COPPA 2.0 FAQs: Privacy Policies & Parent Notifications

Sean Bryant

COPPA 2.0 compliance is just around the corner (July 1st, 2013). Whether your site is ready or not, you need to be asking questions and doing whatever you can to come up to par with the current regulations. The FTC has put a laundry list of provisions into place and, for its part, has offered reasonable responses and substantial time to comply.

Over the next week, Inversoft will supply shortened versions of the ‘Business and Parents and Small Entity Compliance Guide’.

Please remember, this is merely a simplified reference. For more detailed information refer to the link at the bottom of this page.

Privacy Policies

Privacy Policies & Direct Notices to Parents

 

1. My child-directed Web site does not collect any personal information. Do I still need to post a privacy policy online?

No. However, the FTC recommends that all Web sites/services directed to children post privacy policies online so visitors can easily learn about the operator’s information practices.

2. What information must I include in my online privacy policy?

While the original Rule required operators to provide extensive categories of information in their online privacy notices, the amended Rule now takes a shorter, more streamlined approach… Under the amended Rule, the online notice must state the following three categories of information:

    • Name, address, telephone number, and email address of all operators collecting or maintaining personal information through the site or service…
    • Description of what information is collected from children, including whether the operator enables children to make their personal information publicly available, how the operator uses the information, and the disclosure practices for such information.
    • State the procedures in place and provide the ability for the parents to review, delete and refuse the further collection of their children’s personal information.

3. May I include promotional materials in my privacy policy?

No.  The Rule requires that privacy policies must be “clearly and understandably written, complete, and must contain no unrelated, confusing, or contradictory materials.”

4. I already have a privacy policy for my children’s app. Do I have to change it to comply with the amended COPPA Rule?

It depends. Examine your procedure for collecting information to determine if you are collecting personal information that is (now) considered under the Rule… you may be required to notify parents to get consent.

5. Do I have to list the names and contact information of all the operators collecting information at my Web site?  This will make my online privacy policy very long and confusing.

If multiple operators for the site/service collect information (including plug-ins), all names, addresses, phone numbers, and emails must be provided. However, only one designated operator is required to answer all inquiries regarding any and all operators.

To keep your online privacy policy simple, a link may be provided with a complete list of all operators.

6. Do I have to disclose in my privacy policy and direct notices to parents the collection of  “cookies,” “GUIDs,” “IP addresses,” or other passive information collection technologies on or through my site?

The amended Rule defines “personal information” to include identifiers: a customer number held in a cookie, an IP address, a processor or device serial number, or a unique device identifier that can be used to recognize a user over time and across different Web sites or online services, even where such identifier is not paired with other items of personal information.

You need to disclose in your privacy policy, and in your direct notice to parents, your collection, use or disclosure of such persistent identifiers unless (1) you collect no other “personal information,” and (2) such persistent identifiers are collected on or through your site or service solely for the purpose of providing “support for the internal operations” of your site or service.

7. Where should I post links to my privacy policy?

Anywhere information is collected (home, landing page) a clearly labeled privacy policy link must be provided. It must be in close relation to the request for information in each related area.

8. Is it okay for the link to my privacy policy to be located at the bottom of the home page of my Web site?

The Commission explains that ‘clear and prominent’ means a link with a different font size, color, or background (make it stand out). It must be easily distinguishable from other links to meet the ‘clear and prominent’ criteria. As long as you meet these requirements, it will suffice.

9. I have an app directed to children. Do I need to make sure that my privacy policy is included in the app store, at the point of purchase or download?

The Rule does not require the privacy policy to be present at the point of purchase, but it is required on the home or landing screen. The FTC notes that the more transparency provided, the better the benefit. If you choose to provide a privacy policy for a child-directed app prior to purchase, parents will find it more useful in the decision process.

If the application collects children’s information the moment it is downloaded, notice is necessary to obtain verifiable consent at the point of purchase or prior to download completion.

