COPPA: 10 rules every business should know before July 1

Matt McDonnell is vice president of operations at Famigo.

There’s lots of talk about the Children’s Online Privacy Protection Act (COPPA), but do you really understand how the law works?

COPPA was enacted in 1998 and was enacted to protect the privacy of children under 13 years of age. COPPA charged the Federal Trade Commission (FTC) with creating the regulations necessary to implement the law.

The original act also required that the law be reviewed five years after the effective date of the regulation (April 21, 2000). This review took several years and various stakeholders were given the opportunity to comment on the proposed revisions. The revised COPPA Rule was released in December 2012 and is set to go into effect on July 1, 2013.

What follows are 10 questions that every developer should ask herself over the next couple weeks in order to conduct an internal COPPA audit and ensure compliance.

Understanding the rule

1. Did you read it

This seems obvious, but have you read the revised rule yet? It might look big and scary at first, but it’s not rocket surgery — anyone who can develop their own application can grasp the content of the revised COPPA Rule.

2. Does the rule apply to you?

Ask yourself this question: Am I operating a child-directed website or service, or do I have actual knowledge that I’m collecting, using, or disclosing personal information from a child under 13 years of age? If you have any doubt, the smart bet is to assume COPPA applies to you and read on.

3. Do you collect personal information?

According to the COPPA Rule, “Personal information is individually identifiable information about an individual collected online.” Sure, this definition is tautological, but the rule provides clarification by listing 10 kinds of personal information in the definitions of §312.2. The general idea is that personal information is any information that can be matched to a single person. Phone numbers and email addresses are obvious examples, but it’s worth going through the whole list to determine if you collect personal information, as the definition has expanded.

4. What do you collect?

It’s time to compile an exhaustive list of all the information you collect. Remember that feature you built, but never used? Make sure it isn’t still collecting information. Figuring out what you collect is perhaps the most important part of your own COPPA audit. Leave no stone unturned. After all, there’s still time to clean up your act before July 1.

5. What do you need to collect?

Now that you know what you collect, it’s time to understand why you collect it.

It’s useful to divide all the information you collect into two categories: information for the support of internal operations (defined in §312.2) and information that is disclosed to third parties. If it’s for the support of internal operations (e.g. collecting data to optimize product features) make sure you’re using the data and storing it securely. If you don’t use it, stop collecting it. If the information is disclosed to third parties, ask yourself why you’re disclosing that data in the first place. In the general interest of protecting children’s privacy, disclosure of this data should be carefully and rigorously scrutinized.

Disclosure

The primary goal of COPPA is “to place parents in control over what information is collected from their young children online.” In order to accomplish this task, it’s important for developers to think carefully about how they communicate with parents and what they communicate to parents in order to meet this goal.

6. Do you have a privacy policy?

The first step in effectively communicating with parents is to have a well-written privacy policy. This can seem like a daunting task to non-lawyers, but there are plenty of good resources to help you out.

Here are a few tools to help you get started:

• Generate Privacy Policy.com
• Better Business Bureau Start With Trust
• Rocket Lawyer

We also recommend looking at the privacy policies of developers who are doing similar work or offering similar services. What’s more important than perfect legalese is honesty and transparency.

7. How are you going to provide notice of your privacy practices?

Congratulations, you now have your very own privacy policy! Now, how are you going to tell parents about your data collection, use, and disclosure practices? The California Attorney General provides some really good guidance in Privacy on the Go: Recommendations for the Mobile Ecosystem — and as always, reread the rule.

8. Have you read the FAQ?

I’m willing to bet that you probably have questions at this point. The good news is that you’re not alone. In May the FTC released a set of FAQs to address the most common and vexing questions they had received in the months since the amended rule was released. The good news is that you’ll probably find some clarification to your questions, but be prepared to add some items to your to-do list as well.

Iteration

Developers are certainly not strangers to constant product iterations and you should get used to thinking of your privacy-related activities the same way. Children’s privacy is very important, and if you take your obligation seriously, it will require constant refinement.

9. Have you considered getting a second opinion?

Even if you consider yourself a technology and privacy guru, it’s always nice to have someone else tell you that you’ve gotten it right. There are lots of companies out there that offer a range of consulting and certification services and you can always ask your attorney. With lots of choices, make sure that you identify someone who fits your needs. The prospect of finding yourself on the wrong side of the law and the FTC is scary, but especially for small developers, it’s worth thinking about whether you’re committing too many resources to certify your compliance when you’re already following all the rules.

You might find it useful to look into the Kidsafe Seal. The KidSAFE Seal Program awards websites and technologies the “KidSAFE Seal” if they are in compliance with the five “core safety rules”:

1) Safely-designed chat and community features (if any exist)
2) Rules and educational info about online safety
3) Procedures for handling safety issues and complaints
4) Parental controls over child’s account
5) Age-appropriate content, advertising, and marketing

Other resources include COPPA Safe Harbor Programs. The following FTC-approved safe harbor programs provide businesses with the ability to self-regulate when it comes to COPPA compliance:

• Truste
• Privo
• ESRB
• Aristotle
• CARU

10. What’s next?

Not only should you constantly iterate on your own, but you’ve just gotten a second opinion from an expert. And experts, by their very nature, earn their keep by having opinions and suggestions, so it’s probably time to return to an earlier step and resume the process.

A final thought

Hopefully this 10-step guide is helpful in starting you on your journey to COPPA compliance. This information is not meant as legal advice, but it does accurately reflect a process that we’ve used ourselves and that other developers have had some success with too. If you have suggestions or care to share your own experiences please leave a comment.

With a varied past as an Outward Bound sailing instructor, elementary school teacher, and non-profit administrator, Matt does a little bit of everything at Famigo, an Austin, Texas-based startup that builds technology to protect kids and families on mobile devices. A native of Scranton, Pennsylvania, Matt holds a B.A. in Philosophy from Colgate University, an MBA from the College of Charleston, and is currently taking a leave of absence from the University of Texas School of Law. Follow Matt on Twitter @mmmcdonnell.

Image via GamesNews