COPPA Cabana
What Is This Page?

This page is a notice, required by COPPA, related to information practices of this site regarding personal information and privacy of children. This page also provides background and impact information regarding COPPA.

Other Privacy Pages On My Site

General Privacy Page

The general privacy page provides an overview of all of my privacy policies. Although it is lengthy and thorough, I still think it is easy to read. You might even find a bit of humor if you look for it. It also provides links to my specific privacy pages including:

CIPEA Tone

On Wednesday, 26.Jul.2000, Senators Spencer Abraham, John McCain and John Kerry introduced the Consumer Internet Privacy Enhancement Act (CIPEA). This proposed legislation never made it into law. But I used the law as a model to construct a privacy statement which would comply. I did it as an exercise in learning more about privacy principles. I have created a CIPEA privacy disclosure page (which I call CIPEA Tone) to clarify the notices proposed by CIPEA (Consumer Internet Privacy Enhancement Act). All of the disclosures on the CIPEA Tone page are duplicates of disclosures on my privacy page, but they have been "organized" according to the structure of CIPEA. This page also provides background and impact information regarding CIPEA and links to other articles and resources for CIPEA.

OECD Privacy Statement

A long, long time ago, on 23.Sep.1980, the Organization for Economic Co-operation and Development (OECD) issued Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. (Did you notice that date? 1980!! Privacy issues are not new.) Recently OECD created the OECD Privacy Statement Generator to help organizations create privacy statements to post on websites. I have created an OECD Privacy Disclosure page (which I call OECD Privacy-D) to stipulate how this site complies with the seven privacy principles.
All of the disclosures on the OECD Privacy-D page are duplicates of disclosures on my privacy page, but they have been "organized" according to the structure of the OECD Privacy Principles. This page also provides background and impact information regarding the OECD Privacy Guidelines and links to other resources for the OECD Privacy Guidelines.

A Summary

Understand that you have to read this entire page to obtain the complete disclosure required by COPPA. But, the important parts are:
When Did COPPA Happen?

On 21.Oct.1998, the U. S. Congress passed COPPA: the Children's Online Privacy Protection Act of 1998. The act required the FTC (Federal Trade Commission) to enact rules to administer the act by 21.Oct.1999. The FTC did that and published the final rule in the Federal Register on 03.Nov.1999. The final rule became effective on 21.Apr.2000.

Where Are the COPPA Rules?

You can see a copy of the final rule, published by the FTC, together with a complete discussion (in beautiful, bureaucratic legalese) of the rule at www.ftc.gov/os/1999/10/64fr59888.pdf.

What Sites Does COPPA Apply To?

COPPA applies to
Interestingly enough, this site might fall into both categories. I'll explain more below. In addition, COPPA only applies to commercial sites, and not to not-for-profit sites. The rules state, in part,
So, is this a commercial site? I'll talk about that too.

What Does COPPA Require?

If COPPA applies, the website operator must:
What Is a "Child"?

A child is any person less than 13 years old.

What Is "Personal Information"?

"Personal information" means individually identifiable information about an individual collected online, including:
Interestingly enough, one item of "personal information" that was not discussed anywhere within the federal regulations that I can find is the URL of a child's website! It seems that none of the federal regulators and none of the commenters considered that children might have their own websites. In addition to all the information described above, this website considers the URL of a child's website to also be "personal information".

Is This Site, The Refrigerator Door, Affected?

That is a good question. And there is no simple answer. As I discussed above, I would be affected if I fit either of the two criteria:
Interestingly enough, this site might fall into both categories. I'll explain more below. And, as I mentioned above, I would be affected only if this is a "commercial" website.

Does This Site "Target" Children?

I wouldn't have thought so. But consider these facts. While developing my site I sought certifications from a variety of rating services and child safety programs to indicate that my site was safe for children. (These include Excalibur Realm, RSACi, Virtuosity.com Family Friendly Site, SafeSurf, Safe for Kids, and SOS's Operation Sandbox.) It turns out that the FTC may consider the fact that I tout my site as "child safe" as indicating that I "target" children. For example, the rules state:
In other words, the fact that I have all those cute little buttons posted on my Front Door saying I'm child safe, may work to convince the FTC that I'm targeting children. In contrast, if I said "Hey, my site isn't suitable for kids and only adults should come here.", then I'd be less likely to be considered "covered" by COPPA. Also, my site contains lots of factual information that a child may find of interest for doing research at school. I have, in fact, received emails from teachers either requesting information on a page they could not find or thanking me for assisting one of their students with a research project. This might also indicate to the FTC that I "target" children.