10. I operate a general audience Web site that contains a specific children’s section.  May I post a single privacy policy for the entire site that combines information about my children’s and general information practices, or must I have a separate privacy policy for children’s data?

The Commission noted that “operators are free to combine the privacy policies into one document, as long as the link for the children’s policy takes visitors directly to the point in the document where the operator’s policies with respect to children are discussed, or it is clearly disclosed at the top of the notice that there is a specific section discussing the operator’s information practices with regard to children.”

11. I know that the amended Rule made some changes to the direct notice that must be sent to parents before I collect personal information from children.  What are those changes?

There are four instances where a direct notice is required or appropriate under the Rule:

  1. Where an operator seeks to obtain a parent’s verifiable consent prior to the collection, use, or disclosure of a child’s personal information.  In this case, the direct notice must:
    • State that the operator has collected the parent’s online contact information from the child, and, if such is the case, the name of the child or the parent, in order to obtain the parent’s consent;
    • State that the parent’s consent is required for the collection, use, or disclosure of such information…
    • Set forth the additional items of personal information the operator intends to collect from the child…
    • Contain a hyperlink to the operator’s online notice of its information practices (privacy policy)
    • Provide the means by which the parent can provide verifiable consent to the collection, use, and disclosure of the information
    • State that if the parent does not provide consent within a reasonable time from the date the direct notice was sent, the operator will delete the parent’s online contact information from its records.
  2. Where an operator voluntarily seeks to provide notice to a parent of a child’s online activities that do not involve the collection, use or disclosure of personal information. In this case, the direct notice must:
    • State that the operator has collected the parent’s online contact information from the child in order to provide notice to, and subsequently update the parent about, a child’s participation…
    • State that the parent’s online contact information will not be used or disclosed for any other purpose
    • State that the parent may refuse to permit the child’s participation in the Web site or online service and may require the deletion of the parent’s online contact information, and how the parent can do so
    • Provide a hyperlink to the operator’s online notice of its information practices.
  3. Where an operator intends to communicate with the child multiple times via the child’s online contact information and collects no other information. In this case, the direct notice must:
    • State that the operator has collected the child’s online contact information from the child in order to provide multiple online communications to the child
    • State that the operator has collected the parent’s online contact information from the child in order to notify the parent that the child has registered to receive multiple online communications from the operator
    • State that the online contact information collected from the child will not be used for any other purpose, disclosed, or combined with any other information collected from the child;
    • State that the parent may refuse to permit further contact with the child and require the deletion of the parent’s and child’s online contact information, and how the parent can do so;
    • State that if the parent fails to respond to this direct notice, the operator may use the online contact information collected from the child for the purpose stated in the direct notice; and
    • Provide a hyperlink to the operator’s online notice of its information practices
  4. Where the operator’s purpose for collecting a child’s and a parent’s name and online contact information is to protect a child’s safety and the information is not used or disclosed for any other purpose. In this case, the direct notice must:
    • State that the operator has collected the name and the online contact information of the child and the parent in order to protect the safety of a child
    • State that the information will not be used or disclosed for any purpose unrelated to the child’s safety
    • State that the parent may refuse to permit the use, and require the deletion, of the information collected, and how the parent can do so
    • State that if the parent fails to respond to this direct notice, the operator may use the information for the purpose stated in the direct notice
    • Provide a hyperlink to the operator’s online notice of its information practices

12. When I send a direct notice to parents, may I send them a simple email containing a link to my online privacy policy?

No. The intention of the changes made to the Rule is to help ensure that the direct notice functions as an effective “just-in-time” message to parents about an operator’s information practices, while also directing parents online to view any additional information contained in the operator’s online notice.

13. I have an app directed to children. At what point in the download process should I send parents my direct notice?

Send parents the direct notice prior to the collection of any personal information from the child. Exception: you collect the parent’s online contact information to send the parent the direct notice.

Other means of notice: through the app itself, by providing a notice of collection that obtains the parent’s consent and ‘reasonably’ ensures delivery of the notification to the parent.

For more information on Privacy Policies & Parental Notification click here.
