Author Topic: Coppa Compliance requested per X_A  (Read 2363 times)

Rifter01

  • Guest
Coppa Compliance requested per X_A
« on: May 18, 2008, 04:04:01 am »
Due to a request by X_A, here are the details of what I mentioned and misspelled in another thread, specifically, compliance with COPPA / Children's Online Privacy Protection Act.

The reason this is here, is forgive me for the tone and placement of the original suggestion, (in another thread). I feel that this site and the people running it are good and helpful to the local community, my source here is myself since I also have a website and wish to aid in some advice here, however, since I don't know the specifics of your bulletin/forums software, it would as always be best to seek actual legal advice in order to reach and maintain full compliance with COPPA Def. 8c of Sec. 1302 through Sec. 1304.

Lemme put some copy/pasta here and I will continue after the dashed lines ---'s...

What is COPPA?

The Children's Online Privacy Protection Act (COPPA) was signed into law on October 21, 1998 and is effective as of April 21, 2000. The purpose of COPPA is to regulate the online collection and use of personal information provided by and concerning children under the age of thirteen. On October 21, 1999, the Federal Trade Commission, pursuant to the requirements of COPPA, published final rules in the Federal Register implementing COPPA. The Rules set forth the specific manner in which entities are expected to comply with, and how the FTC will enforce, COPPA.

Who Must Comply

If you operate a commercial Web site or an online service directed to children under 13 that collects personal information from children or if you operate a general audience Web site and have actual knowledge that you are collecting personal information from children, you must comply with the Children's Online Privacy Protection Act.

    *     To determine whether a Web site is directed to children, the FTC considers several factors, including the subject matter; visual or audio content; the age of models on the site; language; whether advertising on the Web site is directed to children; information regarding the age of the actual or intended audience; and whether a site uses animated characters [[to my knowledge this INCLUDES avatars/profile pictures -Ed]] or other child-oriented features.
    *     To determine whether an entity is an "operator" with respect to information collected at a site, the FTC will consider who owns and controls the information; who pays for the collection and maintenance of the information; what the pre-existing contractual relationships are in connection with the information; and what role the Web site plays in collecting or maintaining the information.

Personal Information

The Children's Online Privacy Protection Act and Rule apply to individually identifiable information about a child that is collected online, such as full name, home address, email address, telephone number or any other information that would allow someone to identify or contact the child. The Act and Rule also cover other types of information -- for example, hobbies, interests and information collected through cookies or other types of tracking mechanisms -- when they are tied to individually identifiable information.

-------------------------------

So, this website may or may not be 'targeting' or 'directed' to children, (esp. when related to games rated "M" or Mature, however, other games, like Guitar Hero, and Super Smash Bros., Pokemon, etc., and others are rated T, or E... this is where many children usually play, but, sometimes they may, or do participate in more mature games, i.e. shooters, etc). If your website uses login cookies and/or advertisers use tracking cookies.. Well, this is how a lot of other websites get into deep water, get sued and/or shut down since they may/may not realize something as basic as a cookie may violate the child's privacy.

Besides login cookies, the main way this website *and many others out there* is mainly, by definition, affected is EMAIL REGISTRATION, and by COPPA 8c, Sec. 1302: [possible] collection of e-mail addresses of individuals 13 years of age or younger, and subsection C, & D Section 1303: the contacting (and/or giving PM's) or notices on game participation.. Here is how that section is worded:

"(C) prohibit conditioning a child's participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity; and

(D) require the operator of such a website or online service to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. "

In order to be compliant with regulations in Sect. 1303, subsection B, paragraph 1, item(a) A, ii, & B, & C. As well as Sect. 1304, subsection C, entitled "Deemed Compliance".

#1. Be prepared for the eventuality that either the FTC or a law enforcement/gov't agency will request to obtain any/all personal information about a child, and/or a parent will request info about their own child and/or request the complete removal of such information provided by someone or anyone 13 years of age or younger. From my best understanding, you must provide, (at minimum) a FAX number for a parent to send the website operator a permission or request notice.

