No measures to review collected data.<br />2000<br />
    50. 50. FTC contact<br />1-(877) FTC-HELP - General enquires<br />(202) 326-3140 - Specific enquires<br />
    51. 51. Appendix: Research links<br />http://www.ftc.gov/privacy/coppafaqs.shtm<br />http://business.ftc.gov/privacy-and-security/children%E2%80%99s-online-privacy<br />http://business.ftc.gov/documents/bus45-how-comply-childrens-online-privacy-protection-rule<br />http://www.philadelphiafed.org/bank-resources/publications/compliance-corner/2003/fourth-quarter/q4cc1_03.cfm<br />http://www.ftc.gov/privacy/coppafaqs.shtm<br />http://business.ftc.gov/legal-resources/30/35<br />http://www.zephoria.org/thoughts/archives/2010/06/10/how-coppa-fails-parents-educators-youth.html<br />http://www.quora.com/What-are-good-examples-of-COPPA-compliant-web-sites<br />http://blogs.wsj.com/digits/2010/09/17/understanding-the-childrens-online-privacy-protection-act/<br />http://www.ftc.gov/ogc/coppa1.htm<br />http://www.slideshare.net/dsims/coppa-and-you<br />http://www.the-dma.org/privacy/HowtoComplywithCOPPA-PDFVersion.pdf<br />http://www.iab.net/wiki/index.php/COPPA<br />http://www.google.com/url?sa=t&source=web&cd=3&ved=0CCAQFjAC&url=http%3A%2F%2Fwww.iab.net%2Fmedia%2Ffile%2FAugust_Legislative_Update.docx&rct=j&q=iab%20coppa&ei=XrasTcT0MJCosQPo2-zJCQ&usg=AFQjCNERkcWncVC4Wv8tX4xyMOtrC77MgA&cad=rja<br />http://www.advertisinglawblog.com/2010/08/ftc-in-ongoing-review-of-coppa.shtml<br />http://www.iab.net/media/file/DC1DOCS1-%23400330-v1-Comments_-_COPPA_Rule_Review_P104503.PDF<br />http://www.scribd.com/doc/15610373/IAB-Document-on-Best-Practices-in-Social-Advertising<br />http://info.yahoo.com/privacy/us/yahoo/attandyahoo/adchoices.html<br />http://www.iab.net/clear<br />

    ×