Let’s Chat: COPPA

Twitter. I promised a rant on twitter. I promised a rant due on Thurs. It’s Sunday.

My apologies for the lateness and the possible lack of DRAGON FIRE that I was spittin’ on Thursday.  Indeed I was angry, and it had to do with weird (if not troubling and disappointing) rumors spread about COPPA.  But like the fear-mongering such rumors create – a tantrum is not what is needed here either. Clarity is what is needed.

So, my dear poppets – lemme share the facts about COPPA: Past, Present, and Future…


COPPA is the only “real” legislation we have to enforce/protect children under the age of 13.  COPPA stands for: Children’s Online Privacy Protection Act.  It was created to stop marketers from collecting and exploiting personally identifiable information from children.  What is personally identifiable information (or PII)?

First name / last name, phone number, email address, social security number, home address.

It’s also to good to consider the following PII:

School name, instant message clients, usernames for other sites, sister/brother/parents/teacher full names, zip code, small town + states, after school activity locations. – These are not held as stringently as the first group, but they’re equally as important since you can locate any child regarding this information. Basically: if I can find you easily with the info you provide… that could be argued as PII.

Remember this tip for the kiddies and yourself: Tangible/Open Air (non computer) life = Clark Kent, Online life = Superman.

COPPA is upheld by the FTC, who regularly posts announcements on their page: http://www.ftc.gov/.  There is a program governed by the FTC called “Safe Harbor”, and it is upheld by four organizations (CARU, ESRB, TRUSTe, Privo).  If you wish to be a part of the Safe Harbor program – you will get aid in meeting regulations, suggestions for “going beyond” and being better than bare minimum, and you will have legal representation if your compliance comes into question.  I have had the privilege to work with CARU and the ESRB (whom I am very happy to work with now), and I know the fine folks at Privo.  I would definitely suggest that any company or individual wishing to learn more about Safe Harbor reach out to these companies.

At one point they tried to make additional legislation: COPA (Children’s Online Protection Act) and DOPA (Deleting Online Predators Act) – both of which have been dismissed due to First Amendment (COPA) and sheer impossibility due to variables (the latter).


How is COPPA being used?  Well, no longer just a deterrent for Marketers, it is the sole legislation for anyone collecting any information regarding children under 13. But why would someone need to collect info from kids?

1. Newsletters
2. Registration for games
3. submitted in conversation (chat), pictures, audio, etc (basically – UGC, “User Generated Content”)

I exist in the epicenter of business, safety, entertainment, common sense, community, and I’m telling you… there is no real arguable reason to collect PII from children.  The decision regarding the sharing of any such PII information belongs to the parents. Ahh, now there’s the rub – how do parents make/enact/provide/receive that permission?? Lemme get to that in a sec.

What I forgot to mention in the “Past” section is that – COPPA legislation pinpoints 4 acceptable ways to gain PERMISSION to collect PII: a fax with a parents signature, valid credit card, phone call acceptance, and email-plus.  Naturally there are problems with all four methods.

  • Fax = expensive, not “earth” friendly, and who really owns a fax anymore? Not to mention – kids attempt to sign and fax themselves (the wily things they are). You lose more customers than you gain when you expect them to stop at KINKOS to fax something out – too much time, so long future customer.
  • Valid Credit Card = No one wants to put their digits in (and they had the 1 dollar charge, despite the fact we dismiss the charge), kids as young as 9 are toting their parent’s credit cards, it’s an opportunity to collect PII inadvertently from a child (AGE GATE MEMBERSHIP, pls), and kids have been known to take the card from mom’s purse (the cheeky things they are). Strangely enough – for parents who do not have any intention on purchasing a membership – they don’t really want to put in any CC information. Do I blame them?  Nope.  Too many “but what if my kid can access my number” or “But I don’t want to tricked into paying” or “Ugh, I have stuff to do. Dinner is almost ready. I don’t want to do this now, let’s go eat.”  deterrent!
  • Phone Call Acceptance = Heavy lifting on the part of CS, expensive call services, and how do you determine an adult’s voice if the adult happens to be squeaky?  Or a child who has low tones?  And, kids attempt to call in pretending to be parents (the sneaky things the are). One of the easier methods “in theory” – parents can just pick up and dial and say “yes” or whatever. No biggie. Except that – parents can’t make those phone calls if they’re at work, and sadly, from what I’ve heard, more kids call in than actual parents.
  • Email Plus = The least rigid, most used, least reliable method.  You request the parent’s email during the kid registration, you send a “Welcome” email that includes a click-through link that will open up UGC possibilities, the adult visits the link and chooses to allow or not allow UGC, and 24 hours later the parent gets another email reminding them that they did this (in case kids invade the family email, they will be caught “unawares” by the follow-up – or at least that’s the theory). The problem is that – a certain percentage of kids are putting their own email into the Parent Email slot, and trump the whole parent connection.