Now, I'll stop here for just a second.. Why would a parent or government agency (including any agency dealing with law enforcement) ask or require the webmaster to give them such information (esp. as the parent should very well know their own child's information, etc.)? The quick answer is I don't know why! It almost sounds like less privacy, however, the parent needs to be verified/identified in this process too. How you do that is up to you, and there are suggestions later/below.. But, the best way most website owners cover their bases:

#2, Update the privacy policy.  Here is more copy/paste, a "bottom line" tip and more from me after the ----'s

Privacy Notice

Placement

An operator must post a link to a notice of its information practices on the home page of its Web site or online service and at each area where it collects personal information from children. An operator of a general audience site with a separate children's area must post a link to its notice on the home page of the children's area.

The link to the privacy notice must be clear and prominent. Operators may want to use a larger font size or a different color type on a contrasting background to make it stand out. A link in small print at the bottom of the page -- or a link that is indistinguishable from other links on your site -- is not considered clear and prominent.

Content

The notice must be clearly written and understandable; it should not include any unrelated or confusing materials. It must state the following information:

    *      The name and contact information (address, telephone number and email address) of all operators collecting or maintaining children's personal information through the Web site or online service. If more than one operator is collecting information at the site, the site may select and provide contact information for only one operator who will respond to all inquiries from parents about the site's privacy policies. Still, the names of all the operators must be listed in the notice.
    *      The kinds of personal information collected from children (for example, name, address, email address, hobbies, etc.) and how the information is collected -- directly from the child or passively, say, through cookies.
    *      How the operator uses the personal information. For example, is it for marketing back to the child? Notifying contest winners? Allowing the child to make the information publicly available through a chat room?
    *      Whether the operator discloses information collected from children to third parties. If so, the operator also must disclose the kinds of businesses in which the third parties are engaged; the general purposes for which the information is used; and whether the third parties have agreed to maintain the confidentiality and security of the information.
    *      That the parent has the option to agree to the collection and use of the child's information without consenting to the disclosure of the information to third parties.
    *      That the operator may not require a child to disclose more information than is reasonably necessary to participate in an activity as a condition of participation.
    *      That the parent can review the child's personal information, ask to have it deleted and refuse to allow any further collection or use of the child's information. The notice also must state the procedures for the parent to follow.

Direct Notice to Parents

Content

The notice to parents must contain the same information included on the notice on the Web site. In addition, an operator must notify a parent that it wishes to collect personal information from the child; that the parent's consent is required for the collection, use and disclosure of the information; and how the parent can provide consent. The notice to parents must be written clearly and understandably, and must not contain any unrelated or confusing information. An operator may use any one of a number of methods to notify a parent, including sending an email message to the parent or a notice by postal mail.

Verifiable Parental Consent

Before collecting, using or disclosing personal information from a child, an operator must obtain verifiable parental consent from the child's parent. This means an operator must make reasonable efforts (taking into consideration available technology) to ensure that before personal information is collected from a child, a parent of the child receives notice of the operator's information practices and consents to those practices.

----------------------------------------

To "bottom line" #2, and play it completely safe, would be like some websites do, is to basically bar access to certain features (i.e. registration, writing posts, replies, profile page, etc.) to someone 13 or under until their parents give permission, and the posting of this in the privacy policy.. i.e. something to this effect:

"Our website" and COPPA
To address COPPA, we do not permit children under age 13 to use the forums, post any personal information and/or PM without having first the express/written permission of their parents. In any event, some parents may opt if/when a child is posting or PM'ing and may allow their child to communicate with their parents account, (or a we apologize, but sometimes it is the easiest way. We regret any inconvenience this may cause, but it is simply the easiest way to deal with the problem.

Now, please note, this consent from parents needs verification, and here are the ways the FTC recommends.......

-----

They can use a variety of methods to verify the parent's identity, including:

    *      obtaining a signed form from the parent via postal mail or facsimile;
    *      accepting and verifying a credit card number;
    *      taking calls from parents on a toll-free telephone number staffed by trained personnel;
    *      email accompanied by digital signature;
    *      email accompanied by a PIN or password obtained through one of the verification methods above.

--------------------

So finally, it comes down to #3, The webmaster should provide official contact information for parents, FTC or law enforcement to communicate with the website operator/host, which is at minimum a FAX or email address at forum/website registration pages, AND/OR player/gamer signups for website-hosted events before game time, or, on a separate "COPPA Compliance / Parent Consent / Privacy page" by either Fax, Email, HTML Form, or mailing address, so that parents can provide verifiable I.D, and consent to you.

