When was COPPA passed




















The organization first reviews your website or service and delivers a report on your compliance or lack thereof with the law. They then help you remediate any problems and, when that process is completed, certify your site as COPPA compliant. The organization will subsequently offer monitoring and guidance going forward. All this comes at a price, of course. And the system can also be gamed in various ways: in a particularly brazen case, a Swiss game developer called Miniclip falsely claimed to be certified by a Safe Harbor organization for seven years.

In the wake of this agreement, Google shifted significant responsibility for COPPA compliance onto YouTube creators, who are responsible and legally liable for determining whether their individual videos or their channels as a whole are directed at children as defined by COPPA, although Google will also be using algorithmic techniques to seek out mislabeled videos.

This shift on Google's part sent the community of YouTube's children-directed video creators into turmoil. Videos marked as being for kids under 13 now cannot carry behaviorally targeted advertising, which cuts down ad revenue significantly, and cannot make use of YouTube features that require user login or user data, like comments, live chat, and the ability to save a video to watch later. While it's still a potentially lucrative market, it's one that's now full of unexpected minefields.

Since many creators are individual hobbyists who don't make anywhere near that much in a year from their channels, it seemed like a terrifyingly high number. But as vidIQ explains, these worries are overblown. Maximum is the key word here, and the law explicitly states that the violator's revenue guides the actual assessed fines.

A trip through the FTC website demonstrates some moves to avoid: While your YouTube video probably won't get you hit with a multi-thousand dollar fine, malfeasance on this scale will. Always be aware of your legal responsibilities — especially when it comes to kids.

The site asked girls for their first and last names, street addresses, phone numbers, e-mail addresses and birth dates, as well as their favorite color and season without parent permission. Marking the first anniversary of COPPA, the FTC announced settlements with three Web operators for illegally collecting personally identifying information from children under 13 years of age without parental consent.

For more information, read the press release by clicking here. Toysmart collected detailed personal information about its visitors, including name, address, billing information, shopping preferences, and family profiles -- which included the names and birthdates of children. When it ran into financial difficulties, it attempted to sell all of its assets, including its detailed customer databases.

Agreement enforces privacy promises, prohibits sale of customer lists except under very restricted circumstances. Read the press release here. GeoCities agreed to settle FTC charges that it misrepresented the purposes for which it was collecting personal identifying information from children and adults. This was the first FTC case involving Internet privacy.

Understanding COPPA can be complicated; however, by looking at previous violations you can find important takeaways. Here are some important points from the list of violations above: If you are bringing children into your website, app, or game, there's a good chance COPPA applies to your organization.

Since COPPA came into force, fines for violating children's privacy online have become greater and greater. However, paying the fine is just the start of the process to repair brand damage. It takes years to build a positive brand relationship and just seconds for parents around the world to see your organization as unsafe for their children. Each violation highlights a key lesson. Complying with COPPA not only protects your organization from legal trouble, but shows that you are willing to go the extra mile to keep kids safe online.

Below is a list of significant violations to date. Timeline of Violations. Lisa Frank, Inc. UMG Recordings, Inc. If you wish to keep your online privacy policy simple, you may include a clear and prominent link in the privacy policy to the complete list of operators, as opposed to listing every operator in the policy itself.

You must ensure, however, that your privacy policy signals parents to, and enables them easily to access, this list of operators. Therefore, you will need to disclose in your privacy policy see FAQ C. For more detailed information about activities considered support for internal operations, see FAQs J.

The Rule requires that the operator post a clearly and prominently labeled link to the online privacy policy on the home or landing page or screen of the website or online service, and at each area of the site or service where personal information is collected from children.

This link must be in close proximity to the requests for information in each such area. In the case of an app, the link to the privacy policy must be on the home page of the app. The Rule does not mandate that a privacy policy be posted at the point of purchase, such as in the app store.

However, there is a substantial benefit in providing greater transparency about the data practices and interactive features of child-directed apps at the point of purchase and we encourage it as a best practice. In addition, if a child-directed app were designed to collect personal information as soon as it is downloaded, it would be necessary to provide the direct notice and obtain verifiable consent at the point of purchase or to insert a landing page where a parent can receive notice and give consent before the download is complete.

A link that is at the bottom of the page may be acceptable if the manner in which it is presented makes it clear and prominent.

This advice remains in effect. The Rule provides a very detailed roadmap of what information must be included in your direct notice in four specific instances. In this case, the direct notice must: As described in FAQ C. Therefore, you may not simply link to a separate online notice. Note, however, that the Rule requires that each direct notice you send also contain a link to your online privacy policy. Unless one of the limited exceptions applies see FAQ I.

The Rule sets out a number of factors for determining whether a website or online service is directed to children. These include: As described in FAQ E. It depends. COPPA applies to commercial websites and online services that are directed to children. If the content you post on the platform is directed to kids, and personal information is collected by you or on your behalf (such as a persistent identifier used to serve targeted advertising), you will be deemed an operator of an online service that needs to comply with COPPA.

By the same token, if the platform has actual knowledge that your content is directed to children and is collecting personal information, it will also need to comply with COPPA. The Rule sets out a number of factors for determining whether a website or online service is directed to children See FAQ D. The FTC staff recognizes that the determination of whether content is child-directed will be clearer in some contexts than in others.

We can, however, provide some general guidance. Unfortunately, the FTC cannot provide an opinion on whether a specific site or service is directed to children. If you continue to have questions about whether your content is directed to children, consider contacting an attorney or consulting one of the COPPA Safe Harbor programs — self-regulatory groups that offer guidance on how operators can comply with the law.

This means that for the most part, a website or online service directed to children may not screen users for age. However, the Rule provides a narrow exception for a site or service that may be directed to children under the criteria set forth in FAQ D. If your site or service targets children under age 13, but children under 13 are not your primary audience e. You can implement an age screen; for users who indicate they are children under 13, you can ensure that you do not collect personal information from those users, or you can obtain verifiable parental consent.

Keep in mind that unlike a general audience website or service, as an operator of a website or online service directed to children, you may not block children from participating in the website or online service. As the operator, you should carefully analyze who your intended audience is, the actual audience, and in many instances, the likely audience for your website or online service.

See FAQ D. You may also get a better sense of your site or service once it has been in operation, and may need to make some changes accordingly. Instead, the Rule permits you to use an age screen in order to differentiate between users under age 13 and other users. You may decide to offer different activities, or functions, to your users depending upon age, but you may not collect personal information from users who have indicated they are under 13 without first obtaining verifiable parental consent.

In designing your age screen, you should ask age information in a neutral manner, making sure the data entry point allows users to enter their age accurately and does not default to an age 13 or over. An example of a neutral age screen would be a system that allows a user freely to enter the month and year of birth.

Avoid encouraging children to falsify age information by, for example, stating that certain features will not be available to users under age 13. In addition, consistent with long standing Commission advice, FTC staff recommends using technical means, such as a cookie, to prevent children from back-buttoning to enter a different age.

Requiring a child to answer a question he or she is unlikely to be able to answer, without more, is inadequate for determining the age of the user. There are many children under 13, for example, that can perform complex math problems, and some users over 13 that may have difficulty with those same complex problems. You may, however, use a math problem in addition to asking the age of the user, as described in FAQ D. The Rule does not require you to inform third parties of the child-directed nature of your site or service, and doing so, without more, will not relieve you of your obligations under COPPA.

Remember, you are responsible for the collection of personal information from your users, no matter who is doing the collection; therefore, you will need to do more than simply identify yourself to third parties.

In addition, Commission staff recommends that operators of child-directed websites or services signal their status to third parties and you may arrange with the third party collecting the personal information to provide adequate COPPA protections.

There are a number of questions you must find answers to before you enter into an arrangement with any entity to serve advertising to run on your child-directed sites and services. You should make informed decisions before you permit advertising to run on your sites and services. Depending on what advertising choices you make, you may be required to notify parents in your online privacy policies and in a direct notice, and obtain verifiable parental consent, before you permit advertising to occur.

Remember that the Rule holds you liable for the collection of information that occurs on or through your sites and services, even if you yourself do not engage in such collection. As the operator of a child-directed app, you must conduct an inquiry into the information collection practices of every third party that can collect information via your app. You must get verifiable parental consent before enabling children to share personal information in this manner, even through third parties on your app.

This is true unless an exception applies. However, in the situation you describe — where a child can email a painting and a message or post content on his or her social networking page through your app — no exception applies.

In the Statement of Basis and Purpose, the Commission set forth two cases where it believes that the actual knowledge standard will likely be met: Under the first scenario, any direct communications that the child-directed provider has with you that indicate the child-directed nature of its content would give rise to actual knowledge.

In addition, if a formal industry standard or convention is developed through which a site or service could signal its child-directed status to you, that would give rise to actual knowledge.

Under the second scenario, whether a particular individual can obtain actual knowledge on behalf of your business depends on the facts. See also FAQ E. You would have no duty to investigate. It's possible, however, that you will receive screenshots or other forms of concrete information that do give you actual knowledge that the website is directed at children. If you receive information and are uncertain whether the site is child-directed, you may ordinarily rely on a specific affirmative representation from the website operator that its content is not child-directed.

For this purpose, a website operator would not be deemed to have provided a specific affirmative representation if it merely accepts a standard provision in your Terms of Service stating that, by incorporating your code, the first party agrees that it is not child directed. Such a system could provide more certainty for you. Remember, though, that you may still be faced with screenshots or other concrete information that gives you actual knowledge of the child-directed nature of the website despite a contradictory representation by the site.

If, however, such information is inconclusive, you may ordinarily continue to rely on a specific affirmative representation made through a system that meets the criteria above. It also applies to geolocation data contained in these files sufficient to identify street name and name of city or town.

Therefore, in order to offer an app without parental notice and consent, the operator must take the following steps: An operator of a site directed to children does not need to notify parents or obtain their consent if it blurs the facial features of children in photos before posting them on its website. See Statement of Basis and Purpose, 78 Fed.

The same goes for a site that has actual knowledge it has collected the photos from children. Before posting such photos, however, the operator must also remove any other personal information they contain, such as geolocation metadata, and ensure that it is not using or disclosing persistent identifiers collected from children in a manner that violates the Rule. COPPA only covers information collected online from children. It does not cover information collected from adults that may pertain to children.

Thus, COPPA is not triggered by (1) an adult uploading photos of children on a general audience site, (2) an adult uploading photos of children in the non-child directed portion of an otherwise child-directed website e. However, operators of websites or online services that are primarily directed to children as defined by the Rule must assume that the person uploading a photo is a child and they must design their systems either to: (1) give notice and obtain prior parental consent, or (2) remove any child images and metadata prior to posting.

You are not collecting personal information simply because your app interacts with personal information that is stored on the device and is never transmitted.

The operator must, however, provide a clear online notice of its collection, use, and deletion policy regarding these audio files.

The Commission reasoned that, where an operator collects an audio file in these circumstances, there is little risk that the file will be used to contact an individual child. There are limitations on this non-enforcement policy.

First, this policy is not applicable when the operator requests information via voice that otherwise would be considered personal information under the Rule, such as a name. Second, as described above, the operator must provide clear notice of its information, use, and deletion policy for these audio files in its privacy policy. Third, the operator may not make any other use of the audio file in the brief period before the file is destroyed. In other words, if the operator is collecting other types of personal information, it must obtain verifiable parental consent.

COPPA is designed to notify parents and give them the choice to consent. Therefore, it is not sufficient to provide such notification and choice to the child user of a website or service. If the operator intends to collect geolocation information, the operator will be responsible for notifying parents and obtaining their consent prior to such collection. COPPA does not require an operator to notify parents and obtain their consent before collecting the type of coarse geolocation services described.

However, the operator should be quite certain that, in all instances, the geolocation information it collects is more general than that sufficient to identify street name and name of city or town. COPPA applies even if the child is not asked to provide an actual street address. InMobi Pte Ltd. The Rule does not require operators of general audience sites to investigate the ages of visitors to their sites or services.

See Statement of Basis and Purpose, 64 Fed. COPPA applies to websites and online services that are directed to children under 13. See Section D above for more information on mixed audience sites. Note that sites or services directed to children cannot use the age screen to block children under age 13. Once you identify child visitors, you may choose to:

COPPA does not require you to permit children under age 13 to participate in your general audience website or online service, and you may block children from participating if you so choose. By contrast, you may not block children from participating in a website or online service that is directed to children as defined by the Rule, even if the website or online service is also directed to users age 13 or older. If you choose to block children under 13 on your general audience site or service, you should take care to design your age screen in a manner that does not encourage children to falsify their ages to gain access to your site or service.

Ask age information in a neutral manner at the point at which you invite visitors to provide personal information or to create a user ID.

In addition, consistent with long standing Commission advice, FTC staff recommends using a cookie to prevent children from back-buttoning to enter a different age. See, e. Additionally, such an email may give you actual knowledge that you have collected personal information from a child e.

In such a circumstance, you would need to take steps to ensure that you are complying with COPPA, such as obtaining parental consent or immediately deleting any personal information collected from the child.
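The age-screen guidance above (free entry of month and year of birth with no default, plus a cookie so that back-buttoning to enter a different age has no effect) can be sketched as server-side logic. This is an added example, not code from the FTC or from any source quoted on this page; the cookie name `age_screen`, the function names and the 30-day cookie lifetime are assumptions.

```javascript
// Added illustration; AGE_COOKIE and every function name here are hypothetical.
const AGE_COOKIE = "age_screen";

// Parse a "k=v; k2=v2" Cookie header into a plain object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Validate free-form month/year entry. Nothing is defaulted: missing,
// malformed, future or implausible input is re-asked, never read as 13+.
function parseBirth(monthStr, yearStr, now) {
  if (!/^\d{1,2}$/.test(monthStr || "")) return null;
  if (!/^\d{4}$/.test(yearStr || "")) return null;
  const month = Number(monthStr);
  const year = Number(yearStr);
  const curYear = now.getUTCFullYear();
  const curMonth = now.getUTCMonth() + 1;
  if (month < 1 || month > 12) return null;
  if (year < curYear - 120) return null;
  if (year > curYear || (year === curYear && month > curMonth)) return null;
  return { month, year };
}

// Only month and year are known, so be conservative: assume the birthday
// is the last day of the month. A user counts as 13 only once the whole
// birth month of the 13th year has passed.
function isUnder13(birth, now) {
  const monthsOld = (now.getUTCFullYear() - birth.year) * 12 +
    (now.getUTCMonth() + 1 - birth.month);
  return monthsOld <= 13 * 12;
}

// Decide what the site may do for this request.
function handleAgeScreen(form, cookieHeader, now) {
  const prior = parseCookies(cookieHeader)[AGE_COOKIE];
  if (prior === "u13") {
    // The earlier answer sticks, whatever age is entered on a retry.
    return { outcome: "under13", collectPersonalInfo: false, setCookie: null };
  }
  const birth = parseBirth(form.month, form.year, now);
  if (!birth) {
    return { outcome: "ask_again", collectPersonalInfo: false, setCookie: null };
  }
  if (isUnder13(birth, now)) {
    // The cookie holds only a flag: no birth date and no unique identifier.
    const attrs = "Path=/; Max-Age=2592000; HttpOnly; Secure; SameSite=Lax";
    return {
      outcome: "under13",
      collectPersonalInfo: false, // or obtain verifiable parental consent first
      setCookie: `${AGE_COOKIE}=u13; ${attrs}`,
    };
  }
  return { outcome: "13plus", collectPersonalInfo: true, setCookie: null };
}
```

The `under13` outcome should lead to the same neutral next screen a first-time answer would, without stating that features are withheld because of age.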

In determining whether a website or online service is directed to children, you should carefully consider the factors set forth in the Rule, including the subject matter of the game, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the website or online service, and whether advertising promoting or appearing on the site or service is directed to children.

You should also consider any competent and empirical evidence regarding your audience composition, and who your intended audience is. The Commission considers the totality of the circumstances in determining whether a website or online service is directed to children, and no single factor is determinative.

In determining whether your site or service is mixed audience, you should consider your intended audience (are you marketing to under 13 users, such as through selling related toys, for example).

You should also determine whether your site or service involves child-oriented activities, such as a dress up game, and whether you have empirical evidence as to the actual users of your video game site. If you continue to have questions about whether your content is mixed audience, consider contacting an attorney or consulting one of the COPPA Safe Harbor programs — self-regulatory groups that offer guidance on how operators can comply with the law.

The COPPA Rule applies to an operator of a general audience website if it has actual knowledge that a particular visitor is a child. Even where the child does reveal age-identifying information, if no one in your organization is aware of the post, then you may not have the requisite actual knowledge under the Rule. However, you may be considered to have actual knowledge where a child announces her age under certain circumstances, for example, if you monitor user posts, if a responsible member of your organization sees the post, or if someone alerts you to the post e.

As a general rule, operators must get verifiable parental consent before collecting personal information online from children under 13. Certain, limited exceptions let operators collect certain personal information from a child before obtaining parental consent. These exceptions include: If you fall outside of one of those exceptions, you must notify parents and obtain their consent.

Specific methods identified in the Rule or otherwise approved by the Commission include: Although collecting a digit credit or debit card number alone would not satisfy the method listed in the Rule, there may be circumstances in which collection of the card number — in conjunction with implementing other safeguards — would suffice to meet the standard for verifiable parental consent.

For example, you could supplement the request for credit card information with special questions to which only parents would know the answer and find supplemental ways to contact the parent.