What "Personal Information" Does This Site Collect?

In addition to the question of whether I "target" children, the other issue is whether I have "actual knowledge" that I collect "personal information" from children. I offer three opportunities for people visiting my site to give me "personal information":
According to the rules, if I have "actual knowledge" that the information comes from a child (someone younger than 13) then I would also be subject to COPPA, even if I don't "target" children. Let's look at each of these three individually and see what COPPA says.

If a child emails me and asks me a question, s/he may or may not disclose age. If the child does not disclose age, then I have no reason to be concerned. But if I do learn age, and if it is less than 13, then I am permitted by COPPA to answer, once. This particular event is covered by a specific exception. But it also requires that I delete all records of the child (e.g., the email address). [What doesn't seem to be specified anywhere in the act is what happens if my seven year old niece writes me an email. Does the fact that I operate a website suddenly make my online communication with my family subject to federal law? Do I need to solicit formal approval from my brother and keep a written record? I act on the presumption that COPPA does not cover personal email I receive from children I know personally.]

Signing Up for My Email/Ezine Lists

This also discloses "personal information": the email address. Now, prior to COPPA I wouldn't have ever known that the subscriber was a child. Thus I would never have "actual knowledge" and wouldn't have been concerned. Cool, huh. The less I know, the easier it is.

Signing the Guestbook

Wow. Turns out this one is a real Pandora's Box. All the information in the Guestbook is optional. I even added the Guestbook at the request of people writing me. Yet, the fact that a child might disclose "personal information" in my Guestbook might make me subject to COPPA. Now, if I never read my Guestbook, I'd never have "actual knowledge" and I'd be ok. And, if I somehow "knew" that the poster was under 13 and deleted the post before it actually posted I'd be ok. But, I only review my Guestbook when I have time.
By the time I review it, some 12 year old could have signed it, said they were 12, given their email address, name, phone number and any other "personal information" they want. So, looks like on this one I am subject to COPPA.

Applying to a Webring

Webrings are communities of websites, united by a common interest and organized into a circular "ring" of mutual links, together with some technology to make it all work. Links on each page permit you to go from site to site, to travel the entire webring, eventually returning to the page from which you started. Links also permit you to access the list of member sites and to join the webring. (This definition is from my Webring FAQ, part of the Webring Section of my website.) This information is fundamental to the operation of a webring. It can't work without it.

Is This a "Commercial" Website?

Consider again the language from the rules:
I use this site to promote my professional speaking business. I use this site to promote my consulting business. I use this site to host my resume. I use this site to obtain thirty cents of revenue when you sign up for some newsletters on my Links page. I link to booksellers and participate in their affiliate program to receive some revenue if people buy a book. Although making money is not the primary purpose of this site, I wouldn't want to argue in a court of law that I am not commercial. And, I am not a not-for-profit organization, so I'm going to presume I am covered.

Obtaining Parental Permission

COPPA requires that if I "target children" or if I have that "actual knowledge" that I am collecting "personal information" from children that (except for a couple special cases), I must obtain parental permission to collect and maintain that information. Man. What a pain. Modify forms to ask for parent contact info. Then contact parents through the mail. Then get the info. And institute some system to keep out 12 year olds that haven't been "approved". Of course, I'd need a system to let parents inspect the records. And don't forget to keep all the files for government audits and inspections. Or, subscribe to one of the commercial services that has sprung up to make a lot of money helping websites comply with COPPA. All that might make sense for a big commercial site. But, why oh why would I want to worry about that. I don't. There's no point. None. Zip. Zero.

Surely It Isn't That Difficult to Comply

Consider these quotes from the media about compliance costs:
Solution: No Solution

The only solution that makes sense for me is to not collect "personal information" from children.

