Children's Online Privacy Protection Act of 1998
PURPOSE
The Children’s Online Privacy Protection Act of 1998 (COPPA) is designed to regulate and prevent deception around “the collection, use, and/or disclosure of personal information from and about children on the Internet” and to give parents control over what information is gathered from their young children online.
HISTORY
COPPA was signed into law on October 21, 1998, and the regulations implementing COPPA went into effect on April 21, 2000. In January 2013, the Federal Trade Commission (FTC) amended COPPA regulations to respond to changes in online technology. These revised regulations took effect on July 1, 2013.
APPLICABILITY TO BYU–HAWAII
COPPA applies to “the operator of any website or online service” that collects or maintains personal information about visitors if the website is directed to children or if the operator “has actual knowledge that it is collecting personal information from a child[.]” For purposes of COPPA, a child is anyone under age thirteen. The website or online service must be offered for commercial purposes (such as selling products or services). Non-profit entities are typically not covered by COPPA, unless they “operate for the profit of their commercial members.” However, the FTC encourages non-profit entities to comply with COPPA.
In determining whether a website or online service is directed to children, the FTC considers criteria such as subject matter, visual and audio content, the age of models, language, advertising, information regarding the age of the audience, and use of animated characters. Importantly, a website for general audiences must still comply with COPPA if the site operator has actual knowledge that the site collects any personal information from a child under age thirteen.
BYU–Hawaii operates commercial websites and online applications that may be directed at or collect information from children. Although BYU–Hawaii is a nonprofit entity that may otherwise be exempt from COPPA requirements, certain units of BYU–Hawaii operate for profit, such as the BYU–Hawaii Store, and therefore may make the university and some of its websites subject to the law. Even if it were determined that BYU–Hawaii is not subject to COPPA, the FTC recommends that exempt sites still comply with the law in order to protect children who access their websites.
REQUIREMENTS
COPPA regulates the gathering of personal information online from anyone under age thirteen; this includes asking or encouraging a child to submit information, allowing a child to publicly publish personal information, and passively tracking a child’s activities online. The law includes requirements regarding privacy policies, parental consent, and storage of children’s information after it is collected.
Personal Information
Personal information is defined as any of the following information collected from a child, even if the information pertains to someone other than the child:
- Full name
- Address
- Email address
- Telephone number
- Social security number
- Any other identifier that can be used to contact a person (either physically or online)
Personal information can also include any other information collected about the child or his or her parents if that information is combined with a piece of personal information. The FTC also interprets personal information to include photographs, video, and audio files containing a child’s image or voice, geolocation information (if specific enough to locate a city and street name), any persistent identifier that can be recognized over time or across websites (such as an IP address), and online usernames that can be used to contact the child.
Notices to Parents
COPPA requires website operators to send direct notices to parents before collecting, using, or disclosing personal information collected from children. The following are different types of direct notices that may be necessary, depending on the circumstances.
1. Notice to Obtain Parent’s Affirmative Consent to the Collection, Use, or Disclosure of a Child’s Personal Information
2. Voluntary Notice to Parent of a Child’s Online Activities Not Involving the Collection, Use or Disclosure of Personal Information
3. Notice to a Parent of Operator’s Intent to Communicate with the Child Multiple Times
4. Notice to a Parent in Order to Protect a Child’s Safety
Direct notices must contain specific components that are unique to each type of notice. In addition to other components, each notice must contain a statement of what information was collected from the child and why.
A website operator that collects personal information from children under age thirteen must also provide notice on its website of the operator’s information collection and disclosure practices. Any direct notice to a parent must contain a link to this online notice. The online notice must meet specific requirements and include the following information:
1. Contact information (name, address, telephone number, and email address) for all site operators that collect or maintain children’s personal information through the website. (Alternatively, the notice may list contact information for a single operator who will respond to parental inquiries on behalf of all of the site operators who collect children’s personal information.)
2. A description of the information the website operator collects from children, how the operator uses this information, the operator’s information disclosure practices, and whether the operator allows children to make their personal information publicly available.
3. A statement that parents can review or delete their child’s personal information and prevent further collection or use. The statement must also include instructions for how to take action.
Additionally, a clearly labeled and prominent link to the notice must be posted on the home page of the operator’s website and at each area where personal information from children is collected. The FTC recommends differentiating the link through font size or contrasting colors.
All notices, both direct and online, must be “clearly and understandably written, complete, and must contain no unrelated, confusing, or contradictory materials.”
Parental Consent
A website operator must obtain parental consent before collecting, using, or disclosing personal information from children. Consent must be received by a means that reasonably ensures the individual giving consent is the child’s parent. The following are acceptable ways to verify consent:
- Having a parent sign a consent form and submit it by mail, fax, or electronic scan;
- Requiring a parent to use a credit or debit card in connection with a monetary transaction;
- Having a parent call a toll-free number and speak with trained personnel;
- Having a parent contact trained personnel by video conference; or
- Checking a parent’s government-issued ID against databases of these IDs to verify the parent’s identity.
Other methods of verifying consent may be used if approved by the FTC. If information to be gathered will not be disclosed, the website operator may seek consent by email, but only if other steps are taken to confirm that consent was actually given. Confirmatory steps may be a follow-up email, a postal letter, or a telephone call. Operators using this method must give notice that the parent can revoke consent given in response to an email from the operator.
Prior parental consent is not needed when contact information is collected from the child for the sole purpose of obtaining consent to gather information, to inform the parent about the child’s participation on the site, to respond to a single, specific request from a child, to protect the safety of a child participant on the website, to protect the security of the website, to take precautions against liability, to respond to judicial process, or to provide information to law enforcement. If the information is collected to protect the child’s safety, the parental notice must still be sent after the information is collected.
Right to Review
The parent has the right to review information collected from the child upon request. The parent also has the right to review a description of the categories of personal information collected. The parent may, at any time, refuse to permit the further collection or usage of information and require that information already gathered be deleted.
Information Confidentiality and Security
Website operators must employ reasonable procedures to maintain the confidentiality, security, and integrity of information collected from children. If children’s personal information is released to service providers or third parties, the operator must obtain assurances that service providers and third parties are capable of maintaining, and will maintain, the information’s confidentiality, security, and integrity.
Information Retention
Any personal information collected from children may be retained “only as long as is reasonably necessary to fulfill the purpose for which the information was collected.” After this time period has passed, the operator must delete collected information in a way that reasonably prevents the information from being accessed without authorization.
Safe Harbor Programs
Industry groups and other entities may create self-regulatory program guidelines and seek the FTC’s approval of these guidelines. In order to be approved, the program must require website operators to provide the same or greater confidentiality and security protections and follow the same data retention policies stipulated under COPPA. The program must also include a mandatory mechanism to independently assess operators’ compliance, and provide for acceptable disciplinary actions against program participants that fail to comply with requirements. The FTC must seek public comment in the Federal Register on all applications before they can be approved. Safe harbor program applications will be approved or denied within 180 days of when the application was filed.
Penalties
Violations of COPPA are treated as unfair or deceptive acts and practices, and website operators that violate COPPA are liable for up to $16,000 per violation.