10 Step Guide to COPPA Compliance
Upcoming SlideShare
Loading in...5

10 Step Guide to COPPA Compliance



A 10 Step Guide to COPPA Compliance. Legislation goes into effect July 1, 2013.

A 10 Step Guide to COPPA Compliance. Legislation goes into effect July 1, 2013.



Total Views
Views on SlideShare
Embed Views



3 Embeds 98

http://www.famigo.com 95
http://famigo.com 2
http://www.redditmedia.com 1


Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    10 Step Guide to COPPA Compliance 10 Step Guide to COPPA Compliance Presentation Transcript

    • A 10 Step Guide to COPPAComplianceWednesday, June 19, 13
    • Introduction•There’s lots of talk about the Children’s Online Privacy Protection Act (COPPA), but doyou really understand how the law works?  COPPA was enacted in 1998 and was enactedto protect the privacy of children under 13 years of age. COPPA charged the FederalTradeCommission (FTC) with creating the regulations necessary to implement the goals of thelaw.•The original act also required that the law be reviewed 5 years after the effective date ofthe regulation (April 21, 2000). This review took several years and various stakeholderswere given the opportunity to comment on the proposed revisions. The revised CoppaRule was released in December 2012 and is set to go into effect on July 1, 2013.•What follows are 10 questions that every developer should ask herself over the nextcouple weeks in order to conduct an internal COPPA audit and ensure compliance.  If youhave any questions, please let us know in the comments.Wednesday, June 19, 13
    • 1)   Did you read the Rule?This seems obvious, but have you read the revisedRule yet?  It might look big and scary at first, but it’snot rocket surgery – anyone who can developtheir own application can grasp the content of therevised  COPPA Rule.Wednesday, June 19, 13
    • 2)   Does the Rule apply to you?Ask yourself this question:  “Am I operating a child-directedwebsite or service or do I have actual knowledge that I’mcollecting, using or disclosing personal information from a childunder 13?”If you have any doubt, the smart bet is to assume COPPA appliesto you and read on.Wednesday, June 19, 13
    • 3)   Do you collect personal information?The general idea is that personal information is any information thatcan be matched to a single person.  Phone numbers and emailaddresses are obvious examples, but it’s worth going through thewhole list to determine if you collect personal information, as thedefinition has expanded.Wednesday, June 19, 13
    • 4)   What information do you collect?It’s time to compile an exhaustive list of all theinformation you collect. Remember that feature you built,but never used? Make sure it isn’t still collectinginformation.  Figuring out what you collect is perhaps themost important part of your own COPPA audit.  Leave nostone unturned.  After all, there’s still time to clean up youract before July 1.Wednesday, June 19, 13
    • Now that you know what you collect, it’s time to understand why you collect it. It’suseful to divide all the information you collect into two categories: information forthe support of internal operations (defined in §312.2) and information that isdisclosed to third parties.If it’s for the support of internal operations (e.g. collecting data to optimize productfeatures) make sure you’re using the data and storing it securely. If you don’t use it,stop collecting it. If the information is disclosed to third parties, ask yourself why you’re disclosingthat data in the first place.  In the general interest of protecting children’s privacy,disclosure of this data should be carefully and rigorously scrutinized.5)   What do you NEED to collect?Wednesday, June 19, 13
    • 6)   Do you have a privacy policy?The first step in effectively communicating with parents is to have a well-writtenprivacy policy. This can seem like a daunting task to non-lawyers, but there areplenty of good resources to help you out. Here are a few tools to help you getstarted:We also recommend looking at the privacy policies of developers thatare doing similar work or offering similar services.  Whats moreimportant than perfect legalese is honesty and transparency.Wednesday, June 19, 13
    • 7)   How are you going to provide notice of yourprivacy practices?Congratulations, you now have your very ownprivacy policy! Now, how are you going to tellparents about your data collection, use anddisclosure practices?   The California AttorneyGeneral provides some really good guidance inPrivacy on the Go: Recommendations for theMobile Ecosystem, and as always, reread theRule.Wednesday, June 19, 13
    • I’m willing to bet that you probably have questions at thispoint.The good news is that you’re not alone.  In May the FTCreleased a set of FAQ’s to address the most common andvexing questions they had received in the months since theamended rule was released.The good news is that you’llprobably find some clarification to your questions, but beprepared to add some items to your to-do list as well.8)   Have you read the FAQ?Wednesday, June 19, 13
    • COPPA Safe Harbor Programs:These FTC-approved safe harbor programs are anattempt to provide businesses with the ability to self-regulate when it comes to COPPA compliance.9)   Have you considered getting a second opinion?Wednesday, June 19, 13
    • 10) What’s next? Developers are certainly not strangers to constantproduct iterations and you should get used tothinking of your privacy-related activities the sameway. Children’s privacy is very important, and if youtake your obligation seriously, it will requireconstant refinement.Wednesday, June 19, 13
    • A FinalThoughtHopefully this 10-step guide is helpful in starting you on yourjourney to COPPA compliance.This information is not meantas legal advice, but it does accurately reflect a process thatwe’ve used ourselves and that other developers have hadsome success with too.  If you have suggestions or care toshare your own experiences please leave a comment.Wednesday, June 19, 13