Overall Policy

My overall policy is simple:
That Seems Extreme. Yep. They have. Sites that have stopped serving children include:
Or consider:
And one more:
I include a number of links at the end of this page to articles about COPPA. Some of these describe the actions sites are taking. And they also describe the problems of encouraging children to lie. (That's what we call a "teaser"; it is supposed to keep you reading.)

How Has This Site Implemented This Policy?

I have implemented this policy in two ways.
In particular, I have implemented these policies through directed changes and statements on the various affected pages of my site (e.g., my email/ezine lists (e.g., Snippets and TestZine), my Guestbook page, my webrings pages and my page providing email addresses).

Implications for My Email/Ezine Pages

I now ask the visitor their age. If the visitor clicks the "12 or younger" button, I tell the visitor I cannot subscribe him/her. If the visitor clicks the "13 or older" button, I tell the visitor how to subscribe. In addition, if a visitor lies about being "13 or older", subscribes and I subsequently discover it, I unsubscribe them. I have also posted prominent information about COPPA and prominent links to this page.

Implications for My Guestbook Page

I ask the visitor their age. If the visitor clicks the "12 or younger" button, I tell the visitor not to give me "personal information". Also, in that case, I use a special version of the form on which I removed the parts that asked for "personal information". If the visitor clicks the "13 or older" button, I give the visitor the "complete" subscription form. I have also posted prominent information about COPPA and prominent links to this page. On the actual "form" which accepts Guestbook data, I have, to the extent I can, included links to this page. The actual "form" does not reside on my site and my ability to include such links is severely limited. However, I've done everything I can there to include such information.

Implications for My Webrings Pages

Overall

First, I have established a policy of not accepting webring members who are younger than 13 (or, in the case of webrings on the RingSurf system, younger than 14). If I discover a member who violates these provisions, I delete the membership.

RingSurf

For my RingSurf based webrings, I enforce these provisions by asking for age as part of the join process.
I have also posted prominent information about COPPA and prominent links to this page on each of my webring data collection pages for my RingSurf webrings.

Ringlink

For my webrings using the Ringlink system, I cannot easily inquire about age during the signup process (because I cannot easily modify the system), so I have modified the confirmation email to inquire about age.

WebRing.com

For my webrings within the WebRing.com system, I rely on the WebRing.com system to prescreen. Currently, that system will not create an account for someone less than 13 years old. (Note that the WebRing.com system does not provide information about this. And, it does not even provide an error message if an individual less than 13 years old attempts to create an account. It even provides a confirmation page to say that the account is created. But, in fact, account creation does not occur in such cases and attempts to log in with such an account will fail.)

General Site Changes

Finally, I have posted links to this page in the left menu column on every page in my webrings sections, even on pages that do not collect information.

Implications for My Email Contact Page

I have posted prominent information about COPPA and prominent links to this page from my page providing email addresses. And, I have posted links to this page in the left menu column on that same page. This information states my policy of complying with the "one time use" exception for email from children under 13.

Can Children "Cheat"?

Absolutely. The law may even encourage it. (See the Widstrom quote on this page above.) Despite hours of hearings, tens, maybe hundreds of thousands of tax dollars spent in legislating the act and finalizing the rules, despite hundreds of thousands of dollars being spent on sites to comply, nothing in the act, and nothing in the rules, deals with the ingenuity of children. The 12 year old (and 10 and 8 and 6 and 4) are smarter than anyone at the FTC or the U. S. Congress wants to admit.
It will take children about five minutes to figure out that admitting they are under 13 means they either have to wait for their parent's permission, or, even worse, that they can't do some things. And it will only take another five minutes to figure out that a website cannot verify their answers and that there is no penalty for "lying". Also, some children will use a second email address (theirs or a friend's) to "forge" their parents' permission. Nothing in the act, the rules or the implementations will stop children from "cheating". Parents must act to help with this issue. As an example, on my site, if a child posts an entry on my Guestbook, and says s/he is "13", then I proceed relying on that. If a child sends me an email and says s/he is "13", then I proceed relying on that.

Isn't That a Bit Cynical?

I don't think so. Consider these quotes from articles about children's reactions to the law.
How Do Big Sites Comply?

