
Forum Moderators: LifeinAsia


COPPA compliance

     
5:20 am on Dec 10, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member drdoc is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 15, 2002
posts:6807
votes: 0


http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm

Without getting into specifics -- I have pretty much realized a site I am working on needs to be COPPA compliant.

Has anyone had to deal with COPPA compliance before? Any pointers as to the approach I should take, what is reasonable and what isn't? For example, how do you stop someone who is younger than 13 from registering a username for which an e-mail address is required, without making it overly problematic for those over 13?

Never dealt with COPPA before, so I'm looking for all the pointers I can get. Where to start? How to implement requirements?

2:57 pm on Dec 10, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 17, 2001
posts:1262
votes: 0


The site you cited seems to be pretty detailed; you might also want to see [ftc.gov...]
[ftc.gov...]
4:46 pm on Dec 10, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member drdoc is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 15, 2002
posts:6807
votes: 0


Thanks, will look into those. Also, thanks to you who sent me a link to a site that has implemented a working example. It gave me some very good ideas and pointers as to how I would actually implement this.
10:48 pm on Dec 23, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 17, 2002
posts:2251
votes: 0


I had been attempting a somewhat parallel discussion [webmasterworld.com] in another forum.

My concern, which I haven't seen addressed anywhere, and is keeping me from letting folks under thirteen join, is what legal exposure do I face if a child provides false parent/guardian contact details.

Other than that, from what I've seen in terms of working examples, it's pretty easy to make your website COPPA-compliant.

The main issues seem to be posting clear links to your privacy policy, not wording anything so as to entice someone to lie about their age to join, making a page where parents/guardians can review what information is on file for their child and making it easy to let them request removing or altering certain information.

I would also let them see a history of the messages their child has posted and that sort of thing so they can not only see what the child has shared with us, but can also keep tabs on what their child is saying online.

7:55 pm on Dec 31, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member drdoc is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 15, 2002
posts:6807
votes: 0


Well, as far as the FTC is concerned... you can do any of the following to verify the parent's identity:

obtaining a signed form from the parent via postal mail or facsimile;

accepting and verifying a credit card number;

taking calls from parents on a toll-free telephone number staffed by trained personnel;

email accompanied by digital signature;

email accompanied by a PIN or password obtained through one of the verification methods above.

12:24 am on Jan 1, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 17, 2002
posts:2251
votes: 0


DrDoc, you know what I think about you and how much respect I have for you in general. Please keep that in mind as you read on.

All of those methods are fraught with the potential for abuse.

>>obtaining a signed form from the parent via postal mail or facsimile;

This could still be forged/faked.

>>accepting and verifying a credit card number;

Kids today have credit cards. I'm not sure if there is a minimum age limit so long as the account is secured by the parent's credit.

>>taking calls from parents on a toll-free telephone number staffed by trained personnel;

How does this prove anything? How does a non-profit hobby site afford something like this anyway?

>>email accompanied by digital signature;

Again, I have PGP and digitally sign all my e-mails. Any kid could obtain PGP and come up with a digital signature.

>>email accompanied by a PIN or password obtained through one of the verification methods above.

If the kid, or his phony parental e-mail address, gets to see that PIN or password, fraud is possible.

In conclusion, I am looking for something specific from the FTC about what they consider reasonable methods of verification that won't expose me to legal action. To date I've found nothing that addresses that issue.

1:59 am on Jan 1, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member drdoc is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 15, 2002
posts:6807
votes: 0


I guess what I'm saying is that there's always the risk of fraudulent information (well, unless you talk to the parent face to face, and ask to see two forms of ID for both the parent and the child). I don't think you can ever find a 100% foolproof way of verifying that the "parent" really is the parent -- and I don't think the FTC expects you to.

Just make sure you document everything. And, if issues would arise, make sure you have a policy for how to handle it (which needs to be documented on your Web site as well). As long as the child's information gets deleted (if fraud is discovered) you should be ok...

4:29 am on Jan 1, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 17, 2002
posts:2251
votes: 0


>>you should be OK

That's the part that concerns me.

Even my Internet law specialist can't answer this question for me. There's no case law with regard to fraud on the part of the consumer/child to know for certain how the FTC would handle such a situation. I certainly don't want to wind up being the test case!

My best guess is that if we followed all the guidelines and still got defrauded we'd be OK. But I can't risk the huge fines the FTC has been levying against some of America's biggest corporations so I need something concrete before I do what I really want to do and let kids as young as ten join the site. The site has a natural attraction for kids who begin this hobby in their early years and many of them continue it throughout their lives so I'd like to let them participate so long as they can do it in a mature fashion, according to our TOS/AUP, and within the limits imposed by COPPA.

5:54 pm on Jan 1, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member drdoc is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 15, 2002
posts:6807
votes: 0


If you're subject to fraud, you're not the one in trouble.
If someone steals your credit card and uses it -- you don't have to pay.
If you have a store, and accept payment made on a stolen credit card -- the creditor picks up the tag.
You cannot be held responsible as long as you have acted in good faith, and done what you can (within reasonable limits) to assure that everything was correct and non-fraudulent.

DISCLAIMER: This is not to be considered legal advice (or any other advice for that matter). The above reflects only my personal opinion. I assume no responsibility for any outcome as a result of agreeing with my personal opinion.

6:43 pm on Jan 1, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 17, 2002
posts:2251
votes: 0


What a wonderful way to spend New Year's Day... I've spent the last three hours scouring the FTC website once again for anything that states I do not face any legal exposure if I allow someone under 13 to join my site.

In the process I found a site similar to mine that states nobody under 13 can join, and asks for a lot of required personal information. Other than that they do nothing to abide by the terms and spirit of COPPA. I had my nephew join and list his age as under 13. The site let him join, asked for no parental contact information, and let him post on their forums and provide tons more personal details via his profile page.

I filed a complaint with the FTC and now I'm going to sit back and watch what happens. I hope it will wind up being the test case I so desperately want to see but not be involved in.