Personally, I lean towards Email Plus as a method these days.  As I said – I’m in the epicenter of a lot of needs.  My first and foremost goal is: SAFETY, followed by ENTERTAINMENT (kid style), and then the business, etc.  Granted Email Plus isn’t the “safest” – but that’s why I have POLICY AND PROCEDURE. I have moderation toolsets and staff, and, well me (cue chip on shoulder, my apologies).  We work behind the scenes during the live existence of the game to ensure that privacy remains active, despite the audience themselves. AND TRUST – this ain’t no walk in the park.

Children DO NOT understand what they should / should not speak about, nor do they get (en masse, I’m talking about now) why they should / should not speak.  So… you can pretty much guarantee that kids will attempt to share SOMETHING – the way around collecting this is:

  • Pre-screening & scrubbing content,
  • Filters that block anything close to PII (heavy, heavy black lists, or CLEVER dictionary chat that also reads phrases),
  • Filters that jedi-mind-trick the user (have you tried chatting with another user in Club Penguin? Only like 25-30% of what you try to say actually shows up to the public – this lowers frustration from users while safety guarding them from the public),
  • Scripted chat (Poptropica is still uber-popular and there isn’t an ounce of open or filtered chat
  • Post-hoc moderation – LIVE 24/7 staff on the look out for kids who figured out “work arounds” (like toe tree fort hive stick stephen for two three four five six seven)
  • Reporting mechanisms for kids to pinpoint those who are cheating the system

You don’t have to have all of them… but it’s a big decision to make, and not lightly either. Get council (from someone not selling you a product, please).

Once I have my front-line and behind-the-scenes methods in place – my next goal is to make sure kids come in and play the game… that they’re active and enjoying it.  If I don’t have kids on my site, I have no audience: no money, no sustainability, no kids to protect, no job.  And where does that leave kids?  Instead of at Disney World with the families and the attention to detail and overpopulated staff, they’re at Six Flags with the gangs and high school peer pressure (seriously, have you BEEN to a Six Flags in the last ten years? What is up with that? Um, NO, I don’t want to watch fourteen year olds try to make babies while I’m in line to ride on Batman, thank you. And no, I didn’t bring my Latin Kings sweatshirt today, darn I don’t fit in).

I do not, not, not recommend “Email Plus” for who has no intention of truly backin’ up the LIVE safety on their site.

If you do not have valid parental sign off for your online experience: you cannot allow UGC of any kind unless it’s screened first by staff and scrubbed of possible PII.  That means: usernames, chat, forum threads, forum posts, blog comments, guest books, comment walls, upload pictures, upload video, upload audio.  Basically: anything a user can submit needs to go through filters and screening.  Anything considered PII needs to be scrubbed.

What’s good policy?  Well, even when you GET the “valid parental permission” – you still filter the content, and you still have staff moderating.  This is YOUR brand and YOUR audience.

BTW: If anyone comes to you and tells you that a toolset will solve all your problems and that it will replace human staff – you better get your warning flag up.  THEY’RE SELLING YOU. Gross.


So, about two months ago I had the EXTREME privilege to sit on a stage at the Engage! Expo conference in NYC with Phyllis Marcus.  Phyllis is from the FTC and had been commissioned to look into behaviors in virtual worlds.  She has an interesting report here regarding the behaviors that were found.

When I spoke with her – the majority of my questions were around: How, when, what.  This was just an initial peek for the FTC into behaviors, and much of what they found was from first time viewing.  We talked a fair bit about COPPA, and what was next for the FTC.

