
The Essential Lawyer: Protecting Children's Privacy on the Web

Failing to comply with the children's online privacy law can be costly. Don't be a casualty.

Given the power of the Internet, companies and individuals have the ability to collect substantial personal information, from Social Security numbers to shopping preferences. While much of this information gathering is perfectly legal, the Children's Online Privacy Protection Act (COPPA), a law that regulates the online collection of personal information of children under the age of 13, requires that particular care be taken when collecting information from children. COPPA aims to protect children's privacy and to enable parents to protect the privacy of their children online.

COPPA applies not only to child-oriented Web sites but also to any commercial site where the operator knowingly collects personal information from children or information that could enable someone to contact or identify a child, including a child's name, mailing address, email address or phone number.

The Federal Trade Commission (FTC) takes COPPA violations seriously. Earlier this year, for example,, a social networking site on the Internet, agreed under the terms of a settlement with the FTC to pay a $1-million civil penalty for violating COPPA.

To avoid a similar fate, determine whether COPPA applies to your company, and if it does, make sure you comply with its requirements. Here are a few of the most important steps you need to take prior to collecting information about children.

Place a COPPA privacy notice on your company's Web site. COPPA requires that a "clear and prominent" link to your company's privacy notice be placed on your Web site and on any site page where information about children is collected. COPPA also requires that this notice contain specific information, including detailed contact information for the entity collecting the information, the kinds of information collected, how the information will be used, whether the information is disclosed to third parties, and the right of parents to consent to the collection of information from their children.

Provide direct notice to parents. Your company must provide direct notice to parents. In addition to including the same information contained in the COPPA privacy notice, the parental notice must explain how parents can provide verifiable consent, which is required prior to collecting personal information about a child. Further, COPPA requires that operators account for "available technology" in whatever processes they use to ensure that they have received consent from an individual verified as the parent of the child whose data is in question. Two examples of acceptable methods to indicate consent are a signed form mailed or faxed by a parent and having a parent call a toll-free number staffed by trained personnel. COPPA requires that a company's notice state, among other things, that a parent has the right to revoke consent at any time, and the notice must describe the procedure for doing so.

Obtain consent for public and third-party disclosures. Your company must obtain consent before it can disclose information collected from children. Further, your company must give parents the option to revoke their consent to disclose their children's information to third parties. Finally, your company must provide to parents upon request any information it collects from their children.

You should always consult experienced counsel who can assist you in drafting the required policies and who can guide you in your compliance efforts. For more information, go to

Next: Drafting limitations of liability in IT contracts.

Matt Karlyn, J.D., M.B.A., is a member of Foley & Lardner LLP's Information Technology & Outsourcing Practice Group in Boston. Write to him at

This was last published in January 2007