For example, go to the Disney site to join their club at disney.go.com/sign-in/index.html. Notice that the child gets to "choose". If the child chooses "less than 13", the parent's email is asked for and the parent is solicited for permission. If the child chooses "13-18", the parent email is asked for but the parent is only notified. If the child indicates "adult", no parental information is asked for. However, again, notice that there is no way to ensure that the child answers "correctly".

What Does COPPA Require of This Site?
General Requirement 1
General Requirement 2
General Requirement 3
General Requirement 4
General Requirement 5
In the sections below, I will review each of these requirements and how I comply with these requirements.

General Requirement 1
COPPA requires that I post a notice. That is what this page is for. This page is the notice. Now, COPPA also specifies a boatload of requirements about the notice. In particular, COPPA requires:
Notice Requirement 1
Notice Requirement 2
Notice Requirement 3
Notice Requirement 4
Notice Requirement 5
Notice Requirement 6
Notice Requirement 7
Notice Requirement 8
Notice Requirement 9
Notice Requirement 10
Notice Requirement 11
Now, let's review each of these requirements and how I comply with each one.

Notice Requirement 1
I have had this notice reviewed by colleagues to confirm that it is clear and understandable. I have worked to ensure that it is complete, in compliance with both the letter of the law and implementing rules. And nothing in this notice is unrelated to the notice, nothing is confusing and certainly nothing is contradictory. I have even included additional explanatory and supplementary material related to COPPA. In other words, I've done more than any other site I've been able to find.

Notice Requirement 2
As I have indicated earlier, I cannot with certainty determine which category this site falls into. And there are no provisions for the FTC to review my site and tell me. And I'm not planning to contract with one of the legal firms doing such reviews and pay them a $10,000 fee for such a review. So I have elected to comply with "all" the requirements. I have posted a link on the home page of my site. I have posted a link on the page for subscriptions to my email/ezine lists (e.g., Snippets and TestZine). I have posted a link on the page for my Guestbook. I have posted a link in the "menu column" of every page in the webrings section of my site. And I have posted a link on the page providing email addresses to contact me. I have used text links, the FTC Website Kidz Privacy graphic (such as the one at the top of this page) and my own COPPA Child Privacy graphic to make each of these links distinctive.

Notice Requirement 3
To assist with this labeling, I have used text links, the FTC Website Kidz Privacy graphic (such as the one at the top of this page) and my own COPPA Child Privacy graphic to make each of these links distinctive.

Notice Requirement 4
I have placed this link immediately beneath the other navigation bars on the page. I have used larger type and a different color to clearly distinguish the link. And I have used a graphic supplied by the FTC. And, on the other pages (e.g., Guestbook, my email/ezine lists (e.g., Snippets and TestZine), webrings and my page providing email addresses), I've done the same.

Notice Requirement 5
On all such pages (e.g., Guestbook, my email/ezine lists (e.g., Snippets and TestZine), webring data collection pages and my page providing email addresses) I've included the graphic links in the left-hand navigation column and also at the bottom of the page in a prominent location.

Notice Requirement 6
I am the only operator. The information required by the notice is:
Notice Requirement 7
I do not collect any "personal information" from children, unless such information is submitted by the child in contravention of stated policies of this site. Whenever I obtain "actual knowledge" that "personal information" has been collected from a child, such information is promptly deleted. Children, in violation of the stated policies of this site, could submit as "personal information" all items listed by the FTC (see above), their website URL (which I consider to be "personal information" but the FTC didn't list), plus anything and everything else. This is because the forum for submitting such information permits free form text entry.

Notice Requirement 8
I do not collect any "personal information" from children, unless such information is submitted by the child in contravention of stated policies of this site. Whenever I obtain "actual knowledge" that "personal information" has been collected from a child, such information is promptly deleted. I do not "use" such information. Period. "Personal information" submitted by "non-children" is used to:
Notice Requirement 9
I do not collect any "personal information" from children, unless such information is submitted by the child in contravention of stated policies of this site. Whenever I obtain "actual knowledge" that "personal information" has been collected from a child, such information is promptly deleted. I do not "use" such information. Period. "Personal information" submitted by "non-children" is disclosed to:
No contractual obligations currently exist to maintain the confidentiality, security and integrity of "personal information" from children because I do not collect any "personal information" from children. Oh, and one other thing: since I have the obligation to advise you that the parent has the option to consent to the collection and use of their child's "personal information" without consenting to the disclosure of that information to third parties, let me formally advise you that the parent has the option to consent to the collection and use of their child's "personal information" without consenting to the disclosure of that information to third parties.

Notice Requirement 10
I do not collect any "personal information" from children, unless such information is submitted by the child in contravention of stated policies of this site. Whenever I obtain "actual knowledge" that "personal information" has been collected from a child, such information is promptly deleted. However, since I must disclose that I am prohibited from conditioning a child's participation in an activity on the child's disclosing more "personal information" than is reasonably necessary to participate in such activity, let me state clearly and unequivocally that I am prohibited from conditioning a child's participation in an activity on the child's disclosing more "personal information" than is reasonably necessary to participate in such activity.

Notice Requirement 11
I do not collect any "personal information" from children, unless such information is submitted by the child in contravention of stated policies of this site. Whenever I obtain "actual knowledge" that "personal information" has been collected from a child, such information is promptly deleted. But, I'm working hard to be absolutely compliant. So, because they insist that I must disclose that the parent can review and have deleted the child's personal information, and refuse to permit further collection or use of the child's information, and state the procedures for doing so, let me say with all the conviction I can express that the parent can review and have deleted the child's personal information, and refuse to permit further collection or use of the child's information. The procedure for doing so is simple: do nothing. If the parent does nothing, I will automatically delete any "personal information" submitted by a child in contravention of stated policies of this site. Further, if the parent does nothing, no further information will be collected, unless, of course, posted by a child in contravention of the stated policies of this site. But, if the parent of a child discovers that a child, through the use of deceit and deception and fraud and in contravention of the stated policies of this site has concealed their "childishness", and, in so doing has submitted "personal information", the parent may let me know by, provide sufficient information to ensure that they are the parent of that child, and make their request.

General Requirement 2
I do not collect any "personal information" from children, unless such information is submitted by the child in contravention of stated policies of this site. Whenever I obtain "actual knowledge" that "personal information" has been collected from a child, such information is promptly deleted. Thus, I won't be requesting any verifiable parental consents.

General Requirement 3
I do not collect any "personal information" from children, unless such information is submitted by the child in contravention of stated policies of this site. Whenever I obtain "actual knowledge" that "personal information" has been collected from a child, such information is promptly deleted. Because I do not collect any personal information from children, unless such information is submitted by the child in contravention of stated policies of this site, and because whenever I obtain "actual knowledge" that "personal information" has been collected from a child, such information is immediately deleted, there is generally no way for a parent to review the information collected. For a parent to refuse to permit further use or maintenance, the parent should do nothing. If the parent does nothing, I will automatically delete any "personal information" submitted by a child in contravention of stated policies of this site. Further, if the parent does nothing, no further information will be collected, unless, of course, posted by a child in contravention of the stated policies of this site. But, if the parent of a child discovers that a child, through the use of deceit and deception and fraud and in contravention of the stated policies of this site has concealed their "childishness", and, in so doing has submitted "personal information", the parent may let me know by, provide sufficient information to ensure that they are the parent of that child, and make their request.

General Requirement 4
I don't. And, in compliance with Notice Requirement 10, I've explicitly disclosed this on this notice page.

General Requirement 5
I did and do. I delete the information. Can you think of anything more secure?

Summary

My overall policy is simple:
Site Rating Systems

I have strongly mixed feelings about the use of rating systems instead of parental supervision and monitoring. My opinions are not clearly formed. While I work on these opinions, I've chosen to go ahead and list my site as being family safe, child safe, etc.

Links On My Site
Links Across the Net
Law.com

Most of the Law.com links shown require a subscription. (Note that at least one does not require a subscription and is free.) However, Law.com offers a free 30-day trial subscription and the option to bill. Using this option web visitors can, on a one time basis, access the site to see these articles, as well as search for other articles and read new articles for 30 days without charge.

This page created: before Wed, 16.Aug.2000