QUESTION
We were just cited by our regulator for violations of COPPA. The violation stemmed from our online website, which we use for originating mortgages. Really, we were not even aware that this was a problem! I see from your website that you do website reviews and you probably would have picked up on the COPPA violation. Please tell us, what is COPPA? Also, what are some requirements?
ANSWER
“COPPA” stands for Children’s Online Privacy Protection Act. It regulates websites that collect personal information from children under the age of thirteen. COPPA is monitored through the Federal Trade Commission’s regulations. [15 USC § 6501, et sequi; 16 CFR Part 312]
The purpose of COPPA is to increase privacy protection for children’s information obtained online. Subject websites must post privacy notices and adopt procedures to protect the confidentiality and security of the information. There is an element of parental control, too, in that COPPA provides that parents should have control over what kinds of information websites can collect from their children. It follows then, that any website that targets children under age thirteen or, for that matter, any general website that collects personal information from children under age thirteen, is required to comply with COPPA. [15 USC § 6501(1); 16 CFR § 312.2]
Examples of personal information are a child’s name, address, email address, telephone number, Social Security number, or other identifying information. [15 USC § 6501(8)]
One overlooked item often involves getting parental consent, which must be “verifiable” parental consent. This means that a website operator must take steps before personal information is collected from a child under the age of thirteen, such as notifying the parent of the operator’s’ information practices and obtaining the parent’s consent to those practices.
Requirements involving the collecting of personal information from children include (1) providing privacy notices, and (2) obtaining verifiable parental consent before collecting, using or disclosing children’s personal information (with some exceptions).
With respect to the privacy notice, it must state the types of information collected from children under the age of thirteen, how the information is used, and the website operator’s information disclosure procedures pertaining to the website. [15 USC § 6502(b)(1)(A)] If a parent requests, the operator must inform the parents of the information collected from the child and give the parents the opportunity to refuse additional collection of the child’s information. [See Industry and Financial Markets Association v Garfield, 469 F. Supplement 2nd 25 (D. CT); also, 15 USC § 6502(b)(1)(B)]
Your best bet is to have your website fully reviewed by competent risk management professionals, such as Lenders Compliance Group. Website compliance is a critical review component of mortgage banking. The exposure of a bank or nonbank to legal and regulatory violations due to website violations is very high and the website needs great care in structure, disclosure, and use in order to reduce such risks.
Jonathan Foxx
Managing Director
Lenders Compliance Group
