Over the next few weeks, we aim to share a few blog posts breaking down the recent amendments to current legislation – referred to as COPPA 2.0 – for anyone that’s a parent, an operator, a publisher, or has general interest in COPPA legislation, and the update’s after-effects.

Since its birth in 1997, COPPA has created a wee barrier between marketers & children.  The legislation has been controversial in several areas: child online safety, digital parenting, personal information & data collection, and freedom of speech.  In 2012, the FTC proposed changes to this piece of legislation, and in 2013 (with an unanimous vote), the updates were approved and are now law.

If you operate a site, game, or app targeting kids or families – this change probably affects you.

My COPPA elevator pitch: If you are a website aimed at children under 13 (0 to 12 to be precise), you cannot collect ANY personally identifiable information from a child/ children without verified permission from an adult (verified by faxed signature, credit card, social security).

From 1997 – 2013, personally identifiable information (or “PII”) was listed as information that – if alone or combined – allowed you to locate (and contact) a child under the age of 13, such as:

• Full Name (First + Last)
• Telephone Number
• Email Address
• Home Address (street address + city)
• Social Security Number

As you may notice, most of this data was “real world” information, and focused around the idea of offline contact & offline identity.  The FTC increased this definition to include many more identifiers (mobile numbers, unique identifiers like usernames, etc, please forgive the briefness, we’ll be discussing these more over the course of the month).

Previously, PII was purely text based data.  This has clearly changed:

The amended Rule considers photos, videos, and audio recordings that contain a child’s image or voice to be personal information.  This means that operators covered by COPPA must either (i) prescreen and delete from children’s submissions any photos, videos, or audio recordings of themselves or other children or (ii), first give parents notice and obtain their consent prior to permitting children to upload any photos, videos, or audio recordings of themselves or other children.

Complying with COPPA Frequently Asked Questions

What does this mean for Operators?

Dear Marketing, Community, Social Media, Game Designers, Website Producers, etc, I’m sorry to say that you can no longer allow a child under the age of 13 to upload a UGC avatar for your forum, a fan video to support your brand, a sing-a-long mp3, or any other file (audio or visual) without specific additional steps, which are: an age gate, pre-screening & scrubbing content, and/or the verification of an adult associated to the child (with proper notification of collection).  Oh, and you should spend some time scrubbing the content currently live on your site to ensure you’re compliant with the new rules (need help?  That’s what we’re here for: [email protected]).

What does this mean for Parents?

Let’s be clear: your child’s image/voice is your right to protect, and therefore it’s important that you understand how necessary you are in this process.  Help your child understand identity safety (use Clark Kent / Superman as an example, or check out the Stop. Think. Connect. campaign from StaySafeOnline.org).  Fact: children knowingly LIE about their age to participate in a site.  Children do not understand the importance of privacy and identity, and only want to hop a barrier to get to the fun stuff. Companies will comply with the law, but we need parents to help reinforce the policies we put in place.

In the past, an engaging/fun website might allow for image or audio uploads to support an event or theme, for example: Halloween costume photos for Halloween.  This cannot happen for family or kid sites without consent from a verified adult.  Additionally, there are some rad apps FOR kids that allow your child to play creatively with photos (adding characters, changing colors, etc), or wav files (alter voice to sound funny).  As long as there is not an UPLOAD feature that enables the company to collect or share without verified-adult permission, this shouldn’t be a problem.

For everyone:

Aside from the “identity” issue, uploading a photo may allow for a company to pull an IP Addresses, and/or collect one’s Geolocation.  Both of these events are now considered PII.  IP Addresses can narrow data collection to a small town, an apartment complex, or an individual computer.  If a kid/family website has IP Address tracking abilities, that will have to be scrapped relatively quickly (which, operationally, can be problematic when attempting to stop trolls, account clones, spammers, banned accounts, etc, but that’s an argument for another time).

Geolocation is a bit different, as it is a bit more creepy “personal” (on vacation? we can find you…).  Think of Geolocation as a thumb-tack on a map marking the place you visited at one specific moment (like a map-stamp snapshot with time/date).  If Geolocating is enabled, an app can cookie the location the picture was taken, with or without your active knowledge.  Unlike IP Addresses, parents can proactively prevent the collection of geolocation data way before a child downloads an app.  How?  On your smart phone or tablet, go to “Settings” and select “General,” followed by “Location Services.” Look for “Camera” and switch it to off.  Might want to take a moment to surf around in “Settings” and ensure that Geolocation is not enabled within other applications.

So, to recap, I’ve bulleted out the big take-aways here, haiku-style:

COPPA 2.0
Video, audio, and
Photo are no-no.

Data Collection
IP, Geolocation
COPPA kid says no!

Whether you agree with the changes or not, COPPA 2.0 is officially here to stay.  Understanding how it affects you, your family, and your company/brand/website is essential!  As mentioned, we will be profiling various elements of this update, make sure to check back for more!

Izzy Neis
Director of Digital Engagement and Strategy

This entry was posted in Best Practices, Digital Engagement, Social Media and tagged coppa, digital safety, families, ftc, identity, kids, online safety, privacy. Bookmark the permalink.