QUESTION
We
were recently cited for not having our website COPPA compliant. We offered our
customers a chance to start a savings plan for their children’s college
education and the children would be given access to see how their savings plan
was growing. We are trying to do a review for COPPA compliance, but it seems to
be somewhat of a daunting task. What are some of the COPPA requirements that we
should be considering?
ANSWER
Compliance
with the Children’s Online Privacy Protection Act (COPPA) can be challenging.
Although you can conduct a website compliance review on your own, be careful, because there are a
host of regulations that apply, of which COPPA is but one.
If you want a quick and cost-effective website compliance review, I suggest you contact us for a Website Tune-up!™ You will get the kind of diagnostics that let you make the updates you need to ensure compliance.
All
institutions that operate websites (or even web pages) designed for use by
children should be aware that the Federal Trade Commission adopted regulations
to implement COPPA requirements. [15 USC § 6501 et seq.; 16 CFR Part 312. COPPA
provides that the federal banking agencies are responsible for implementing its
provisions regarding financial institutions. See 15 USC § 6505(b)]
You
may be thinking COPPA does not apply to you, since you are a financial
institution. But when you publish your website children may also have access to
it. There’s a reason why certain disclosures qualify the applicant by affirming
that he or she is eighteen years of age or older. A financial institution does
not usually operate a website directed at children for financial purposes;
however, COPPA requires website operators, including banks and other financial
institutions, to comply with the regulations adopted by the FTC to implement
COPPA, but leaves enforcement up to the federal banking regulators.
Operators
of websites or online services directed to children or operators who have
actual knowledge that the person from whom they seek information is a child must:
- Post prominent links on their websites to a notice of how they collect, use, and/or disclose personal information from children.
- With certain exceptions, notify parents that they wish to collect information from their children and obtain parental consent before collecting, using, and/or disclosing the information.
- Not condition a child’s participation in online activities on the provision of more personal information than is reasonably necessary to participate in the activity.
- Allow parents the opportunity to review and/or have their children’s information deleted from the operator’s database and to prohibit further collection from the child.
- Establish procedures to protect the confidentiality, security, and integrity of personal information they collect from children.
The
rules focus on operators of websites or online services specifically directed
at children, but they also reach operators of general audience websites (in
other words, non-child-directed sites). A
website is not considered directed at children simply because it refers or
links to other websites or online service(s) directed to children. [64 Federal
Register 59893 (11/3/99)]
Nevertheless,
operators of general audience websites are liable for violating the COPPA rules
only if they:
- Have actual knowledge that postings are being made by children under 13, or
- Fail to delete any personal information before it is made public and also fail to delete it from their records.
If a
general audience website has a distinct children’s “portion” or “area,” then
the operator is required to provide the protections of the FTC regulation for
visitors to that portion of the site. The rule allows general audience websites
with children’s areas to post the required link to the children’s privacy
policy at the home page of the children’s area rather than the home page of the
overall site. [Idem at 59894]
There
are a host of rules involving COPPA. For instance, operators of child-directed
sites must give notice and obtain parental consent in order to give a child an
email account. Operators of general audience sites would only be required to
provide notice and obtain parental consent if registration or other information
reveals the person seeking the email account is a child.
In
August 2009, the Office of the Comptroller of the Currency (OCC) revised its
Comptroller’s Manual to include COPPA procedures that previously had appeared
only in banking bulletins. So, expect regulators to be including COPPA
compliance in regulatory examinations. The Controller’s Manual explains that
the regulation requires an operator of a website or online service directed to
a child, or any operator who has actual knowledge that it is collecting or
maintaining personal information from a child, to:
- Provide a clear, complete, and understandably written notice to the parent and on the website or online service of their information collection practices with regard to children, describing how the operator collects, uses, and discloses the information.
- Obtain, through reasonable efforts and with limited exceptions, verifiable parental consent prior to the collection, use, or disclosure of personal information from children.
- Provide a parent, upon request, with the means to review and have deleted the personal information collected from his or her child and to refuse to permit its further use or maintenance.
- Limit collection of personal information for a child’s online participation in a game, prize offer, or other activity to information reasonably necessary for the activity.
- Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected from children.
Jonathan
Foxx
Managing
Director
Lenders
Compliance Group
