The February 2007 FTC Report to Congress, “Implementing the Children’s Online Privacy Protection Act” (COPPA), provides a good look at compliance actions under this law, which is designed to protect the privacy of children under 13 years of age, and at the failures of numerous organizations to comply with it.
Let’s look first at the Executive Summary.
“I. EXECUTIVE SUMMARY
In 1998, Congress enacted the Children’s Online Privacy Protection Act (“COPPA” or “the Act”) to address privacy and safety risks created when children under 13 years of age (“children”) use the Internet. To protect children, the Act imposes requirements on operators of websites or online services directed to children, and other operators with actual knowledge that they have collected personal information from children. The Act generally mandates that such operators must provide notice of their privacy policies; obtain verifiable parental consent prior to collecting personal information from children; allow parents to review and delete personal information that their children have provided; and establish and maintain reasonable procedures to protect the security of personal information collected from children.
The Act required the Federal Trade Commission (“Commission,” “FTC,” or “agency”) to promulgate a rule implementing COPPA. In 1999, the Commission issued its Children’s Online Privacy Protection Rule (“COPPA Rule” or “the Rule”), which closely tracks the language and requirements of the Act. The Rule became effective in April 2000.
Both the Act and the Rule mandate that the Commission commence, within five years of the Rule’s effective date, a review of the Rule’s effectiveness that addresses the effect of COPPA’s implementation on practices relating to the collection, use, and disclosure of information from children online, children’s ability to obtain access to online information of their choice, and the availability of websites directed to children. The Commission is required to submit a report to Congress setting forth the results of its review. This report fulfills that requirement.
The FTC commenced this mandatory review of the Rule in 2005, along with its periodic regulatory review to determine whether the Rule should be modified. Based on the information the Commission received during this review, and its extensive experience in enforcing the Rule, the FTC concludes:
• No changes to the Act or Rule are necessary at this time.
• The Act and the Rule have been effective in helping to protect the privacy and safety of young children online. The proliferation of general audience websites, however, that may appeal to younger audiences, highlights the need for supplemental solutions, such as age verification technologies, that can provide additional measures of security for children as they increasingly engage in online activities.
• The Commission should continue law enforcement efforts by targeting significant violations and seeking increasingly larger civil penalties, when appropriate, to deter unlawful conduct.
• The FTC’s substantial, ongoing, commitment to business education has facilitated voluntary compliance with the Rule within the online industry.
• COPPA’s innovative approach of allowing a “safe harbor” from law enforcement action for website operators that comply with a Commission-approved COPPA self-regulatory program has been a cost-effective means of promoting Rule compliance.
• The Commission should continue to educate consumers, including parents and children, about privacy and security risks online generally, and about COPPA specifically, to increase awareness of these risks and actions that consumers can take to decrease them.
• The Act and the Rule do not appear to have adversely affected the number of websites directed to children or the ability of children to access online information of their choice.
• The agency’s approach thus far has proven effective in applying the flexible standards of the COPPA Rule to new online services, such as social networking sites. Education and enforcement challenges may present themselves, however, as, for example, the means by which children access the Internet increasingly move from stand-alone computers to mobile devices.
The FTC believes that its integrated program of rulemaking, law enforcement, and outreach to businesses and consumers during the Rule’s first five years has encouraged a culture of privacy and safety without imposing undue costs on website operators. The Commission expects that its approach to COPPA can continue to provide these protections, even in the dynamic online environment. The Commission recognizes that the online environment changes rapidly in response to technological change, and that the agency must respond accordingly and in a timely fashion. The FTC will remain vigilant in monitoring technological and other developments to ensure that the Rule continues to provide robust protections for children without imposing undue costs.”
Indeed, there must be protections for children online. It is unrealistic to expect children under 13 will not be using the Internet. Even with the most diligent parental oversight, there must be ways to prevent children from being exploited and victimized.
I have a 7-year-old and a 9-year-old, and I keep a very close eye on their online activities. However, I do not hesitate to investigate suspicious or inappropriate activities on sites that made promises to keep such actions from happening.
I like the recommendation to seek “increasingly larger civil penalties, when appropriate, to deter unlawful conduct.” Looming large fines are a good deterrent for online sites to play by the rules and not go beyond the bounds of what is appropriate with children’s information.
It is also good to emphasize the need for ongoing education to parents and children about the privacy and security risks of being online.
The report provides a chronology of the penalties applied for COPPA noncompliance, starting in 2001 with:
“On April 21, 2001, the FTC announced its first three COPPA cases. The Commission’s complaints alleged that Monarch Services, Inc. and Girls Life, Inc., operators of Girlslife.com; Bigmailbox.com, Inc., and Nolan Quan, operators of Bigmailbox.com; and Looksmart Ltd., operator of Insidetheweb.com, violated COPPA by collecting personal information such as name, home address, telephone number, and email address from children under 13 years of age without parental consent. To settle the Commission’s charges that they violated COPPA, the companies together paid a total of $100,000 in civil penalties.”
And most recently with:
“Most recently, on September 7, 2006, the Commission filed its latest civil penalty action for violations of COPPA and the Rule against operators of the social networking website Xanga.com. In its complaint, the Commission alleged that Xanga’s operators collected, maintained, and disclosed the personal information of over one million children under 13 by creating over 1.7 million separate online accounts for those children on its general audience website. The Commission’s settlement requires Xanga’s operators to comply with the Rule, delete all personal information collected in violation of the Rule, and pay civil penalties of one million dollars ($1,000,000), the largest civil penalty amount obtained by the Commission in a COPPA Rule violation case.”
If they indicate larger penalties are in store for future COPPA violators, then we will likely be seeing multi-million-dollar fines along with other required penalty-related activities.
If you have a website that is directed at children, or even just collects personal information from website visitors, read this report. It contains some very good tips, recommendations and discussions of sites that did wrong things with regard to collecting information from children.