People now have unlimited access to knowledge thanks to the Internet, but this ease comes with a cost. Children can be harmed by the usage of content available on the Internet, whether intentionally or unintentionally. Users under the age of 18 may be exposed to offensive or violent photos or videos, as well as becoming victims of cyberbullying. COPPA and CIPA were created to safeguard children from unsuitable and objectionable things discovered on the Internet. While both legislations have reasonable goals, they also have certain tough components that make compliance difficult. In this article, we will deal with what are the difficulties companies can face while advertising and marketing because of COPPA and how can they deal with them
What is COPPA?
COPPA takes into account the dynamic features of the Internet and aims to protect children under the age of 13. The Federal Trade Commission’s (FTC) website states that “The primary goal of COPPA is to place parents in control over what information is collected from their young children online.” As per FTC’s website the rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using or disclosing personal information from children under 13.
So, in a nutshell, COPPA forbids website operators from collecting any personal information from any child under the age of 13 without explicit parental permission. Personal information can include things as simple as names and addresses or even more complex identifiers such as geolocation identifiers, pictures or audio files, where such files contain the child’s voice.
It is also because of COPPA that many popular websites, including Facebook, do not allow users under the age of 13 because managing data with COPPA is a slippery slope where even seasoned website operators have found themselves on the wrong side of the law and were held liable by the Federal Trade Commission.
For example, Google and YouTube Will Pay Record $170 Million for Alleged Violations of Children’s Privacy Laws, According to Reports of the FTC.
What do the features of COPPA mean for advertisers?
These measures shouldn’t have much of an impact on your business if your organization
- Isn’t delivering advertising on sites targeted towards children.
2.Doesn’t have “real” knowledge that it is collecting information from minors.
If your company, on the other hand,
1. sells adverts on children’s websites
2. is aware that it is collecting information about minors, you should rethink your privacy policies.
How do you know if you need to comply and what steps do you take to ensure you are compliant with the law?
The FTC has a “Six-Step Compliance Plan” that is recommended by it for any business to help ease out their compliance and they are as given below:
Step 1: Determining if Your Company needs to comply
COPPA doesn’t apply to everyone operating a website or other online service. COPPA applies to operators of websites and online services that collect personal information from kids under 13.
This can be determined if one of the following is true:
- Your website or online service is directed to children under 13 and you collect personal information from them.
- Your website or online service is directed to children under 13 and you let others collect personal information from them.
- Your website or online service is directed to a general audience, but you have actual knowledge that you collect personal information from children under 13.
- Your company runs an ad network or plug-in, for example, and has actual knowledge that you collect personal information from users of a website or service directed to children under 13.
It must indicate how personal data collected online from children under the age of 13 is handled in a transparent and complete manner. The notice must detail not only your policies but also those of any third parties who collect personal information on your site or service, such as plug-ins or ad networks.
A list of all operators collecting personal information, an explanation of the personal information and how it is used, and a statement of parental rights must also be included.
Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids
Websites must ensure they notify the parents about the data collection and such notice should be clear and easy to read. It shouldn’t include any unrelated or confusing information. The notice must tell parents:
- That you collected their online contact information for the purpose of getting their consent.
- That you want to collect personal information from their child.
- That their consent is required for the collection, use, and disclosure of the information.
- The specific personal information you want to collect and how it might be disclosed to others.
- How the parent can give their consent.
- Incases if the parent doesn’t consent within a reasonable time, you’ll delete the parent’s online contact information from your records.
Step 4: Get Parents’ Verifiable Consent Before Collecting Information from Their Kids
You must receive the parent’s consent but that doesn’t end it, you also need not make sure that such consent is authentic. This can be done by:
- Sign a consent form and send it back to you via fax, mail, or electronic scan
- Use a credit card, debit card, or other online payment systems that provide notification of each separate transaction to the account holder
- Call a toll-free number staffed by trained personnel
- Connect to trained personnel via a video conference
- Provide a copy of a form of government-issued ID that you check against a database, as long as you delete the identification from your records when you finish the verification process.
Step 5: Honor Parents’ Ongoing Rights with Respect to Information Collected from Their Kids
If a parent asks, you must:
- Allow them to review the personal information collected from their child
- Allow them to revoke their consent and refuse the further use or collection of personal information from their child
- Delete their child’s personal information.
Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information
These procedures are a matter of the internal functioning of a website or a company. Therefore like any other regulatory compliance, which requires you to implement reasonable procedures that will be followed normally, you must also ensure you have a reasonable procedure to follow while collecting and storing the personal information of children under 13.
What else can advertisers do?
There is a lot you can do and still remain COPPA compliant. Here are a few things to keep in mind.
- Contextual advertising is still compliant: Behavioural advertising that tracks particular users overtime is not allowed without parental consent, but contextual advertising based on content is still legal.
- The use of persistent identifiers is fine so long as they are used solely for internal operations (including the delivery of contextual ads). Just don’t track kids across different websites without parental consent.
This certainly might give you the impression irrespective of the scale of your operation that the FTC wants to put you out of business. But no, the rules are loaded with meaningful exceptions. When you really dig deep, you’ll find these rules aren’t vastly different from the previous COPPA regulations. The amendments that were made were done to make the Internet safer for children.
Even still, it’s a great opportunity to review your current practices to ensure compliance and add value to your company.