Your SlideShare is downloading. ×
0
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
COPPA
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

COPPA

1,443

Published on

An introduction for the online marketer

An introduction for the online marketer

Published in: Technology, Health & Medicine
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,443
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
20
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • COPPA USC 6501-6508 Enacted in 1999. COPPR enacted April 21 2000 (Friday). COPA created in 1998. In March of 2007, the trial court again found that COPA was unconstitutional.
  • Some sites simply don’t allow marketing to under 13 year olds at all. It is possible and it is permissible.
  • Daniel Simms in Georgia
  • Daniel Simms in Georgia
  • Daniel Simms in Georgia
  • Daniel Simms in Georgia
  • Daniel Simms in Georgia
  • Daniel Simms in Georgia
  • Daniel Simms in Georgia
  • Daniel Simms in Georgia
  • $1 million costSouthern district court of NY
  • Central district of California.
  • Went out of business.District of Massachusetts
  • Southern district of New York
  • Northern district of California. Oakland.
  • $80K costMiddle district court of Pennsylvania.
  • Transcript

    • 1. COPPA
      Legal Compliance and Restrictions.
      An introduction for the online marketer
      Not to be considered legal advice.
      Please consult your legal counsel for further details.
    • 2. I ANAL
    • 3. IAmNotALawyer
    • 4. Definitions
      COPPA. Child Online Privacy Protection Act
      COPPR. Child Online Privacy Protection Rule
      COPA. Child Online Protection Act
    • 5. Definitions
      The primary goal of COPPA and the Rule is to place parents in control over what information is collected from their young children online. The Rule was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. The Rule applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.
    • 6. What do we have to do?
    • 7. Post a clear and comprehensive privacy policy on the website describing their information practices for children’s personal information;
      1.
    • 8. Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children;
      2.
    • 9. Giving parents the option to consent to the collection and internal use of their children's personal information without consenting to the disclosure of that information to third parties;
      3.
    • 10. Provide parents access to their child’s personal information to review and/or have the information deleted;
      4.
    • 11. Give parents the opportunity to prevent further use or online collection of a child’s personal information;
      5.
    • 12. Maintain the confidentiality, security, and integrity of information they collect from children.
      6.
    • 13. 1. Privacy Policy
      Post a privacy policy on the homepage of the website and link to the privacy policy everywhere personal information is collected.
      The Rule requires that a link to the privacy policy be posted clearly and prominently on your home page and at each area where personal information is collected.
      16 C.F.R. § 312.4(b).
    • 14. 1. Privacy Policy
      Information that counts as “personal”.
      a first and last name;
      a home or other physical address including street name and name of a city or town;
      (C) an e-mail address;
      (D) a telephone number;
      (E) a Social Security number;s
      (F) any other identifier that the Commission determines permits the physical or online contacting of a specific individual; or
      (G) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph.
    • 15. 1. Privacy Policy
      The PP must include name, address, telephone number, and email address of each operator collecting or maintaining personal information from children through your site; the types of personal information collected from children and whether it is collected actively or passively; how such personal information is or may be used; whether such personal information is disclosed to third parties.
      16 C.F.R. § 312.4(b)(2).
    • 16. 1. Privacy Policy
      “Cookies,” “GUIDs,” “IP addresses,” or other passive information collection means must be included if they are tied to personally identifiable information.
      16 C.F.R. § 312.2.
    • 17. 2. Direct Notice
      We need consent from parents of children under 13. There are two levels of consent required. One for PII that will be used with third parties or systems that make the information available to people outside of the website operators and another level for internal website operators.
    • 18. 2. Direct Notice
      Approved methods to gain consent from parents for usage of PII with third parties:
      Provide a form for the parent to print, fill out, sign, and mail or fax back to you (the “print-and-send” method);
