10 Step Guide to COPPA Compliance
1. A 10 Step Guide to COPPA Compliance
Wednesday, June 19, 13
2. Introduction
• There’s lots of talk about the Children’s Online Privacy Protection Act (COPPA), but do
you really understand how the law works? COPPA was enacted in 1998 to protect the
privacy of children under 13 years of age. COPPA charged the Federal Trade
Commission (FTC) with creating the regulations necessary to implement the goals of the
law.
• The original act also required that the law be reviewed 5 years after the effective date of
the regulation (April 21, 2000). This review took several years and various stakeholders
were given the opportunity to comment on the proposed revisions. The revised COPPA
Rule was released in December 2012 and is set to go into effect on July 1, 2013.
• What follows are 10 questions that every developer should ask herself over the next
couple of weeks in order to conduct an internal COPPA audit and ensure compliance. If you
have any questions, please let us know in the comments.
3. 1) Did you read the Rule?
This seems obvious, but have you read the revised
Rule yet? It might look big and scary at first, but it’s
not rocket surgery – anyone who can develop
their own application can grasp the content of the
revised COPPA Rule.
4. 2) Does the Rule apply to you?
Ask yourself this question: “Am I operating a child-directed
website or service or do I have actual knowledge that I’m
collecting, using or disclosing personal information from a child
under 13?”
If you have any doubt, the smart bet is to assume COPPA applies
to you and read on.
5. 3) Do you collect personal information?
The general idea is that personal information is any information that
can be matched to a single person. Phone numbers and email
addresses are obvious examples, but it’s worth going through the
whole list to determine if you collect personal information, as the
definition has expanded.
6. 4) What information do you collect?
It’s time to compile an exhaustive list of all the
information you collect. Remember that feature you built,
but never used? Make sure it isn’t still collecting
information. Figuring out what you collect is perhaps the
most important part of your own COPPA audit. Leave no
stone unturned. After all, there’s still time to clean up your
act before July 1.
7. 5) What do you NEED to collect?
Now that you know what you collect, it’s time to understand why you collect it. It’s
useful to divide all the information you collect into two categories: information for
the support of internal operations (defined in §312.2) and information that is
disclosed to third parties.
If it’s for the support of internal operations (e.g. collecting data to optimize product
features) make sure you’re using the data and storing it securely. If you don’t use it,
stop collecting it.
If the information is disclosed to third parties, ask yourself why you’re disclosing
that data in the first place. In the general interest of protecting children’s privacy,
disclosure of this data should be carefully and rigorously scrutinized.
8. 6) Do you have a privacy policy?
The first step in effectively communicating with parents is to have a well-written
privacy policy. This can seem like a daunting task to non-lawyers, but there are
plenty of good resources to help you out. Here are a few tools to help you get
started:
We also recommend looking at the privacy policies of developers that
are doing similar work or offering similar services. What's more
important than perfect legalese is honesty and transparency.
9. 7) How are you going to provide notice of your
privacy practices?
Congratulations, you now have your very own
privacy policy! Now, how are you going to tell
parents about your data collection, use and
disclosure practices? The California Attorney
General provides some really good guidance in
Privacy on the Go: Recommendations for the
Mobile Ecosystem, and as always, reread the
Rule.
10. 8) Have you read the FAQ?
I’m willing to bet that you probably have questions at this
point. The good news is that you’re not alone. In May the FTC
released a set of FAQs to address the most common and
vexing questions they had received in the months since the
amended rule was released. The good news is that you’ll
probably find some clarification to your questions, but be
prepared to add some items to your to-do list as well.
11. 9) Have you considered getting a second opinion?
COPPA Safe Harbor Programs:
These FTC-approved safe harbor programs are an
attempt to provide businesses with the ability to
self-regulate when it comes to COPPA compliance.
12. 10) What’s next?
Developers are certainly not strangers to constant
product iterations and you should get used to
thinking of your privacy-related activities the same
way. Children’s privacy is very important, and if you
take your obligation seriously, it will require
constant refinement.
13. A Final Thought
Hopefully this 10-step guide is helpful in starting you on your
journey to COPPA compliance. This information is not meant
as legal advice, but it does accurately reflect a process that
we’ve used ourselves and that other developers have had
some success with too. If you have suggestions or care to
share your own experiences please leave a comment.