Both Congress (on April 29th) and the FTC (June 2nd roundtable) are re-examining safety and privacy – and what that means from their standpoint.  Okay, their standpoint… but what about OUR standpoint, what will that mean for us?

  2. Talks are beginning: People are looking to open up conversation, reassess, get feedback about COPPA
  3. If changes are made to any part of COPPA it will not be immediate
  4. If COPPA does receive some changes, adds, tweaks, deletes – it will have a “Goes into Effect” date
  5. If there is a “Goes into Effect” date – companies will have a GRACE PERIOD in which to react
  6. But most importantly: NOTHING HAS BEEN PUT INTO LAW YET.  And regardless of any rumors regarding: “So and so said this” or “I heard that the FTC has already decided” – etc.  Stop perpetuating rumor that scares others into reacting.

IF COPPA changes, it will probably change due to parent verification – either attempting to find better methods of verification or deleting old methods of verification considered ineffective.

This shouldn’t affect any LIST (be it black, white, etc) that you have on your site.  As long as kids who ARE NOT PARENT VERIFIED are set to default “Scripted Chat” (or pre-written chat) you’re fine.  DO NOT ALLOW KIDS TO CHAT (filters or no) WITHOUT VALID PARENT VERIFICATION.  How to do that? Talk to company offering the Safe Harbor program.  Lawyers know a lot – but they’re NOT workin’ on this side of the biz daily, and it’s basically they’re job to be paranoid about the law (not necessarily how kids are using it). With the exception of a handful (@steph3n , @amymms , @mikepink , Liisa Thomas – yes two i’s, and Jim Dunstan, etc), I’d be mindful.  Don’t overreact because of fear.  Be proactive in finding out how, why, when, what it means to address kids online, to collect information, and to safeguard kids online (people to follow: @annecollier , @joipod , @twizznerd , @amymms , @tlittleton , @larrymagid , @shapingyouth , @chasestraight to name just a small handful, there are many more).

You have the parent’s permission – now it’s about upholding that parent’s permission and your brand and the safety of your audience.  Robust chat filters are great – THERE IS NO ONE SINGLE COMPANY SELLING THE ONLY APPROVED LIST THAT FOLLOWS THE LAW.  If you hear that? That’s bullshit.  Straight up. Someone is scaring you into buying a product, and that just breaks my heart…

I would LOVE LOVE LOVE LOVE to get into a discourse about my hopes, intentions, and goals for our industry.  I have met some really amazing, dedicated, SMART people – and together we’re continually trying to improve.  But when people come in and say things to “sell”?  That. Just. Guts. Me.  I know I live in the country of capitalism… but that doesn’t mean I have to support it.

I’ve put a LOAD of information in here.  My apologies for a lengthy, not so cheeky, probably boring post.  But let’s be honest – I needed to ramble on this topic.  Clarity is good.  If you don’t believe me, or wish to dispute any claims I’ve made… please feel free to GOOGLE COPPA YOURSELF, and/or talk to lawyers AND safe harbor folks.  Heck, place some comments, questions at the beep and we can walk/talk through it together. 🙂

  1. Reg
    April 26, 2010 at 3:37 pm

    Incredible article Iz – detailed, factual and still shows how passionate you are in the space. Thanks for taking the time to put pen to paper on this one.

  2. Alicia B
    April 27, 2010 at 1:24 am

    Hi Izzy,

    I’m working on a thesis project which entails both a paper and mutlimedia project. My topic is social networking and privacy, specifically focusing on COPPA and if it has/hasn’t kept pace with new social networking platforms. Would you be able to answer some questions pertaining to this topic? Any help is greatly appreciated. Thank you.