      Require the parent to use a credit card in connection with a transaction (which could consist of a membership or subscription fee, a purchase, or a charge to cover the cost of processing the credit card).
      Maintain a toll-free telephone number staffed by trained personnel for parents to call in their consent;
      Obtain consent through an email from the parent, if that email contains a digital signature, or other digital certificate that uses public key technology obtained through one of the above methods.
    • 19. 2. Direct Notice
      Approved methods to gain consent from parents for usage of PII for Internal usage - “Email plus”:
      Requesting in your initial email seeking consent that the parent include a phone or fax number or mailing address in the reply email, so that you can follow up to confirm consent via telephone, fax, or postal mail; or
      After a reasonable time delay, sending another email to the parent to confirm consent. In this confirmatory email, you should include all the original information contained in the direct notice, inform the parent that he or she can revoke the consent, and inform the parent how to revoke the consent.
    • 20. 3. Scope of consent
      Approval for collection of PII for internal use should not automatically include or imply approval for external usage.
      “An operator is prohibited from conditioning a child’s participation in a game, the offering of a prize, or another activity on the child’s disclosing more information than is reasonably necessary to participate in such activity.”. Section 312.7
    • 21. 4. Access of data
      Access should be on demand but the operator is not liable for keeping all records that have been created. If data has been deleted the operator is not in breach of the CFR.
      The format of the data isn’t specified by the act.
    • 22. 5. Revocation of Permissions
      Parents can revoke their children's participation and the site operator is responsible for baring the child from their site using reasonable measures.
    • 23. 6. Data Retention Policy
      Web site data owners must take reasonable precautions to secure the data of minors using their service.
    • 24. Exceptions
      There are sui generis exceptions to the CFR requirements for site operators.
    • 25. Silver bullets
      We can request an email address for notification of a competition entry or content personalization.
      If contact needs to be made more than once or another piece of unique information needs to be paired with the email address standard Direct Notice procedure must be enforced.
    • 26. Silver bullets
      Communication without direct notice can be conducted for the purpose of:
      • Requesting direct notice
      • 27. One time support request and the email address is deleted immediately
      • 28. If the safety of the individual is at risk
      • 29. If the security of the site is at risk
    • Silver bullets
      Email addresses can be used anonymously for multiple communications without requiring direct notice if the addresses are converted into anonymous hashes, otherwise known as one way encryption, and cannot be retrieved from a data source.
    • 30. Avoiding COPPA?
      Offer activities that do not require the collection or disclosure of personal information;
      Use screen names or other anonymous techniques to personalize the site;
      Limit the amount of personal information collected
    • 31. Gotchas
      “Keep in mind that "COPPA compliant" does not only apply to websites that are intended for audiences under 13 years of age. All websites are required to have in place mechanisms for dealing with users who are known to be minors.”
      –Sol Irvine, Partner at Yuson & Irvine
    • 32. Gotchas
      “This isn’t don’t ask-don’t tell. If incompliant data is there: delete it”
      –Anonymous
    • 33. Gotchas
      Age gates should not “lead” the user to inputting their age as older than 13. Even if they are older.
      The site should provide a neutral approach where a visitor input’s their year of birth rather than hitting a check box that they are older than 13.
    • 34. Gotchas
      Look at OpenID for managed Direct Notice consent.
      http://openidforkids.com/
    • 35. Gotchas
      The IAB and DMA are lobbying for amendments of the COPPA act to allow ad servers more behavioral targeting privileges for kids thanks to Illinois’ Bobby Rush.
      “[…] the requirement to obtain verifiable consent from parents may also have impacted the ability of our members to provide innovative offerings to children.”
    • 36. Gotchas
      The IAB and DMA are lobbying for amendments of the COPPA act to allow ad servers more behavioral targeting privileges for kids thanks to Illinois’ Bobby Rush.
      “[…] the requirement to obtain verifiable consent from parents may also have impacted the ability of our members to provide innovative offerings to children.”
    • 37. Gotchas
      “These ad networks have no way of knowing whether a website is being accessed by a child under the age of 13 or an adult, since such ad networks are not the website operator. If the definition of ‘personal information’ were expanded to include anonymous data obtained through behavioral advertising, third parties would be forced to collect individually identifiable information about the user in order to effectuate the verifiable parental consent notice requirements.”
    • 38. Gotchas
      “Unlike their predecessors from over a decade ago, today’s teenagers are what are known as “digital natives” – people for whom digital technologies such as computers, the Internet, and mobile phones have always been available.”
      Michael Zaneis Vice President of Public Policy Interactive Advertising Bureau
    • 39. Gotchas
      CLEAR Ad Notice Technical Specifications
    • 40. Gotchas
    • 41. Gotchas
      What’s a website?
      (i) a home page of a website;
      (ii) a pen pal service;
      (iii) an electronic mail service;
      (iv) a message board; or
      (v) a chat room.
    • 42. Examples of good policies
      http://www.clubpenguin.com/terms.htm
      http://www.nick.com/info/privacy-policy.html
      http://www.neopets.com/privacy.phtml
    • 43. Examples of what can go wrong
    • 44. Xanga
      “You must check the box below to certify that you are at least 13 years old”
      Other bio fields of the users profile contained birth dates younger than 13.
      2006.
    • 45. Lil’ Romeo
      Defendant has not disclosed it’s information practices including what information it has already collected from child and it’s intended uses of such information.
      Automatically registered parents consent on privacy policy click through.
      2002
    • 46. Toysmart
      “Personal information, voluntarily submitted by visitors to our site, such as name, address, billing information and shopping preferences, is never shared with a third party. When you register with toysmart.com, you can rest assured that your information will never be shared with a third party.”
      They sold it.
      2001.
    • 47. Toysmart
      Children who entered dates of both indicating that they were under 13 years old were freely available to register on Sony Music’s websites; they were neither restricted from participating, nor did Sony Music use cookies to assure that any restriction persisted.
      2000
    • 48. Imbee
      “The web's first and premier social networking 'mega-platform' for kids between the ages of 8 - 14. It's a cool, safe and fun environment: […]”
      The direct notice emailed to parents failed to disclose that imbee.com already had a collected a child’s full name, DOB, child's email address, gender and a username and password prior to sending the notice to parents.
      2008
    • 49. Hershey’s
      Hershey’s Candy of the month club provided a parents consent form for participation to collect private information. At the bottom of the form there was a box labeled “Click here to consent” which took the visitor directly to the reg form.
      No measures to review collected data.
      2000
    • 50. FTC contact
      1-(877) FTC-HELP - General enquires
      (202) 326-3140 - Specific enquires
    • 51. Appendix: Research links
      http://www.ftc.gov/privacy/coppafaqs.shtm
      http://business.ftc.gov/privacy-and-security/children%E2%80%99s-online-privacy
      http://business.ftc.gov/documents/bus45-how-comply-childrens-online-privacy-protection-rule
      http://www.philadelphiafed.org/bank-resources/publications/compliance-corner/2003/fourth-quarter/q4cc1_03.cfm
      http://www.ftc.gov/privacy/coppafaqs.shtm
      http://business.ftc.gov/legal-resources/30/35
      http://www.zephoria.org/thoughts/archives/2010/06/10/how-coppa-fails-parents-educators-youth.html
      http://www.quora.com/What-are-good-examples-of-COPPA-compliant-web-sites
      http://blogs.wsj.com/digits/2010/09/17/understanding-the-childrens-online-privacy-protection-act/
      http://www.ftc.gov/ogc/coppa1.htm
      http://www.slideshare.net/dsims/coppa-and-you
      http://www.the-dma.org/privacy/HowtoComplywithCOPPA-PDFVersion.pdf
      http://www.iab.net/wiki/index.php/COPPA
      http://www.google.com/url?sa=t&source=web&cd=3&ved=0CCAQFjAC&url=http%3A%2F%2Fwww.iab.net%2Fmedia%2Ffile%2FAugust_Legislative_Update.docx&rct=j&q=iab%20coppa&ei=XrasTcT0MJCosQPo2-zJCQ&usg=AFQjCNERkcWncVC4Wv8tX4xyMOtrC77MgA&cad=rja
      http://www.advertisinglawblog.com/2010/08/ftc-in-ongoing-review-of-coppa.shtml
      http://www.iab.net/media/file/DC1DOCS1-%23400330-v1-Comments_-_COPPA_Rule_Review_P104503.PDF
      http://www.scribd.com/doc/15610373/IAB-Document-on-Best-Practices-in-Social-Advertising
      http://info.yahoo.com/privacy/us/yahoo/attandyahoo/adchoices.html
      http://www.iab.net/clear

    ×