So, in sum, what is mainly needed is:

#1) Be ready / drawn up parental consent form(s) & policy in place / prepared to handle both 'automated' e-mail or FAX requests and human 'manual' hand-written or in very rare cases called-in (by phone) verified COPPA compliance checks. By collecting registrations, (both website and real life at game event signups, etc.) all information must be safeguarded and privacy policy stated, communicated to parent of child, and the parental consent form (that you, yourself or lawyer/legal professional can draw up including the guidelines here and on the FTC's coppa.org website) filed on the private record, and most importantly in the safe keeping of the website owner(s)/administrator(s), available only to themselves and only to AUTHORIZED "I.D. or PIN # VERIFIED" PARENTS / IDENTIFIED OR AUTHORIZED LAW ENFORCEMENT AGENTS/AGENCIES.

#2) Website needs privacy policy update to express parents permission required for 13 and younger child's full access to all forum features, PM, public profile, posting, contest/game announcements both in-person and on mailing list(s). If any information is shared with 3rd parties, (like advertisers, via cookies or other database sharing) it should be listed how it is used within the privacy policy.

#3) Website owner FAX # and/or email and/or mailing address (minimal I do for my website is email, fax and mailing address, your website may vary) to address COPPA Compliance. Many websites put the FAX # and mailing address of the head honcho's office, or office manager, with either the webmaster's name and/or other operators of the website after a registration prompt asking the new user if they are 13 years old or younger. [And something to the effect like, in order to have full forum access, please ask your parent/legal guardian to email us, FAX us for a consent form, or mail the printed form to, blah blah..]


Hopefully I've helped to clear up some of the red tape. If not, I'm sorry for the wordiness of this, it is like 3AM right now.. Here is the website page for FTC/COPPA compliance: http://www.coppa.org/comply.htm also, feel free to check out the root url of that, as well as message me and I will try and help any way I can. Maybe this website forums package already has some COPPA plug-in you can use. I'm not sure though.

Rifter/Kevin

Offline X_A

  • X A - Lead OKGamer Evangelist
  • Administrator
  • OKgamer fo' life
  • *****
  • Posts: 4310
  • Gender: Male
    • http://okgamers.com
  • SEN ID: XianghuaALPHA
  • XBL ID: XianghuaALPHA
Re: Coppa Compliance requested per X_A
« Reply #1 on: May 20, 2008, 08:40:17 pm »

Thanks for doing all this research!  After some things calm down, I'll actually be able to pay attention to this!



X A

Oklahoma doesn't have to "suck"
OKGamers.com - spread the word. 
OKgamers.com - our goals

New to the site?  Welcome to OKgamers.com!  Let us know how you found us!

Offline bartsimpson8

  • OKgamer Evangelist
  • *****
  • Posts: 153
  • Gender: Female
Re: Coppa Compliance requested per X_A
« Reply #2 on: May 23, 2008, 01:01:02 pm »
Ok. So I'm 13, will be 14 in August. Is there anything I need to do with this act, like a parent signature?
I do not have ADD, it's just that oh hey look a bunny!

Offline X_A

Re: Coppa Compliance requested per X_A
« Reply #3 on: June 06, 2008, 02:11:33 am »

Okay, I FINALLY have time now lol - has Rislone / anyone else looked at this and had any thoughts?


Offline Rislone

  • OKgamers T.O.
  • OKgamer fo' life
  • *****
  • Posts: 1115
  • Gender: Male
  • XBL ID: eighty8keyes
Re: Coppa Compliance requested per X_A
« Reply #4 on: June 06, 2008, 05:26:18 pm »
I have a while back but haven't had the time to do anything with it or form any kind of thoughts on it.
GT: Eighty8keyes Haloez and anything else I might be playing.

Offline Winged_Human

  • OKgamers Supporters
  • Official OKgamer
  • ****
  • Posts: 84
  • Gender: Male
Re: Coppa Compliance requested per X_A
« Reply #5 on: June 09, 2008, 10:37:55 pm »
I think it is definitely something that should be considered seeing as how we're a very family friendly, we might be taken more seriously if we were to take in and become compliant with this type of thing. I unfortunately don't know how to code or even design a website so I couldn't really help there. But again, I think this is something that should be looked at.
Death borne on angels wings.