I have previously written about the compliance provisions of the Children’s Online Privacy Protection Act (COPPA) ("The Children's Online Privacy Protection Act") but now wish to expand on the issues related to the need for the site owner to obtain what the statute refers to as “verifiable parental consent.”

        Initially, there must be a procedure in place by which the site owner notifies the parent of the child (as defined in the act) that the site owner wishes to collect information about that child and what the site owner intends to use that information for and whether or not the site owner intends to provide that information to third parties.  This notice to the parents must track the same language as the notice on the site itself and must state that the parent must consent to this gathering, use and dissemination of information.  This latter requirement is the issue about obtaining such consent and is discussed below.

        The notice must be in writing and written in clear and understandable language and not contain any “unrelated or confusing information.”

        The notice can be sent via email or by regular mail.

        The site owner must make “reasonable efforts (taking into consideration available technology)” to obtain such consent and this must be done and such consent must be obtained before the information is collected.

        At the present time and until April, 2002, the Federal Trade Commission, the governmental body charged with administering COPPA, has adopted what it refers to as a “sliding scale” of what kind of verifiable parental consent will be required.  This determination is based upon what kind of information is sought from the child and how that information is to be used.  The Commission will review these methods to determine if the technology has progressed to the point where the verification can be obtained by different means.

        If the site intends to use the information solely for internal purposes such as merely communicating with the child about site updates and other such purposes, then the current policy allows for the parental consent to be in the form of email, regular postal mail or even via telephone.  In such a situation, the parent can consent to the gathering of such information for these limited purposes only.

        On the other hand, if the site owner desires to make the child’s information more publicly available, such as by posting the information to chat rooms or by making that information available to third parties, then the policies require that the parent provide a signed consent sent either through the snail mail or by fax or by a digitally encoded signature on an email.  Such consent can also be provided by having the parent provide a credit card number that the site owner then verifies through the issuer or by having the parent call a toll-free number that is handled by the site owner’s personnel who have been trained in the mandates of the statute and policies.

        If the site’s policy changes and a use different from that for which consent was obtained is contemplated, then a new verified consent from the parent must be obtained.  So, for example, if the original use was purely internal and now the site desires to have a chat room available to the child or wishes to provide the information to third parties, the entire procedure must be done all over again, this time following the standards for the more stringent verification of parental consent.  This additional consent must be obtained even if the original consent was to disseminate the information to third parties but now the site wishes to materially expand the kinds of third parties to whom the information was provided.

        At any time, a parent may notify the site that the parent wishes to have the site delete the child’s information and thereafter the site may not use that information.  If the site has provided that information to third parties, the site must notify such third parties to also delete that child’s information.  This latter requirement should be set forth in the license between the site and such third party.

        The FTC regulations provide for a number of exceptions which allow a site operator to collect a child’s email address only without obtaining the parent’s consent in advance.  Note that the consent is still required but may be obtained after this limited information is obtained by the site.

    Such prior parental consent is not required:

• if the site allows the child to participate in games, homework help and electronic postcards (all 3 mentioned specifically by the guidelines);
• when the site collects the child’s or the parent’s email address for the purpose of seeking this consent;
• the site collects the child’s email address for the purpose of merely responding to a singular request from the child and then that email address is deleted; or
• the site collects a child’s name or online contact information to protect the security or liability of the site or to respond to law enforcement and does not use it for any other purpose.

        Finally, the site must provide the parent with access to the information the child has provided and must have a procedure in place to verify that the person to whom they provide this information is in truth the parent of the child.  Such procedures can include obtaining verification via snail mail, fax or email with a digitally encrypted signature or a PIN number, credit card information or via a toll-free number staffed by trained personnel.  To the extent that the site acts “in good faith” to obtain this verification, then the site is excused from liability for inadvertent disclosure of the child’s information to a party who is not the parent.  Site operators should be extremely cautious in giving out such information.

        In truth, COPPA presents significant legal issues for sites that fall within its scope.  Failure to comply with the letter of COPPA and these regulations may result in significant fines as well as liability to the child and the child’s parents.  As a result, sites that are directed to children, as defined in the act and regulations, should be very careful about establishing a valid compliance policy.

© 2000 Ivan Hoffman