COPPA applies not only to child-oriented Web sites but also to any commercial site where the operator knowingly collects personal information from children or information that could enable someone to contact or identify a child, including a child's name, mailing address, email address or phone number.
The Federal Trade Commission (FTC) takes COPPA violations seriously. Earlier this year, for example, Xanga.com, a social networking site on the Internet, agreed under the terms of a settlement with the FTC to pay a $1-million civil penalty for violating COPPA.
To avoid a similar fate, determine whether COPPA applies to your company, and if it does, make sure you comply with its requirements. Here are a few of the most important steps you need to take prior to collecting information about children.
Place a COPPA privacy notice on your company's Web site. COPPA requires that a "clear and prominent" link to your company's privacy notice be placed on your Web site and on any site page where information about children is collected. COPPA also requires that this notice contain specific information, including detailed contact information for the entity collecting the information, the kinds of information collected, how the information will be used, whether the information is disclosed to third parties, and the right of parents to consent to the collection of information from their children.
Provide direct notice to parents. Your company must provide direct notice to parents. In addition to including the same information contained in the COPPA privacy notice, the parental notice must explain how parents can provide verifiable consent, which is required prior to collecting personal information about a child. Further, COPPA requires that operators account for "available technology" in whatever processes they use to ensure that they have received consent from an individual verified as the parent of a child whose data is in question. Two examples of acceptable methods to indicate consent include a signed form mailed or faxed by a parent and having a parent call a toll-free number staffed by trained personnel. COPPA requires that a company's notice state, among other things, that a parent has the right to revoke consent at any time and this notice must describe the procedure for doing so.
Obtain consent for public and third-party disclosures. Your company must obtain consent before it can disclose information collected from children. Further, your company must give parents the option to revoke their consent to disclose their children's information to third parties. Finally, your company must provide to parents upon request any information it collects from their children.
You should always consult experienced counsel who can assist you in drafting the required policies and who can guide you in your compliance efforts. For more information, go to www.ftc.gov/kidsprivacy.
Next: Drafting limitations of liability in IT contracts.
Matt Karlyn, J.D., M.B.A., is a member of Foley & Lardner LLP's Information Technology & Outsourcing Practice Group in Boston. Write to him at firstname.lastname@example.org.