COPPA 2.0 compliance is here. Whether your site is ready or not, you need to be asking, enquiring, and doing whatever you can to come up to par with the current regulations. There is a laundry list of provision’s the FTC has put in to place and it’s time to comply.
Inversoft has provided a shortened version of the ‘Business and Parents and Small Entity Compliance Guide’.
Please remember, this is merely a simplified reference. For more detailed information refer to the link at the bottom of this page.
1. Am I responsible if children lie about their age during the registration process on my general audience Web site?
The Rule does not require operators of a general audience to investigate the age of visitors to their site/service.
"However, operators will be held to have acquired 'actual knowledge' of having collected personal information from a child where, for example, they later learn of a child’s age or grade from a concerned parent who has learned that his child is participating on the site or service."
2. I have an online service that is intended for teenagers. How does COPPA affect me?
Although you may intend to operate a “teen service,” in reality, your site may attract a substantial number of children under 13, and thus may be considered to be a “Web site or online service directed to children” under the Rule.
Always consider the subject matter the site/service provides. If the content targets children as one of its audience but is not intended as it's primary - the site/service is "directed to children."
Just as the Commission considers several factors in determining whether a site or service is directed to children, you too should consider your service’s subject matter, visual content, character choices, music, and language, among other things. If your service targets children as one of its audiences – even if children are not the primary audience – then your service is “directed to children.”
The amended Rule allows you to age screen in order for COPPA to protect those who indicate they are under 13. This does not mean you can block 13 and under but rather provide the proper actions necessary under COPPA:
- Collect parents’ online contact information to provide direct notice in order to obtain parents’ consent to your information collection, use and disclosure practices; or
- Direct child visitors to content that does not involve the collection, use, or disclosure of personal information.
3. Can I block children under 13 from my general audience Web site or online service?
Yes, but you may not block children 13 and under from a child directed site/service.
If you choose to block children under 13 on your general audience site or service, you should take care to design your age screen in a manner that does not encourage children to falsify their ages to gain access to your site or service...
In designing a neutral age-screening mechanism, you should consider:
- Making sure the data entry point allows users to enter their age accurately. An example - freely enter month, day, and year of birth.
- A site that includes a drop-down menu that only permits users to enter birth years making them 13 or older, would not be considered a neutral age-screening mechanism since children cannot enter their correct ages on that site.
- Avoid stating that visitors under 13 may not engage with others/site there is the possibility of age falsification...
FTC recommends using a cookie to keep children from 'back-buttoning' in hopes of resubmitting a different age.
If you ask for users to enter age information, and then fail to screen or prevent further age submissions by those under 13 you are liable under COPPA.
4. I operate a general audience gaming site and do not ask visitors to reveal their ages. I do permit users to submit feedback, comments, or questions by email. What are my responsibilities if I receive a request for an email response from a player who indicates that he is under age 13?
Under the Rule’s one-time response exception (16 C.F.R. § 312.5(c)(3)) you are permitted to send a response to the child, via the child’s online contact information, without sending notice to the parent or obtaining parental consent.
- You must delete the child's online contact information from your records after the response. No other correspondence may be sent after the initial (one time) response.
- If you choose not to respond you must delete the child's contact information.
5. I operate a general audience online service and do not ask visitors to reveal their ages. However, I do permit users to create their own blog pages, and my service has a number of online forums.
(a) What happens if a child registers on my service and posts personal information (e.g., on a comments page) but does not reveal his age anywhere?
If a child posts personal information on a general audience site or service but does not reveal his age, and if the operator has no other information that would lead it to know that the visitor is a child, then the operator would not be deemed to have acquired “actual knowledge” under the Rule and would not be subject to the Rule’s requirements.
(b) What happens if a child posts in a forum and announces her age?
If the post goes unnoticed by those within your organization, the Rule does not apply.
However, actual knowledge may take place if attention is brought to the post via monitoring, a member alerts you or a concerned parent who becomes aware of their child's engagement on the site/service.
For more detailed information on how COPPA applies to General Audiences, Teen, and Mixed Audiences Sites/Services click here.