“If you are developing a website or a mobile app directed to children under the age of 13, you need to be familiar with The Children’s Online Privacy Protection Act (or COPPA.)”
FTC: Personal Liability a Possibility, Large Advertisers a Target, Focus on COPPA
At the annual conference of the National Advertising Division, Federal Trade Commission attorneys and Commissioners spoke about pressing issues in the industry. Among the highlights: executives may be held personally liable when companies engage in false advertising, enforcement of the Children’s Online Privacy Protection Act will remain a priority, and large advertisers are on the FTC’s radar.
Privacy is a serious concern for everyone, from school administrators to parents. Simply clicking “I Agree” or signing up for a new service can mean that you are consenting to provide a company with a wide range of your personal information without a clear understanding of what they will do with it. Where children are concerned, privacy protection is even more important. Fortunately, there are legal safeguards in place to help protect the privacy of our young ones. You may have heard of the Children’s Online Privacy Protection Act of 1998 (COPPA). But do you know what it is and how it protects children’s privacy?
Good stuff about what’s changed with this summer’s FAQs and other info.
The FTC has been busy this summer! In addition to releasing a few online marketing and privacy reports, the nation’s consumer watchdog also issued several updates to the current mac-daddy of U.S. online privacy laws – the Children’s Online Privacy Protection Act (COPPA). The changes are mostly cosmetic and language-oriented – out with “legalese,” in with “plain English” type of adjustments.
Nevertheless, there are a few items worth reviewing.
If you’re a parent, you know that kids under 13 need special accounts designed to protect their unique privacy and safety needs under the Children’s Online Privacy Protection Act (COPPA). COPPA requires online companies to seek verifiable consent from a parent or guardian and protect young users’ privacy and safety online more stringently than adult accounts. It’s designed to keep our young users safer on the Internet and provide their parents peace of mind regarding their children’s online anonymity.
Last week, California enacted bills SB 1177 and AB 1584, strengthening student privacy protections in the State.
Eleven months ago I filed a complaint with the FTC over some bizarre informal policies in place at YouTube and twitter. Mostly these involve the resurrection of deleted accounts of children under 13 when parents give their consent. While this form of quasi-compliance may be admirable, it is not in line with the law because it does not follow the notification requirements as outlined in the COPPA Rule (notification must be direct such as e-mail but also must be present on the site or child directed parts of the site).
Twitter recently has taken this a step further by formally instituting a non-delete policy for children under 13 except in cases where a parent complains. COPPA is violated when personally identifiable information (PII) is coupled with actual knowledge of a child’s age being under 13 unless there is verified parental consent and notification. In the case of twitter, actual knowledge is revealed when the age is included in a tweet or bio.
Twitter is a general audience website and is not required to ask a user’s age (age gate) or patrol tweets or other content to discover and terminate accounts of those underage. However, all sites including twitter are required to act if they inherit actual knowledge which basically means that if the site finds out a kid is on there that shouldn’t be, they must stop collecting personally identifiable information unless they have parental permission. Twitter however has reversed this by stating that it’s OK to collect PII from a child until a parent tells them not to. The actual knowledge standard in regards to children under 13 is covered in Complying with COPPA: Frequently Asked Questions (A GUIDE FOR BUSINESS AND PARENTS AND SMALL ENTITY COMPLIANCE GUIDE) in answer G1 which states:
1. Am I responsible if children lie about their age during the registration process on my general audience website?
The Rule does not require operators of general audience sites to investigate the ages of visitors to their sites or services. See 1999 Statement of Basis and Purpose, 64 Fed. Reg. 59888, 59892. However, operators will be held to have acquired actual knowledge of having collected personal information from a child where, for example, they later learn of a child’s age or grade from a concerned parent who has learned that his child is participating on the site or service.
It is interesting that the grade a child is in is enough to cause a problem under the actual knowledge standard. The question remaining may be is a parent the only one that can be concerned or is this just one example? To put it another way, can a stranger who is a concerned citizen rat out a child that is under 13? The answer comes in direct correspondence to me from an FTC spokesperson:
As to your specific question, whether an operator has actual knowledge they have collected personal information from a child is fact specific, but it is not the case that they can only get that actual knowledge from a parent. There are cases where operators may learn they have collected personal information from children from a school or teacher or other third party.
Office of Public Affairs
Some sites, especially Google, go to great lengths to not acquire actual knowledge. Google for instance has no age violation reporting mechanism and you cannot flag a YouTube video based upon age. Twitter comes close to Google by not having a formal policy available online to report minors and by having a formal policy offline to take no action when they do receive a report unless that report comes from a parent. In reality though there is no easy way to report an age violation even if you are the parent. In fact, it may be impossible.
The safety/privacy issues that can be reported on twitter are located here. Age violations are not listed as a reportable issue but there’s a clue on the page on how to turn in under 13s. The way to do it is simply by e-mailing email@example.com. The following is a walk-through of the process of first reporting and then being rejected.
