COPPA 2.0 compliance is just around the corner (July 1st, 2013). Whether your site is ready or not, you need to be asking, enquiring, and doing whatever you can to come up to par with the current regulations. There is a laundry list of provisions the FTC has put into place, and for its part, the FTC has offered reasonable responses and substantial time to comply.
Over the next week, Inversoft will supply shortened versions of the ‘Business and Parents and Small Entity Compliance Guide’.
Please remember, this is merely a simplified reference. For more detailed information, refer to the link at the bottom of this page.
Privacy Policies & Direct Notices to Parents
No. However, the FTC recommends that all Web sites/services directed to children post privacy policies online so visitors can easily learn about the operator’s information practices.
While the original Rule required operators to provide extensive categories of information in their online privacy notices, the amended Rule now takes a shorter, more streamlined approach... Under the amended Rule, the online notice must state the following three categories of information:
- Name, address, telephone number, and email address of all operators collecting or maintaining personal information through the site or service...
- Description of what information is collected from children, including whether the operator enables children to make their personal information publicly available, uses information, and the disclosure practices for such information.
- State the procedures in place and provide the ability for the parents to review, delete and refuse the further collection of their children's personal information.
No. The Rule requires that privacy policies must be “clearly and understandably written, complete, and must contain no unrelated, confusing, or contradictory materials.”
It depends. Examine your procedure for collecting information to determine whether you are collecting information that is (now) considered personal information under the Rule... you may be required to notify parents to get consent.
If multiple operators for the site/service collect information (including plug-ins), all names, addresses, phone numbers, and emails must be provided. However, only one designated operator is required to answer all inquiries regarding any and all operators.
The amended Rule defines “personal information” to include identifiers such as a customer number held in a cookie, an IP address, a processor or device serial number, or a unique device identifier that can be used to recognize a user over time and across different Web sites or online services, even where such identifier is not paired with other items of personal information.
The Commission explains that 'clear and prominent' means a link with a different font size, color, or background (make it stand out). It must be easily distinguishable from other links to meet the 'clear and prominent' criteria. As long as you meet these requirements, it will suffice.
If the application collects children's information the moment it is downloaded, notice is necessary to obtain verifiable consent at point of purchase or prior to download completion.
The Commission noted that “operators are free to combine the privacy policies into one document, as long as the link for the children’s policy takes visitors directly to the point in the document where the operator’s policies with respect to children are discussed, or it is clearly disclosed at the top of the notice that there is a specific section discussing the operator’s information practices with regard to children.”
11. I know that the amended Rule made some changes to the direct notice that must be sent to parents before I collect personal information from children. What are those changes?
There are four instances where a direct notice is required or appropriate under the Rule:
- Where an operator seeks to obtain a parent’s verifiable consent prior to the collection, use, or disclosure of a child’s personal information. In this case, the direct notice must:
  - State that the operator has collected the parent’s online contact information from the child, and, if such is the case, the name of the child or the parent, in order to obtain the parent’s consent;
  - State that the parent’s consent is required for the collection, use, or disclosure of such information...
  - Set forth the additional items of personal information the operator intends to collect from the child...
  - Provide the means by which the parent can provide verifiable consent to the collection, use, and disclosure of the information
  - State that if the parent does not provide consent within a reasonable time from the date the direct notice was sent, the operator will delete the parent’s online contact information from its records.
- Where an operator voluntarily seeks to provide notice to a parent of a child’s online activities that do not involve the collection, use or disclosure of personal information. In this case, the direct notice must:
  - State that the operator has collected the parent’s online contact information from the child in order to provide notice to, and subsequently update the parent about, a child’s participation...
  - State that the parent’s online contact information will not be used or disclosed for any other purpose
  - State that the parent may refuse to permit the child’s participation in the Web site or online service and may require the deletion of the parent’s online contact information, and how the parent can do so
  - Provide a hyperlink to the operator’s online notice of its information practices.
- Where an operator intends to communicate with the child multiple times via the child’s online contact information and collects no other information. In this case, the direct notice must:
  - State that the operator has collected the child’s online contact information from the child in order to provide multiple online communications to the child
  - State that the operator has collected the parent’s online contact information from the child in order to notify the parent that the child has registered to receive multiple online communications from the operator
  - State that the online contact information collected from the child will not be used for any other purpose, disclosed, or combined with any other information collected from the child;
  - State that the parent may refuse to permit further contact with the child and require the deletion of the parent’s and child’s online contact information, and how the parent can do so;
  - State that if the parent fails to respond to this direct notice, the operator may use the online contact information collected from the child for the purpose stated in the direct notice; and
  - Provide a hyperlink to the operator’s online notice of its information practices
- Where the operator’s purpose for collecting a child’s and a parent’s name and online contact information is to protect a child’s safety and the information is not used or disclosed for any other purpose. In this case, the direct notice must:
  - State that the operator has collected the name and the online contact information of the child and the parent in order to protect the safety of a child
  - State that the information will not be used or disclosed for any purpose unrelated to the child’s safety
  - State that the parent may refuse to permit the use, and require the deletion, of the information collected, and how the parent can do so
  - State that if the parent fails to respond to this direct notice, the operator may use the information for the purpose stated in the direct notice
  - Provide a hyperlink to the operator’s online notice of its information practices
No. The intention of the changes made to the Rule is to help ensure that the direct notice functions as an effective “just-in-time” message to parents about an operator’s information practices, while also directing parents online to view any additional information contained in the operator’s online notice.
13. I have an app directed to children. At what point in the download process should I send parents my direct notice?
Send parents the direct notice prior to the collection of any personal information from the child. The exception is collecting the parent's online contact information in order to send the parent the direct notice.
Other means of notice: through the app itself, by providing a notice of collection to obtain the parent's consent in a way that 'reasonably' ensures delivery of the notification to the parent.
For more information on Privacy Policies & Parental Notification click here.