In light of the recent COPPA (Children's Online Privacy Protection Act) violations and some hefty fines being doled out by the FTC (see our resources at the end of this post for links to the violations), we put together a list of 7 ways to be more COPPA compliant.
1. Collect as Little Information as Possible
The simplest way to be more COPPA compliant is not to collect personally identifiable information (PII) from your users. If you are collecting this type of information, ask yourself why. If the answer to that question isn't vital to your business, stop collecting the information. It’s easy to fall into the trap of collecting information for no other reason than having it.
One place you might have overlooked where you could be collecting PII is blog comments. Some blog software requires users to give their name and email addresses to post a comment. If you want to allow users to comment on blogs, make sure they can do so without sharing their information.
Another place to look is online features. If you require that users register in order to provide online features like saved games, settings and preferences, ask yourself if a simple username and password is sufficient. If you don't need additional information from the user, don't collect it.
2. Ask for the Age First
If users must register for your website, game, or community, you must determine their age first. Asking "are you under 13" with a yes or no answer isn't sufficient. You must ask for the user’s age in such a manner that they are more inclined to answer truthfully.
In most cases, it is simplest to ask the user for their birthday (month and day, not the year) and their age. You might ask them this after they have started creating their character or while they are selecting a username. Asking for their age while they are busy with something else increases your chances of getting a truthful answer.
You might be wondering why you need to know their age. If the user is under 13, you will need to get permission from a parent before collecting any more information from them, which we cover next.
3. Get Parental Consent: Email Plus
Once you have determined that the user is under 13, you must obtain parental consent before asking for any other information (if you absolutely need it). Currently, the best way to ask for parental consent is through a process called "Email Plus". The “Email Plus” process is sufficient if you are using the information for internal use only. This means that you can’t share PII with 3rd parties, which includes other users in the community.
Email Plus is a relatively simple process of 5 steps:
- Ask the child for their parent’s email address
- Create an account for the parent and associate it with the child's account
- Get the parent's consent
- Activate the child's account
- At some later time (12-24 hours), send another email to the parent letting them know they created an account and gave their consent.
The key here is the last step: sending a second email to the parent later. The second email allows for the possibility that the child was watching the parent's email during the sign-up process but might not be able to later. The parent will get the second email and be able to shut off the child's account if they did not actually give their consent.
Email Plus is a tricky rule, which has been debated at length. Email Plus is still part of the recent COPPA updates although it is only allowed when the child’s information is used for internal purposes only. Many believe that Email Plus is not sufficient because kids can easily create a fake email address and use that to activate their account rather than using their parent's actual email address. While these concerns are valid, Email Plus is still the simplest method for parental consent, but is no longer allowed if you plan to share any PII with 3rd parties.
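The five Email Plus steps above, modelled as an in-memory account flow. This is an added example and not Inversoft's code or any product's API: every class, function, token scheme and e-mail text is an assumption for illustration, the "outbox" stands in for a mail service so it runs offline, and it assumes the age gate from step 2 has already flagged the user as under 13. Only a username is collected up front; nothing else is asked for until the parent's consent token comes back, and the delayed second notice carries a separate revocation token so the parent can shut the account off.

```python
# Added example (not Inversoft's code): an in-memory model of the Email Plus
# consent flow. Names, tokens and e-mail wording are assumptions for
# illustration; a real system would persist these records and hand the
# outbox to a mail service.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import secrets

FOLLOW_UP_DELAY = timedelta(hours=12)  # the post suggests 12-24 hours later


@dataclass
class Outbox:
    """Stand-in for an e-mail service; messages are just kept in a list."""
    sent: List[dict] = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append({"to": to, "subject": subject, "body": body})


@dataclass
class ChildAccount:
    username: str                          # the only thing collected up front
    status: str = "pending"                # pending -> active -> revoked
    parent_email: Optional[str] = None
    consent_token: Optional[str] = None    # unguessable, single-use link token
    revoke_token: Optional[str] = None     # issued at consent, used by step 5
    follow_up_due: Optional[datetime] = None
    follow_up_sent: bool = False


@dataclass
class ParentAccount:
    email: str
    children: List[str] = field(default_factory=list)


def request_consent(child: ChildAccount, parent_email: str,
                    parents: Dict[str, ParentAccount], outbox: Outbox) -> ParentAccount:
    """Steps 1-2: store the parent's e-mail, create or reuse the parent account,
    link the child to it and send the consent request. Nothing else is collected."""
    parent = parents.setdefault(parent_email, ParentAccount(email=parent_email))
    parent.children.append(child.username)
    child.parent_email = parent_email
    child.consent_token = secrets.token_urlsafe(32)
    outbox.send(parent_email, "Consent needed for a child's account",
                f"Your child requested the account '{child.username}'. "
                f"Confirm with token {child.consent_token}")
    return parent


def record_consent(child: ChildAccount, token: str, now: datetime) -> bool:
    """Steps 3-4: the parent follows the link. On a matching token the child's
    account is activated, the consent token is burned, a revocation token is
    issued and the delayed second notice is scheduled."""
    if child.status != "pending" or child.consent_token is None:
        return False
    if not secrets.compare_digest(child.consent_token, token):
        return False
    child.status = "active"
    child.consent_token = None
    child.revoke_token = secrets.token_urlsafe(32)
    child.follow_up_due = now + FOLLOW_UP_DELAY
    return True


def send_due_follow_ups(children: List[ChildAccount], outbox: Outbox, now: datetime) -> int:
    """Step 5: run periodically from a scheduler. Sends the second e-mail once for
    every activated account whose delay has elapsed; returns how many were sent."""
    count = 0
    for child in children:
        if (child.status == "active" and not child.follow_up_sent
                and child.follow_up_due is not None and child.follow_up_due <= now):
            outbox.send(child.parent_email, "Reminder: you approved a child's account",
                        f"The account '{child.username}' is active. If you did not "
                        f"give consent, revoke it with token {child.revoke_token}")
            child.follow_up_sent = True
            count += 1
    return count


def revoke_consent(child: ChildAccount, token: str) -> bool:
    """The parent's escape hatch from the second e-mail: a matching token shuts
    the account off (a real system would also purge the PII it holds)."""
    if child.revoke_token is None or not secrets.compare_digest(child.revoke_token, token):
        return False
    child.status = "revoked"
    child.revoke_token = None
    return True


def run_scenario() -> dict:
    """Walks one constructed account through the whole flow and reports what happened."""
    outbox, parents = Outbox(), {}
    child = ChildAccount(username="dragon_slayer")      # constructed sample data
    t0 = datetime(2024, 1, 1, 9, 0)
    request_consent(child, "parent@example.test", parents, outbox)
    link_token = child.consent_token                    # what the first e-mail carries
    guessed = record_consent(child, "guess", t0)        # a wrong token must fail
    consented = record_consent(child, link_token, t0)
    early = send_due_follow_ups([child], outbox, t0 + timedelta(hours=1))
    later = send_due_follow_ups([child], outbox, t0 + timedelta(hours=13))
    again = send_due_follow_ups([child], outbox, t0 + timedelta(hours=14))
    revoked = revoke_consent(child, child.revoke_token)
    return {"guessed": guessed, "consented": consented, "early": early,
            "later": later, "again": again, "revoked": revoked,
            "status": child.status, "emails": len(outbox.sent),
            "children_of_parent": parents["parent@example.test"].children}


if __name__ == "__main__":
    print(run_scenario())
```

Two design points are worth keeping when adapting this: tokens are compared with `secrets.compare_digest` and burned after use, so a leaked or replayed consent link cannot re-activate an account, and the second e-mail is driven by a stored due time rather than a sleep, so it survives a restart of whatever scheduler runs `send_due_follow_ups`.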
5. Don't Share Info with 3rd Parties Unless You Have To
Don't share any PII of your users with anyone unless it is absolutely necessary. You should perform an audit of all your vendors and ensure they don't have access to any PII. It is also a good idea to prefer on-premise software whenever possible. On-premise software runs on your servers and generally means that user PII is not sent to 3rd parties.
6. Know Where Your Data Is
You should know where all of your user data is at all times. COPPA requires that parents are given the ability to delete their child's information at any point. You should ensure that you can quickly delete user data from all locations including backups and 3rd parties you are sharing it with.
7. If You are Going to Have Community, Filter and Moderate It
Although COPPA has provisions to prevent users from sharing PII on forums and in chat, they are not heavily enforced. You should still make every effort to ensure that your users are not sharing their PII with each other in your community. Inversoft recommends using a combination of filters and human moderators to ensure that PII is kept private. Filtering and moderating your community also has the benefit of preventing inappropriate behavior and promoting a clean environment for kids. As an added bonus, partnering with a company that provides quality moderation services can give you deep insight and valuable information about your community, and a solid process to manage it.
Resources:
- COPPA 2012 Update: Children's Online Protection Rule
- Path Fines: FTC Fines 'Path' Social Networking App
- Artist Arena Fines: FTC Fines Children's Fan Site $1 Million
- RockYou Fines: FTC Fines RockYou $250k