Here’s a snippet of the role player’s bio:
One of the reasons I am convinced that this person is a role player (an adult on twitter pretending to be a child) is because the boy on the left side of the avatar is the son of a photographer that I am familiar with. The photo is 4 years old and was lifted from flickr. Flickr and a certain Russian photo site are popular places to shop for avatars for fake kids. This person known as “Seb” has more than 1000 followers with at least one verified as being 12. Plenty of others appear to be under 13 but they are also likely role players. If your kid has any level of popularity on YouTube or twitter, role players are likely to find them. As far as the real kids following him, that is mostly due to complimentary follow-backs which is where someone follows someone that followed them as a courtesy. Children should be warned to be cautious of this on twitter because a follow-back means the parties can contact each other privately (direct message).
The first step for reporting an underage kid is to e-mail the details to firstname.lastname@example.org. When I do this I mention COPPA and actual knowledge in the subject line:
Sent: Tuesday, September 30, 2014 7:13 AM
To: Twitter Support
Subject: ACTUAL KNOWLEDGE 12 YEAR OLD / COPPA
@****** says on his profile that he’s 12. I believe he’s an adult and his photos of “himself” are stolen from a professional photographer in the Netherlands. Either way he’s in violation and a termination would go a long way to help kids.
He is in violation of your terms of service and you are collecting PII from a 12 year old without parental consent which is against COPPA once it’s pointed out to you.
Thanks for your consideration.
That’s step one. A report will not be accepted though until you respond to an auto-response e-mail making sure you understand what the “privacy” address is for. That is step two. Step three is the rejection:
From: Twitter Support [mailto:email@example.com]
Sent: Tuesday, September 30, 2014 7:14 AM
Subject: Case# 06442421: FW: ACTUAL KNOWLEDGE 12 YEAR OLD / COPPA
******* This is an AUTOMATED response from our support system. *******
Thanks for your request. This email address is for the following issues only:
• Reports of underage users
• Report of deceased users
• Requests for own account information
If you have one of these privacy-related questions, you must reply to this email in order to open a ticket for review. All unconfirmed emails will not be read or responded to.
Twitter Trust & Safety
This e-mail shows you that the e-mail address I used is appropriate for these reports. However, unless you are a parent this process is not for you. And if you are a parent the next step is also not for you.
Here’s the official reply that comes next. This is a canned message but outlines their formal policy on this matter:
From: Twitter Support [mailto:firstname.lastname@example.org]
Sent: Tuesday, September 30, 2014 3:44 PM
Subject: Case# 06442421: FW: ACTUAL KNOWLEDGE 12 YEAR OLD / COPPA –
Thanks for bringing this to our attention. However, we require the individual directly involved or someone legally authorized to act on their behalf to report this issue.
If this is someone with whom you’re in contact, please encourage them to file a report here: https://support.twitter.com/forms.
Once we’re in touch with the individual, we’ll be able to provide them with the information they need to resolve the issue.
I find this surprising. A good ticketing system would have already brought up the bio in question and the account could be suspended faster than reading and replying to the e-mail. To add further insult, the “forms” URL above doesn’t include a way to report underage kids even if you are the parent. In short, twitter states you must be 13 in order to use their service, doesn’t provide a way to report illegal children, tells you when you reach the right place and then puts you on a street that leads to nowhere.
The only time I report a violation is when I feel that a real flesh and blood child is in danger and the suspect purports their age to be under 13. In this case I did (and still do) think children are at risk because of this account. This is the second report I have done in the past 30 days with the same result.
It is clear to me that twitter’s posture on this is against COPPA and against the best interests of families and twitter itself. There is no logical reason for twitter not to respond to these requests as it is against their TOS. Twitter can ignore COPPA and follow their own TOS and go a long way in protecting children on the service.
Arlington, VA – October 1, 2014 – The Internet Keep Safe Coalition (iKeepSafe) announced today the launch of its safe harbor program under the Children’s Online Privacy Protection Act (COPPA). The program is one of seven approved by the Federal Trade Commission (FTC).
The FTC has approved iKeepSafe’s application to become a safe harbor under COPPA and the agency’s COPPA Rule. iKeepSafe’s program in partnership with PlayWell, LLC, will support operators of websites and online services in being good stewards of children’s data, and provide parents and teachers with added comfort that the products that carry the iKeepSafe Safe Harbor program seal have been evaluated for compliance with COPPA.
Perhaps the best takeaway here is that if you need an age gate, make sure you have a third party watching your back. This is not a place to make a mistake as the Yelp case shows.
Make sure you have a strong business need to age screen to begin with. Age gates are not mandatory under COPPA and one way to make sure you don’t violate the Rule is not to have one.
The Federal Trade Commission (FTC) has made good on its promise to actively enforce the recently amended Children’s Online Privacy Protection Act (COPPA). Here is what you should know about the latest enforcement actions against Yelp and TinyCo and how these might affect your business.
There have been a lot of articles about Yelp’s COPPA settlement lately but this is an important one as it addresses neutral age-gates which even some of the big players miss.
The Federal Trade Commission (FTC) announced last week that Yelp – the online service through which consumers can read and write reviews about local businesses – has agreed to pay $450,000 to settle the FTC’s charges that Yelp knowingly and without verifiable parental consent (VPC), collected personal information from children under the age of 13 through its mobile app in violation of the federal law, the Children’s Online Privacy Protection Act (COPPA).