COPPA Compliance: Safe Harbor

Sean Bryant

Inversoft has provided a shortened version of the ‘Business and Parents and Small Entity Compliance Guide’.

Safe Harbor

 

1. How can I qualify as a Commission-approved COPPA safe harbor program?

An industry member or other person must submit 'self-regulatory' guidelines to the FTC for approval. The Commission is required to publish the safe harbor application in the Federal Register for public comment, and then to issue a written determination on the application within 180 days of filing.

COPPA safe harbor applications must contain:

  • The applicant's business model and the technological capabilities and tools it will use to assess member operators' information collection practices
  • A copy of the full text of the safe harbor program’s guidelines and any accompanying commentary
  • A comparison of each program guideline with each corresponding Rule provision and a statement of how each guideline meets the Rule’s requirements
  • A statement of how the assessment mechanisms and disciplinary consequences provide effective COPPA enforcement.


COPPA Compliance: Limit Information Collection

Sean Bryant

Inversoft has provided a shortened version of the ‘Business and Parents and Small Entity Compliance Guide’.

Information Collection

1. If I operate a social networking service and a parent revokes her consent to my maintaining personal information collected from the child, can I deny that child access to my service?

Yes.

2. I know that the Rule says I cannot condition a child’s participation in a game or prize offering on the child’s disclosing more information than is reasonably necessary to participate in those activities. Does this limitation apply to other online activities?

Yes. The Rule covers games, prize offerings and "another activity". Examine carefully how you collect information in every activity, and minimize it to what is "reasonably" necessary.

 

For more information on COPPA FAQs and COPPA Schools click here.


COPPA: Disclosure of Information to Third Parties

Sean Bryant

Inversoft has provided a shortened version of the ‘Business and Parents and Small Entity Compliance Guide’.

Third parties

1. If I want to share children’s personal information with a service provider or a third party, how should I evaluate whether the security measures that entity has in place are “reasonable” under the Rule?

You need to determine what data practices the third parties have in place for maintaining the confidentiality of that data, and what security is in place to prevent unwanted exposure or access to personal information.

How your users' data is used by the third party or service provider needs to be thoroughly defined and addressed by contractual agreement.

It is important to check on the third party periodically to confirm that it is maintaining the confidentiality and security of your users' personal information.

2. If a third party discovers that it has been collecting information via a child-directed service, what are its obligations regarding information it has already collected?

It must comply with COPPA by:

  • Stopping the collection of any personal information
  • Deleting all relevant information on users and closing their accounts; or
  • Taking all information offline and taking the necessary steps the Rule requires for parental notification and consent
  • If immediate consent is not obtained from the parent, the information must be deleted and the account closed

 

For more information on COPPA FAQs click here.


COPPA Compliance: Parental Access to Child's Information

Sean Bryant

Inversoft has provided a shortened version of the ‘Business and Parents and Small Entity Compliance Guide’.

Child's information

1. Do I have to keep all information I have ever collected online from a child in case a parent may want to see it in the future?

No. If the child's information was deleted prior to the parent's inquiry, a simple reply, "the information has been deleted and no longer exists", will suffice.

2. What if, despite my most careful efforts, I mistakenly give out a child’s personal information to someone who is not that child’s parent or guardian?

Although the Rule requires the operator to ensure that the person requesting the child's information is the parent, if reasonable steps and procedures are taken, the operator will not be held liable under federal or state law.

 

More details on COPPA FAQs can be found here.


COPPA FAQs: Verifiable Parental Consent

Sean Bryant

Inversoft has provided a shortened version of the ‘Business and Parents and Small Entity Compliance Guide’.

Please remember, this is merely a simplified reference. For more detailed information refer to the link at the bottom of this page.

Verifiable Parental Consent

Verifiable Parental Consent (1 - 8)

 

1. When do I have to get verifiable parental consent?

The operator must obtain verifiable parental consent before any personal information from a child is collected.

Read on for exceptions.

2. May I first collect personal information from the child, and then get parental permission to such collection if I do not use the child’s information before getting the parent’s consent?

Operators must get verifiable consent prior to the collection of a child's personal information.

Limited Exceptions to certain personal information:
