How to comply with COPPA By: Gen Li

COPPA for Newbies


Famigo helps you understand the COPPA regulations and best practices to comply with the regulations.


Page 1: COPPA for Newbies

How to comply with COPPA
By: Gen Li

Page 2: COPPA for Newbies

Disclaimer

This is not legal advice. You must not rely on the information on this slide as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter, you should consult your attorney or other professional legal services provider. You should never delay seeking legal advice, disregard legal advice, or commence or discontinue any legal action because of information in this presentation.

Page 3: COPPA for Newbies

What is COPPA?

Page 4: COPPA for Newbies

A type of meat?

A restaurant’s name?

!

Page 5: COPPA for Newbies

COPPA

• The Children’s Online Privacy Protection Act (COPPA) was enacted by Congress in 1998. COPPA required the Federal Trade Commission (FTC) to issue and enforce regulations concerning children’s online privacy. The FTC’s amended Rule became effective on July 1, 2013.

• COPPA’s primary goal is to ensure that parents have control over what information is collected from their young children online.

• The Rule only covers developers that:

(1) operate mobile apps that are directed to children under 13 and collect, use or disclose personal information from children, and

(2) have actual knowledge that they are collecting, using, or disclosing personal information from children under 13.

Page 6: COPPA for Newbies

What does “personal information” include?

(1) first and last name;

(2) a home or other physical address including street name and name of a city or town;

(3) online contact information;

(4) a screen or user name that functions as online contact information;

(5) a telephone number;

(6) a social security number;

(7) a persistent identifier;

(8) a photograph, video, or audio file, where such file contains a child’s image or voice; or

(9) geo-location information sufficient to identify street name and name of a city or town.

Page 7: COPPA for Newbies

If you are covered, what should you do?

• Post a clear and comprehensive privacy policy

• Send direct notice to parents

• Obtain verifiable parental consent from parents

• Provide sufficient security to collected personal information

• Allow parents to review collected information

Page 8: COPPA for Newbies

Post a clear and comprehensive Privacy Policy

Page 9: COPPA for Newbies

What does “comprehensive” mean?

Your privacy policy needs to include the following information:

• The developer and related operators’ personal information, including: (1) name, (2) address, (3) telephone number and (4) email address.

• A description of the types of information the developer collects from children, and how the developer uses the information.

• A statement that parents can review or delete their children’s personal information and prevent future collection.

Page 10: COPPA for Newbies

For example:

Page 11: COPPA for Newbies

What does “clear” mean?

The amended Rule requires the developer to post the privacy policy link in a clear and prominent location on the website or on the landing page.

A “clear and prominent” link must stand out and be noticeable to the site’s visitors. The link is likely to be “clear and prominent” if it is in a larger font size and in all caps in a color that contrasts with the background.

For example:

Page 12: COPPA for Newbies

Send a direct notice to parents

Page 13: COPPA for Newbies

What needs to be in the notice?

1. If the notice is used to obtain a parent’s verifiable consent prior to the collection of a child’s personal information, then you must:

• State that you have collected the parent’s online contact information from the child, and that it is only used to obtain the parent’s consent;

• State that the parent’s consent is required for the information collection;

• List the personal information that is going to be collected if there is consent;

• Include a hyperlink to your privacy policy;

• State how the parent can grant verifiable parental consent; and

• State that if the parent does not provide consent within a reasonable amount of time, then you will delete the parent’s online contact information.

Page 14: COPPA for Newbies

2. If the notice is to provide a parent with information about the child’s online activities and does not involve personal information collection, then:

• State that you have collected the parent’s online contact information from the child, and that it is used to obtain the parent’s consent;

• State that the parent’s online contact information will not be used or disclosed for any other purpose;

• State that the parent can prevent the child from using the app and may require you to delete the online contact information, and how the parent can do so; and

• Include a hyperlink to your privacy policy.

Page 15: COPPA for Newbies

• For example:

Page 16: COPPA for Newbies

How to send a notice?

Based on section 312.4 (b) of the amended Rule, you must make reasonable efforts, taking into consideration the available technology, to ensure that a parent or child receives the direct notice.

There is no absolute standard about what counts as a proper way to send a direct notice, and you need to make your own decision based on the available technology and information.

For example:

Page 17: COPPA for Newbies

Obtain verifiable parental consent from parents

Page 18: COPPA for Newbies

Obtain verifiable parental consent from parents

• Existing approved verifiable parental consent methods

• Alternative “Email-plus” method

Page 19: COPPA for Newbies

Existing approved verifiable parental consent

• Provide consent through mail or fax;

• Provide information about a credit card or a debit card;

• Call a toll-free telephone;

• Send consent via video-conference;

• Check a government-issued identification.

Page 20: COPPA for Newbies

Alternative “Email-plus” method

If you will only use the personal information for internal purposes, then you can use the next two steps:

First, send an email to the child’s parent, and the parent can manifest his consent in the return email.

Second, after receiving the email consent, you need to either (1) make a confirmation phone call, fax or letter to the parent; or (2) send a confirmation message via the parent’s online contact information within a reasonable amount of time.

Page 21: COPPA for Newbies

Provide sufficient security to collected personal information

Page 22: COPPA for Newbies

Provide sufficient security to collected personal information

• COPPA requires developers to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

• If there is an industry security standard, FOLLOW IT!

For example:

Page 23: COPPA for Newbies

Allow parents to review collected information

Page 24: COPPA for Newbies

Allow parents to review collected information

• Based on section 312.6 of the COPPA Rule, upon a parent’s request, the developer must grant the parent access to the collected personal information.

For example: