New case study: Children's Miracle Network Hospitals

COPPA 2.0: Determining Identity

Over the next few weeks, we aim to share a few blog posts breaking down the recent amendments to current legislation – referred to as COPPA 2.0 – for anyone that’s a parent, an operator, a publisher, or has general interest in COPPA legislation, and the update’s after-effects.

Welcome to 2013, THE year of change for any business targeting kids & families with online experiences.

imgres-1Izzy’s recycled COPPA elevator pitch: If you are a website aimed at children under 13 (0 to 12 to be precise), you cannot collect ANY personally identifiable information from a child/ children without verified permission from an adult (verified by faxed signature, credit card, social security).

COPPA was created to protect children under 13 years of age from Marketers until a parent could give approval for data collection or contact.  Let me repeat that: created to protect children under 13 from Marketers until a verified adult (hopefully a parent) gives approval for data collection or contact.  It is imperative this point be made (I’ll explain in a bit).

For the last 2+ years, “COPPA” (aka Children’s Online Privacy Protection Act) has been under the FTC microscope.  Why?  Because of the question: Does COPPA do what COPPA is supposed to do?  Can a piece of legislation created in 1997 still hold up in the drastically altered digital environment of 2013?

The FTC has made efforts to round up Site Operators, Marketers, Media Specialists, Privacy Lobbiests, Online Safety Experts, Entertainment & Toy/Licensing companies, and those interested in Child and Family Rights.  They’ve listened to opinions, concerns, and comments with the goal of understanding this particularly sensitive piece of legislation.

Why is it considered sensitive? Aside from the fact we’re talking about “children” here… it’s because this legislation touches these concepts:

  • Privacy rights for identify and children,
  • Privacy rights versus freedom of speech,
  • Social restrictions for social children,
  • Falsified age gates or faux parent approval,
  • Parent Involvement (overzealous parents are loud and opinionated, but non-participatory parents are plentiful and unengaged),
  • High operation costs for highly regulated sites,
  • Kids are encouraged to play in adult sites because they’re easier to access,
  • Mobile vs Web,
  • Legit adult verification processes (and verification ease, or lack there of),
  • Targeting audiences (kids vs family vs general),
  • Parenting a digital generation & identity education,
  • Trackable data,
  • Fear-mongering and the competitive “black watch,”
  • Appropriate content/behavior vs Identity protection,
  • Public-protection for & from identity (ala avoiding cyberbullying),
  • DEFINITION OF IDENTITY

For so long, people have been pulling and stretching at COPPA to cover so many areas of “child safety” – beyond just marketers and data collection.  For as much as we all want the best for children online, being the “black watch” over the industry to regulate “good practices” and digital-community-parenting was not the intention of the law.

imgres-1COPPA was not created to stop a child from playing a game, or to restrict a child from talking to another person, and it was not created to block inappropriate content exposure or contact.  COPPA was purely created to ensure that companies could not collect personally identifiable information from a child without an adult’s (preferably a parent) permission.

From 1997 – July 2013, Personally Identifiable Information (or “PII”) was listed as:

  • First and last name;
  • A home address that includes a street name and a city or town;
  • Email Address;
  • A telephone number; or
  • A social security number.

Relatively straight forward.  Initially, the kind of PII the FTC was concerned with was pulled from online forms, as one might seen during account registration or with straight forward data requests and promotions (“We’ll give you [insert incentive], if you tell us how to contact you later about the product.”).

With in the last 5 years, social aspects within games and websites have become unstoppable for the youth demographic.  Chat, comments and posts, uploading images, and other forms of User Generated Content provide opportunities for PII collection.  Based on this, COPPA developed certain grey areas for debate.  For example, a website for tweens that collects data involuntarily (child A told child B his real name in chat), would that be breaking the law? If a company collects data from children for non-marketing purposes, is that still breaking the law?  Collecting data via a phone app, does it still count in COPPA even thought it’s not classic internet?  And, what about other forms of identity – like physical or digital identity?

On July 1st 2013, COPPA will OFFICIALLY receive an “upgrade.”  After years of research and conversation, the FTC has unanimously approved the following as PII (personally identifiable information):

  • A physical address including a street name and city or town (like School or GPS-applications that narrow down to a child’s exact location);
  • A screen or user name that functions as online contact information (like Skype or AIM);
  • A persistent identifier that can be used to recognize a user over time and across different Web sites or online services (like an IP address);
  • A photograph, video, or audio file, where such file contains a child’s image or voice (as we previously blogged about);
  • Geolocation information sufficient to identify street name and name of a city or town (this information is sometimes cookied with mobile uploads); or
  • Information concerning the child or the parents of that child combined with an identifier described above, as collected from the child.

There’s no way to separate a business from its marketing department.  At the end of the day, data collection IS data collection.  If your company has personally identifiable information collected from children under 13 without verified adult consent, you need to do the following NOW:

  1. You need to examine your systems, and remove or gate any opportunity for data collection.
  2. Scrub all data – delete anything that is personally identifiable.
  3. Implement adult verification tools and build (or purchase) thorough filters to block certain forms of PII.
  4. Get creative and hire well.  There are a lot of ways to work with COPPA, you just need the right people who can help (ahem).

Coming Soon: Lawfully Surpassing COPPA…

Izzy Neis
Director of Digital Engagement and Strategy

This entry was posted in Best Practices, Digital Engagement and tagged , , , , . Bookmark the permalink.

Talk Back

Laura Heagy
Posted on May 10, 2013

Thanks, Izzy. As always this is extremely informative; and I really appreciate the information. Good stuff to know not only for our business, but for our families as well.

Gina
Posted on May 10, 2013

I need the Metaverse in my house! I need someone to tell my kid that sharing his name in chat is NOT good – just one example. Someone other than his mommy saying it and he may not roll his eyes. *sighs*

Get On Your Soapbox

Click here to cancel reply.