COPPA: Not Child’s Play

The Federal Trade Commission’s (FTC) Children’s Online Privacy Protection Act (COPPA) is a statute that requires websites to obtain consent from parents before collecting any personal information from children under 13, says Mamie Kresses, FTC senior attorney in the advertising practices division. As part of the congressional legislation, the FTC created the Children’s Online Privacy Protection Rule in 1999. The rule, which went into effect in 2000, enforces and outlines what websites need to do to abide by COPPA.

In December 2012 the FTC announced amendments to the rule to take into account new technological developments and behaviors; these amendments, which will go into effect July 1, 2013, expanded “personal information” and modified the approval process for obtaining parental consent.

This affects companies like Nimbus Games, a mobile game publisher for children primarily between the ages of four and nine. Its products are app-based, but Nimbus acquires email addresses through an online registration form and uses the contact information to distribute e-newsletters and contest notifications, says CEO Andy Hieke.

Although the registration tab addresses parents, and the company’s privacy policy asks those under 13 not to submit any information, Hieke admits that there’s no way for Nimbus to determine whether an email address belongs to a child.

In the event that the company detects a child’s email address, the information is deleted, Hieke says.

Kresses says age screening may help with Nimbus Games’ age-identifying predicament. The original COPPA Rule stipulates that age screening is optional for a general audience site, meaning one that is accessible to all Internet users but not geared specifically toward children.

By contrast, sites designed for children 12 or younger cannot age screen and must uniformly treat all visitors as if they were under the age of 13. Hence, parental permission must be obtained before any information is collected from any online user.

The rule’s new regulations provide a limited exception for websites that are generally meant for children, but that also target other audiences.

“If your target audience includes parents, older siblings, and children…the rule now allows for you to age screen on those types of sites so that you only have to get notice and consent for kids who have indicated that they’re under 13,” Kresses explains.

To get children to be more honest about their age, Kresses recommends a “neutral” age screening page without a blatant age limit—for instance, a message that demands a user be 13 or older might tempt children to lie to access online content.

The emergence of mobile app marketplaces adds another dimension to privacy considerations for underage consumers. Hieke says that Nimbus Games can’t prevent underage consumers from downloading its mobile games because consumers purchase through third-party retailers, like Apple’s App Store or Google Play.

Ultimately, because consumers are, from Hieke’s standpoint, “completely oblivious” about their privacy rights, he feels it’s the company’s job to “handhold” consumers from the get-go when educating them about company products and services.
