Despite millions of parents' concern over children surfing the Internet, sub-$500 PCs are making the Net more accessible to kids. This includes kids between the ages of 4 and 12, who spend about $24 billion a year in the U.S. and convince others to spend another $188 billion on them. Add those together and you have opportunities galore for small businesses ... opportunities to have direct contact with kids, whose minds are so vulnerable one moment yet so persuasive the next.
Enter government regulation. To address concerns over privacy and security, Congress enacted the Children's Online Privacy Protection Act ("COPPA"). Of particular importance to small businesses is a COPPA provision that requires operators of web sites and online services to obtain verifiable parental consent before children may be permitted to provide certain identifying information. Obtaining this consent could be very time-consuming and expensive.
The act doesn't go into effect until the FTC completes its rules, providing businesses with specific guidelines (you can keep up on this process by visiting the FTC site, http://www.ftc.gov). However, now is a good time to start gearing up for some changes. Here's a glimpse at the federal law so your biz can be ahead of the game.
WHO WILL BE REGULATED?
Will you be expected to comply with COPPA? Here's a checklist to help you answer this question.
First, determine if you're one of the people who are governed by COPPA. "Operators" of certain web sites and online services, as well as some people working with these operators, are governed by this Act.
With the exception of non-profit organizations, an "operator" is any person or company who:
- Operates an Internet web site or an online service; AND
- Collects or maintains personal information; AND
- That personal information comes from, or is about, the users or visitors to the web site/online service; AND
- The web site or online service is operated for commercial purposes; AND
- This commercial purpose involves commerce across state lines, from a state to foreign countries, or with/between U.S. territories.
COPPA also governs:
- Anyone who collects or maintains the personal information on behalf of the operator of the web site or online service; OR
- Anyone who offers products or services for sale through that web site or online service.
Second, determine if the site or service is covered by the Act. It governs those commercial sites or services that are "directed to children" (i.e., targeted to children) under the age of 13. This includes:
- Sites/services that are directed to children in their entirety, or only that portion of a site/service that is directed to children;
- Sites/services whose operators have actual knowledge that they are collecting personal information from a child.
COPPA excludes from the regulations those sites or services that solely refer or link to commercial web sites or services directed to children by using directories, links, references, pointers, indexes, etc.
Third, determine if you are collecting or maintaining "personal information." The Act concerns information that is "individually identifiable information" about the child that is collected online. It includes any of the following:
- A first and last name;
- A home or other physical address;
- An e-mail address;
- A telephone number;
- A social security number; or
- Any other information that the FTC determines permits the physical or online contacting of a specific child.
If COPPA governs your activities, then you must comply with certain information collection practices.
The FTC is required to draft rules by October 1999 that cover such things as Notice, Consent, Access, and Security.
The rules will:
- Require operators to provide NOTICE on the site regarding what information is collected, how it's being used, and what their disclosure practices are for such information;
- Require operators to obtain CONSENT - verifiable parental consent - for the collection, use, or disclosure of the personal information;
- Require operators to provide, upon the parent's request (upon proper identification of the parent), ACCESS to the specific types of personal information collected from the child, the opportunity to refuse to permit the operator's further use or maintenance in retrievable form of personal information from that child, and a reasonable means for the parent to obtain any personal information collected from that child;
- Require the operator to establish and maintain reasonable SECURITY procedures to protect the confidentiality, security, and integrity of the personal information;
- Prohibit operators from conditioning a child's participation in a game, the offering of a prize, or any other activity on the child disclosing more personal information than is reasonably necessary to participate in the activity.
There are exceptions to the requirement to obtain this consent. The FTC rules will describe them in detail.
TO COMPLY OR NOT TO COMPLY
How can a small business avoid the expense of coming up with sufficient guidelines and notices to comply with this Act? The answer lies in COPPA.
Congress and the FTC are encouraging self-regulation. Therefore, the rules will include provisions that will deem a person to be in compliance if:
- Guidelines issued by marketing and online industries (or other persons) are approved by the FTC; and
- You comply with those guidelines.
Once COPPA goes into effect (probably around April 2000), failure to comply with the rules will be considered an unfair trade practice. The FTC as well as the attorney general of any state may enforce compliance with the regulations.
The easiest way to follow the rules will probably be to follow approved industry guidelines. So keep checking the FTC site from time to time. I'm sure some guidelines that will work for you will be approved before the law goes into effect.