Online Privacy Rights for Minors

In a previous post, I wrote about a new California law addressing online privacy rights of minors. That law (California Business & Professions Code Sections 22580 to 22582), which took effect on January 1, 2015, does a couple of things. As I wrote in the previous post, the law restricts the kinds of products that can be marketed online to minors under the age of 18. The second thing the new law does is impose content-removal obligations on these website and mobile app operators. That is the subject of this post. The law protects minors who live in California, but it broadly applies to websites and mobile apps located anywhere, if they have users located in California. Since California has more than 9 million residents under the age of 18, out-of-state website and mobile app operators cannot afford to assume that the law doesn’t reach them.

These new content-removal obligations apply to websites and mobile apps that are directed at minors, and also at any websites or mobile apps where the operator has actual knowledge that minors are using it. The operators of these websites and apps must permit minors who are registered users to remove or, if the operator prefers, request and obtain removal of, content or information posted by that registered user. The operator also must notify minors who are registered users that they have these content-removal rights, and provide clear instructions on how to go about getting content or information removed. The operator also has to notify the minors who are registered users that the removal does not ensure complete or comprehensive removal of the content or information.

The operator (or a third party) does not have to erase or eliminate the content or information in any of the following circumstances:

  1. If any other provision of state or federal law requires keeping that content or information.
  2. If the content or information was stored on or posted to the website or mobile app by a third party other than the minor, including content or information that was posted by the minor that the third party has republished or reposted.
  3. If the operator anonymizes the information posted by the minor, so that the minor cannot be individually identified.
  4. If the minor does not follow the instructions on how to obtain the removal of the content.
  5. If the minor has received some kind of compensation for posting the content.

An operator will be considered in compliance with its obligations if it makes the content no longer visible to registered users or the public, even if the content still remains on the operator’s servers. Also, the operator will be in compliance if it removes the content, and then the content remains visible because a third party has reposted it.

If you are operating a website or mobile app directed at minors, or if you know that minors are using your website or app, now is a good time to start implementing procedures to comply with this new law. You will need to set up a mechanism for minors to remove content themselves, or you will need a mechanism for minors to request that you remove the content. You will also need notice provisions. While you might try to implement these changes only with respect to minors who are in California, it may be easier to grant the same rights to minors no matter where they live. Finally, this new law will also require changes to your website’s (or app’s) terms of use and privacy policy.

Follow me on Twitter @PaulHSpitz


FTC Slaps Yelp on Children’s Online Privacy

You might think that only companies that operate websites directed at children need to worry about complying with COPPA, the Children’s Online Privacy Protection Act. A recent case involving Yelp, the online review site, however, shows that websites that aren’t specifically geared towards children need to worry about COPPA, too. Yelp recently reached an agreement with the Federal Trade Commission to settle charges that it had violated COPPA. Yelp agreed to pay $450,000 in civil penalties.

So what happened to bring the wrath of the FTC down on Yelp, every retailer’s favorite review site? The FTC claimed that Yelp had collected personal information from children over a four-year period that began when Yelp’s mobile app launched in 2009. According to the FTC, when users registered with the Yelp site and entered a date of birth showing that they were under the age of 13, Yelp collected the person’s name, e-mail address, and location. COPPA requires that prior to collecting such information from children under the age of 13, a website operator must notify the child’s parent or guardian and get the parent or guardian’s express consent. The FTC claimed that Yelp did not take these actions with respect to thousands of registered users, even though Yelp could tell from the registration information that they were triggering COPPA. The FTC also claimed that Yelp failed to implement or properly test its apps to ensure that children under the age of 13 could not register.

In addition to paying a $450,000 penalty, Yelp agreed to delete the information it had collected about children who had registered, and to comply with COPPA going forward.

Why is the Yelp case important? There are two reasons:

• First, the settlement shows that COPPA applies to mobile apps, in addition to conventional websites.
• Second, the case shows that website and app operators need to worry about COPPA, even if their site or app isn’t directed specifically at children. If your website or app is collecting personal information about users, you need to consider whether some of those users might be under the age of 13. If you are collecting information about children under the age of 13, COPPA applies. So you have two options at this point. You can develop COPPA compliance procedures, or you can implement software tools to block users under the age of 13 from registering and providing personal information.
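As an added illustration of the second option above (code written for this page, not Yelp’s or the FTC’s), here is a registration age gate in Python that refuses to store a name, e-mail address or location when the submitted date of birth shows the user is under 13. The `Registration`, `RegistrationService`, `age_on` and `age_from_iso` names and the sample sign-ups are assumptions; the gate fails closed on an unparseable or future date, and handles a February 29 birthday correctly.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Tuple

COPPA_AGE = 13  # COPPA covers children under 13


def age_on(dob: date, today: date) -> int:
    """Whole years from dob to today; a birthday counts only once it has passed.

    The (month, day) tuple comparison handles a Feb 29 birthday: in a non-leap
    year the child is still the younger age on Feb 28 and a year older on Mar 1.
    """
    if dob > today:
        raise ValueError("date of birth is in the future")
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def age_from_iso(dob_iso: str, today_iso: str) -> int:
    """Same check on ISO-8601 strings, as a sign-up form would submit them."""
    return age_on(date.fromisoformat(dob_iso), date.fromisoformat(today_iso))


@dataclass(frozen=True)
class Registration:
    # Constructed form fields (hypothetical); dob is the raw ISO string.
    name: str
    email: str
    location: str
    dob: str


@dataclass
class RegistrationService:
    """Age gate that runs before any personal information is persisted."""
    today: str  # ISO date injected so boundary cases can be tested deterministically
    accounts: List[Registration] = field(default_factory=list)  # stand-in for the user table
    under13_attempts: int = 0  # bare counter only: no identifying fields are kept

    def register(self, reg: Registration) -> Tuple[bool, str]:
        # Fail closed: an unparseable or future date never reaches storage.
        try:
            age = age_on(date.fromisoformat(reg.dob), date.fromisoformat(self.today))
        except ValueError as exc:
            return False, f"rejected: {exc}"
        if age < COPPA_AGE:
            # Refuse *before* storing name/e-mail/location; the complaint against
            # Yelp was that it stored them although the DOB showed the user was under 13.
            self.under13_attempts += 1
            return False, "rejected: under 13, parental consent required first"
        self.accounts.append(reg)
        return True, "registered"
```

The FTC’s other claim was a failure to test the gate, so the boundary cases (thirteenth birthday today versus tomorrow, a leap-day birthday, a malformed date) are the ones worth asserting on in your own test suite.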


Children’s Online Privacy Compliance – Part 2

In my last post, I discussed how to determine if your website or mobile app collects personal information from children under the age of 13, which would make it subject to the Children’s Online Privacy Protection Act (COPPA). In today’s post, I’ll discuss posting a privacy policy that complies with COPPA. Such a policy has to clearly describe how personal information collected from children under age 13 is handled. Not only must this privacy policy describe how you handle the information, it has to describe the information handling practices of others that collect personal information through your site or app (such as plug-in services or advertising networks).

In a previous post, I discussed general principles for privacy policies. For example, you should provide a prominent link to your privacy policy on your website, ideally using a larger font or different color. Companies subject to COPPA need to go further, by posting a link to the privacy policy wherever they collect personal information from children under the age of 13. For example, if your website is designed for a general audience, but you have a separate section for kids, there should be a link to the privacy policy on the homepage, as well as on the main page for the kids’ section. To comply with COPPA, your privacy policy must include three things:

  1. A list of all operators collecting personal information;
  2. A description of the personal information collected and how it is used; and
  3. A description of parental rights.

List of Operators

You will need to provide a list of all operators, including third parties, that collect personal information from kids. The list must include the name and contact information for each operator. If you have several operators collecting information, you can provide contact information for only one, as long as that operator agrees to respond to all inquiries from parents about your site or service’s practices. You will still have to list the names of all the other operators, however.

Description of Personal Information Collected

The policy must also describe:

  • The types of personal information collected from children (such as name, address, e-mail address, hobbies, etc.)
  • How the information is collected (for example, is it collected actively by filling out a form, or passively, through cookies?)
  • How the information will be used (marketing to the child, notifying winners of contests, allowing the child to make information publicly available through a forum or chat room, etc.)
  • Whether any personal information is disclosed to third parties, and if so, what kinds of third parties and how they use the information.

Description of Parental Rights

Finally, the policy must describe the rights parents have with respect to your collection of personal information:

  • That you won’t require a child to disclose any more information than is reasonably necessary to participate in an activity
  • That parents can review their child’s personal information, and direct you to delete it, and refuse to allow any further collection or use of personal information from their child
  • That parents can agree to the collection and use of their child’s personal information, but still refuse to allow disclosure to third parties unless that is a part of the service (for example, social networks)
  • The procedures parents need to follow to exercise these rights.

As the various requirements for a privacy policy show, you must put a great deal of thought into how your website or service operates, in order to make the proper disclosures. In addition, there is a substantial amount of programming involved, so that parents can properly exercise their rights to delete personal information or limit its collection and use.

In the next installment, I will discuss the issues of parental notification and consent.


Children’s Online Privacy Compliance – Part 1

Today I start a multi-part series on compliance with the Children’s Online Privacy Protection Act, commonly known as “COPPA.” COPPA is a federal law governing the online privacy rights of children under the age of 13, passed in 1998 and updated in 2013. The Federal Trade Commission is the federal agency with enforcement authority under COPPA. This installment will discuss how to determine if your company has a website or online service that collects personal information from children under the age of 13 (for clarity’s sake, we will call these children “COPPA Kids,” to distinguish them from children ages 13 and up). Future installments will cover the requirements of a COPPA-compliant privacy policy, parental notification requirements, parental consent requirements, and reasonable procedures to protect the security of COPPA Kids’ personal information.

How do you know if your company has a website or online service that collects personal information from COPPA Kids? Start by asking four questions:

1. Is your website or online service directed at COPPA Kids and you collect personal information from them?

2. Is your website or online service directed at COPPA Kids and you let others collect personal information from them?

3. Is your website or online service directed to a general audience, but you actually know that you collect personal information from COPPA Kids?

4. Is your company running an ad network or plug-in, or a similar type of service, and you actually know that you collect personal information from users of a website or online service directed at COPPA Kids? (This makes you one of the “others” referred to in Question 2.)

If the answer to any of the four questions is yes, your company is subject to COPPA.

Let’s break it down a little further. First, you will notice that I used the phrase “website or online service” several times. COPPA and the FTC define this phrase very broadly. It includes:

  • Standard websites, obviously, and this being 2014, you should know what they are
  • Mobile apps that send or receive information online, such as network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads
  • Internet-enabled game platforms
  • Plug-ins
  • Advertising networks
  • Internet-enabled location-based services
  • Voice-over-internet-protocol (VoIP) services

Next, how do you know if your site or service is directed at COPPA Kids? The FTC will look at a variety of factors to decide if a website or online service is directed to COPPA Kids. Factors could include one or more of the following:

  • the subject matter of the website or service,
  • visual and audio content,
  • the use of animated characters,
  • the use of child-oriented activities and incentives,
  • the age of models,
  • the use of child celebrities or celebrities who appeal to kids (that includes you, Justin Bieber, and you too, Katy Perry),
  • ads directed to children, and
  • other evidence about the age of the actual or intended audience.

What are the kinds of “personal information” that might trigger COPPA? Some items are pretty obvious, while others should get your immediate attention:

  1. Full name 
  2. Home or other physical address, including street name and city 
  3. Online contact information, such as an email address or other identifier that permits someone to contact a person directly – these include instant messaging (IM) names, VoIP names, and video chat names
  4. Screen name or user name where it functions as online contact information
  5. Telephone number
  6. Social Security number
  7. A persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, IP address, processor or device serial number, or a unique device identifier
  8. A photo, video, or audio file containing a COPPA Kid’s image or voice
  9. Geolocation information sufficient to identify a street name and city
  10. Other information about the COPPA Kid or parent that is collected from the child and combined with one of these other identifiers

Finally, what does it mean to “collect?” First, you are collecting personal information if you request, prompt, or encourage the submission of such information, even if it is optional. Second, you are collecting if you let information be made publicly available (for example, an open chat or posting function), unless you take reasonable measures to delete all or virtually all personal information before the postings are public and delete all information from your records. Third, you are collecting information if you passively track a COPPA Kid online.

Those are the basics for determining if your website or online service is subject to COPPA. If you have applied the above factors and determined that COPPA applies, then you will need a privacy policy that complies with COPPA. I will cover that subject in the next installment.


Privacy Policy 101

The massive data breach at the big box retailer Target that happened in late 2013 has focused a great deal of attention on privacy issues. Just this month, Target’s CEO lost his job as a result of that data breach and how it was handled. While Target’s data breach was caused by someone hacking into Target’s in-store point-of-sale systems, the incident has implications for anyone operating a website or a web-based business. If you or your company operates a website, you need to understand and deal with these same privacy issues. You will need to have a privacy policy, either separately or as part of your terms of service. The kind of website you operate will dictate how detailed and extensive your privacy policy needs to be. For example, a simple blog where you write about your interest in Venezuelan cuisine will probably need a much simpler policy than an e-commerce website or a gaming website.

Whatever kind of website you operate, you want your privacy policy to do three things. First, you need to notify visitors as to the kinds of personal information you will be collecting. Second, you need to notify visitors as to how that information will be used. Third, you should inform visitors as to how they can opt out of the collection and use of any personal information.

There are two basic types of information a website can collect. The first type is aggregate information. This is the kind of information websites collect when the user isn’t registered or logged in, and his or her identity isn’t known. It is essentially anonymous information, and includes things like IP addresses and cookie information. IP addresses can be mapped to an approximate geographic location, so by collecting IP addresses, a website operator can tell that a user may be from California, or Ohio, or New York. Cookies, which are small pieces of data stored on a user’s computer, can tell the website operator where a visitor goes next. If the website operator collects enough aggregate information, it can use data mining to fine tune advertising and promotions that appear on its site. Even though aggregate information is anonymous, a website operator must disclose that it collects such information. In addition, the operator must give visitors an option to switch off cookies, although the website can still tell visitors that switching off cookies might cause an inferior user experience. The website operator also should disclose how aggregate information might be shared with third parties — for example, Amazon.com for mobile apps and various analytics companies.

The second type of information a website can collect is personally identifiable information. This might include a visitor’s name, address, e-mail address, age, credit card number, social security number, and other information that a visitor provides when he registers or logs in. The website operator must disclose the nature of personally identifiable information collected, and the kinds of uses to which it is put. It is also advisable to discuss how such information is safeguarded (although not in such detail that might compromise the safeguards).

Privacy issues are particularly important when it comes to children. There is a federal law, the Children’s Online Privacy Protection Act (or COPPA), which applies directly to this area. COPPA prohibits the collection of information from children under the age of 13 without parental consent. If you operate a website targeted at children – for example, an educational website or a game website – you will want to ensure that your website complies with COPPA. Even if your website doesn’t target minors, you may want to include a provision in your terms of service that all users must be 18 years of age or older.

Once you start collecting information, whether it is aggregate information or personally identifiable information, you need to safeguard that information. If there is a data breach, you may need to report the data breach to various state agencies. Since each state has different requirements, this can be an expensive proposition. When companies do suffer a data breach, they frequently offer their customers an identity theft protection service, free of charge, for a period of time. This can be quite expensive for companies, too. As the Target data breach has shown, however, failing to deal with data breaches in a straightforward, diligent way can have serious consequences for the business in terms of loss of customers, management turnover, and possible exposure to lawsuits.
