TOPICS

Friday, April 26, 2019

Protecting Children’s Online Privacy

QUESTION
We were recently cited for not having our website COPPA compliant. We offered our customers a chance to start a savings plan for their children’s college education and the children would be given access to see how their savings plan was growing. We are trying to do a review for COPPA compliance, but it seems to be somewhat of a daunting task. What are some of the COPPA requirements that we should be considering?

ANSWER
Compliance with the Children’s Online Privacy Protection Act (COPPA) can be challenging. Although you can conduct a website compliance review on your own, be careful, because there are a host of regulations that apply, of which COPPA is but one.

If you want a quick and cost-effective website compliance review, I suggest you contact us for a Website Tune-up! You will get the kind of diagnostics that let you make the updates you need to ensure compliance.

All institutions that operate websites (or even web pages) designed for use by children should be aware that the Federal Trade Commission adopted regulations to implement COPPA requirements. [15 USC § 6501 et seq.; 16 CFR Part 312. COPPA provides that the federal banking agencies are responsible for implementing its provisions regarding financial institutions. See 15 USC § 6505(b)]

You may be thinking COPPA does not apply to you, since you are a financial institution. But when you publish your website children may also have access to it. There’s a reason why certain disclosures qualify the applicant by affirming that he or she is eighteen years of age or older. A financial institution does not usually operate a website directed at children for financial purposes; however, COPPA requires website operators, including banks and other financial institutions, to comply with the regulations adopted by the FTC to implement COPPA, but leaves enforcement up to the federal banking regulators.

Operators of websites or online services directed to children or operators who have actual knowledge that the person from whom they seek information is a child must: 
  • Post prominent links on their websites to a notice of how they collect, use, and/or disclose personal information from children.
  • With certain exceptions, notify parents that they wish to collect information from their children and obtain parental consent before collecting, using, and/or disclosing the information.
  • Not condition a child’s participation in online activities on the provision of more personal information than is reasonably necessary to participate in the activity.
  • Allow parents the opportunity to review and/or have their children’s information deleted from the operator’s database and to prohibit further collection from the child.
  • Establish procedures to protect the confidentiality, security, and integrity of personal information they collect from children.

The rules focus on operators of websites or online services specifically directed at children, but they also reach operators of general audience websites (in other words, non-child-directed sites). A website is not considered directed at children simply because it refers or links to other websites or online service(s) directed to children. [64 Federal Register 59893 (11/3/99)]

Nevertheless, operators of general audience websites are liable for violating the COPPA rules only if they: 
  • Have actual knowledge that postings are being made by children under 13, or
  • Fail to delete any personal information before it is made public and also fail to delete it from their records.

If a general audience website has a distinct children’s “portion” or “area,” then the operator is required to provide the protections of the FTC regulation for visitors to that portion of the site. The rule allows general audience websites with children’s areas to post the required link to the children’s privacy policy at the home page of the children’s area rather than the home page of the overall site. [Idem at 59894]

There are a host of rules involving COPPA. For instance, operators of child-directed sites must give notice and obtain parental consent in order to give a child an email account. Operators of general audience sites would only be required to provide notice and obtain parental consent if registration or other information reveals the person seeking the email account is a child.

In August 2009, the Office of the Comptroller of the Currency (OCC) revised its Comptroller’s Manual to include COPPA procedures that previously had appeared only in banking bulletins. So, expect regulators to be including COPPA compliance in regulatory examinations. The Controller’s Manual explains that the regulation requires an operator of a website or online service directed to a child, or any operator who has actual knowledge that it is collecting or maintaining personal information from a child, to: 
  • Provide a clear, complete, and understandably written notice to the parent and on the website or online service of their information collection practices with regard to children, describing how the operator collects, uses, and discloses the information.
  • Obtain, through reasonable efforts and with limited exceptions, verifiable parental consent prior to the collection, use, or disclosure of personal information from children.
  • Provide a parent, upon request, with the means to review and have deleted the personal information collected from his or her child and to refuse to permit its further use or maintenance.
  • Limit collection of personal information for a child’s online participation in a game, prize offer, or other activity to information reasonably necessary for the activity.
  • Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected from children.

Jonathan Foxx
Managing Director
Lenders Compliance Group