Back in 1998, Congress passed the Children’s Online Privacy Protection Act (COPPA). COPPA was designed to protect children’s privacy by requiring commercial websites to ask for a parent’s permission before collecting information from their child. Now it is 15 years later and kids use of technology has exploded. This July 1st, COPPA received a badly needed update.
To find out more about how theses changes and how the new rules can help families, I spoke with Dona Fraser from the Entertainment Software Rating Board (ESRB). Most parents know the ESRB from their ratings on video games and apps but they also have a Kids Privacy Certified Seal.
This week in PART 1 of my interview with Dona Fraser, Vice President of ESRB Privacy Certified, she explains the new rules and what parents can expect after July 1st. Next week in PART 2, she shares some tips on what to look for when choosing apps for their kids.
KidsPrivacy: Thanks for taking the time to answer a few questions. Let’s start with what do parents and kids need to know about the new COPPA rules?
Dona Fraser: COPPA has a set of rules for when and how an online service, such as a website or a mobile app, must obtain consent from a parent if users under the age of thirteen will be providing what is called “personally identifiable information,” or PII. The COPPA Rule was originally created by the Federal Trade Commission (FTC) in 1999 but online services have evolved quite a bit since then. So, late last year, the FTC issued revisions to the Rule that are more consistent with today’s technologies. For example, the Rule previously defined PII as information like name, phone number, social security number and birth date. The new Rule expands that definition (in certain cases) to include photos or videos of children, geolocation data – if specific enough to pinpoint a street or specific address – or even a device ID, which is a unique identifying code that products like smartphones have. Parents and kids should understand that there are different types of information that an online service may ask for from a child, but there are detailed rules for how that information can be collected, and it is required that parents give their consent for the collection of that information.
KP: After after July 1st, what will change for parents? Will more apps require our permission and how will they verify it?
DF: Apps that are directed to users under the age of thirteen are required to comply with COPPA. In practice that means they need to obtain what is called “verifiable parental consent,” which basically means the process of obtaining consent is stringent enough that a child could not realistically circumvent it by pretending to be the parent. The revised Rule allows new methods of giving this consent, such as via a scanned and signed consent form. To help companies meet this obligation, ESRB Privacy Certified offers its members access to the services of Veratad Technologies, which provides FTC-approved solutions for verifying people’s identity online via a seamless, virtually instant process. App users want to be able to download and use their app immediately. Forcing an app user to wait until a parent can sign, scan and mail a permission form isn’t optimal for the user experience. Veratad lets an app build in a quick, easy-to-use process that enables the parent to provide their consent, and for the app to be able to verify that it was actually the parent and not the child who gave that consent.
KP: When parents see the ESRB Privacy Certification Kids Seal on an app, what does that mean?
DF: Our seals signify that websites and apps not only meet legal requirements such as COPPA but that they are also adhering to best practices related to responsibly collecting and using people’s personal information. They are an indicator that these services can be trusted, that they are respecting and protecting their users’ privacy, and that a credible third party is certifying that their practices are above board.
KP: Does that mean our kid’s information is not shared with advertisers?
DF: In certain cases there is information that can be shared with advertisers. COPPA exempts certain types of information from these rules if it is solely used for the operation of the app. For example, some apps will collect data from a smartphone about a user’s physical location so that they can serve relevant ads. If a user lives in Michigan it’s safe to assume they don’t need ads intended for people in Texas. So long as this location information isn’t specific enough (i.e., it identifies a zip code as opposed to a specific street address) and isn’t paired with information about who the user actually is, it can be shared with an ad network to target their ads. That being said, the new COPPA Rule does require that ad networks utilized by products that are directed to children must also be COPPA-compliant and seek consent from parents if they are collecting PII.
Next week, I continue my conversation with Dona Fraser where she shares some great tips on choosing apps for kids.