A 10 Step Guide to COPPA Compliance

Wednesday, June 19, 13

Introduction

• There’s lots of talk about the Children’s Online Privacy Protection Act (COPPA), but do you really understand how the law works? COPPA was enacted in 1998 to protect the privacy of children under 13 years of age. COPPA charged the Federal Trade Commission (FTC) with creating the regulations necessary to implement the goals of the law.

• The original act also required that the law be reviewed 5 years after the effective date of the regulation (April 21, 2000). This review took several years, and various stakeholders were given the opportunity to comment on the proposed revisions. The revised COPPA Rule was released in December 2012 and is set to go into effect on July 1, 2013.

• What follows are 10 questions that every developer should ask herself over the next couple of weeks in order to conduct an internal COPPA audit and ensure compliance. If you have any questions, please let us know in the comments.


1) Did you read the Rule?

This seems obvious, but have you read the revised Rule yet? It might look big and scary at first, but it’s not rocket surgery – anyone who can develop their own application can grasp the content of the revised COPPA Rule.


2) Does the Rule apply to you?

Ask yourself this question: “Am I operating a child-directed website or service, or do I have actual knowledge that I’m collecting, using or disclosing personal information from a child under 13?”

If you have any doubt, the smart bet is to assume COPPA applies to you and read on.


3) Do you collect personal information?

The general idea is that personal information is any information that can be matched to a single person. Phone numbers and email addresses are obvious examples, but it’s worth going through the whole list to determine if you collect personal information, as the definition has expanded.


4) What information do you collect?

It’s time to compile an exhaustive list of all the information you collect. Remember that feature you built but never used? Make sure it isn’t still collecting information. Figuring out what you collect is perhaps the most important part of your own COPPA audit. Leave no stone unturned. After all, there’s still time to clean up your act before July 1.


5) What do you NEED to collect?

Now that you know what you collect, it’s time to understand why you collect it. It’s useful to divide all the information you collect into two categories: information for the support of internal operations (defined in §312.2) and information that is disclosed to third parties.

If it’s for the support of internal operations (e.g. collecting data to optimize product features), make sure you’re using the data and storing it securely. If you don’t use it, stop collecting it.

If the information is disclosed to third parties, ask yourself why you’re disclosing that data in the first place. In the general interest of protecting children’s privacy, disclosure of this data should be carefully and rigorously scrutinized.


6) Do you have a privacy policy?

The first step in effectively communicating with parents is to have a well-written privacy policy. This can seem like a daunting task to non-lawyers, but there are plenty of good resources to help you out. Here are a few tools to help you get started:

We also recommend looking at the privacy policies of developers that are doing similar work or offering similar services. What's more important than perfect legalese is honesty and transparency.


7) How are you going to provide notice of your privacy practices?

Congratulations, you now have your very own privacy policy! Now, how are you going to tell parents about your data collection, use and disclosure practices? The California Attorney General provides some really good guidance in Privacy on the Go: Recommendations for the Mobile Ecosystem, and as always, reread the Rule.


8) Have you read the FAQ?

I’m willing to bet that you probably have questions at this point. The good news is that you’re not alone. In May the FTC released a set of FAQs to address the most common and vexing questions they had received in the months since the amended Rule was released. You’ll probably find some clarification to your questions, but be prepared to add some items to your to-do list as well.


9) Have you considered getting a second opinion?

COPPA Safe Harbor Programs:

These FTC-approved safe harbor programs are an attempt to provide businesses with the ability to self-regulate when it comes to COPPA compliance.


10) What’s next?

Developers are certainly no strangers to constant product iterations, and you should get used to thinking of your privacy-related activities the same way. Children’s privacy is very important, and if you take your obligation seriously, it will require constant refinement.


A Final Thought

Hopefully this 10-step guide is helpful in starting you on your journey to COPPA compliance. This information is not meant as legal advice, but it does accurately reflect a process that we’ve used ourselves and that other developers have had some success with too. If you have suggestions or care to share your own experiences, please leave a comment.