  3. April 27, 2010 at 7:02 pm

    Hi Izzy,

    Great post as always! As you know, I am one of those paranoid lawyers advising youth Internet and media companies on COPPA issues. I also founded and ran a safe social network for kids for many years so I get the business side of these issues too. I agree 100% that many people overreact to what COPPA requires, i.e., they think it is more difficult to comply with the law than it really is. If your website fails to comply, however, the downside can be severe — if a website operator is found to violate COPPA, it can be subject to fines of up to $11,000 per violation. Some notable enforcement actions include Iconix Brand Group, Inc. ($250K civil penalty) and Xanga.com ($1 million civil penalty). There is almost always a smart, practical way to comply with COPPA without compromising kids enjoyment of your online service and your business objectives. For example, for my own business, we successfully used credit card verification (the most reliable method for obtaining verifiable parental consent under FTC regs) and our market research showed it made parents feel good and did not significantly deter member registration. As you pointed out, the first question to ask is: do you really need personal information from kids under 13? If you don’t need it, don’t collect it! If you do need it, then get “verifiable parental consent.” Izzy, you provided a great summary of four methods for obtaining verifiable parental consent. I would only add that how the site uses personal information determines which method you MUST use. For example, if you collect personal information for internal use only (e.g., collect email to send a e-newsletter and never share with third party), then “e-mail plus” is great. If, on the other hand, you are going to disclose children’s personal information to third parties (bad news!) or make it publicly available through operation of an online service such as a social networking site, a blog hosting service, chat rooms, message boards, or e-mail accounts, then you must use one of the “more reliable methods” to obtain verifiable parental consent. The more reliable methods include credit card in connection with a transaction (e.g., charge $1/refund $1), print-and-send/fax, toll-free telephone number, or e-mail with digital signature. And I agree 100% that website operators should be wary of a tool set that solves all problems. If you operate an online service for kids, you really need to spend time carefully thinking about how kids may use the service and what you can do to keep them safe and protect their privacy. For example:

    — should you moderate some or all user generated content (text, video, image, etc,) before posting? We did this and, in three years, we rejected ONE piece of content as inappropriate.
    — should you use text filters to block bad language and personal information (e.g., block email and telephone number formats and links)
    — should you implement a “report abuse” process? If so, what are your internal policies for responding to abuse?

    Izzy, thanks for all your great work in this area.


  4. May 3, 2010 at 2:54 am

    Hi Izzy,

    Thanks for your work on this and of course we safe harbors appreciate your plug for sites to use our programs in conjunction with their attorneys. I want to thank you for your commitment to kids and to the businesses that serve them. You did a really good job of pointing out a ton of information that people need to hear, digest and make decisions on how to proceed.

    I was really glad to see the post by Brian Anderson. He certainly clarified some really important points and it was especially interesting to hear from him given his early experience/stake in the space. I certainly hope that my perspective and comments will provide additional clarification. Privo is 1 of 4 of the existing safe harbors. I am the co-founder and I have been in the space since 2000. I have developed/ built identity verification services and had those methods acknowledged by the FTC as reasonable methods for processing VPC.

    Izzy, you said in your post “COPPA HAS NOT CHANGED” and you are right on with that statement. COPPA is painfully clear on this point. If personal information is collected and shared with a 3rd party (which includes the ability to share PII publicly) and the PII is not stripped in advance of sharing the PII then the site operator must obtain a more reliable method of verifiable parental consent in advance of the disclosure. There is NO exception for email plus. Either a site does or does not allow for the disclosure of the PII. Regardless of how much post moderation, policies and best practices are employed the ability to share PII requires a more reliable VPC than email plus.

    Part of the confusion is that the sliding scale allows for exceptions to parental consent, parental notice with no affirmative consent, parental consent with email (internal collection and use of data only) and “more reliable” methods SUCH as PIN# obtained through a reliable method, print/fax form, phone or credit card transaction. The use of the data dictates the level of “verifiable” consent that must be obtained.

    The very important nuance that I have not heard anyone mention is that a reliable VPC method can meet the Rule requirements if it is “reasonable in light of available technology”. I would argue that we are all required to use reasonable methods in light of available technology and that means the methods that were once OK will definitely OBSOLETE at some point to make way for better methods. It does not take a Rule review for that to happen. Industry should be looking for and employing better methods as they are discovered and made available. Most of us reading this post and working in the online space are tech savvy and I think it is crazy to believe that in a DECADE new methods have not emerged. Industry simply needs to get on with it and find efficient, effective and cost sensitive methods that don’t hamper conversion or threaten privacy. We need a level playing field because we all know that VPC will affect conversion. We also know that email plus is not reliable and that is why it was never intended for sharing data by disclosing UGC.

    In 2006 the FTC acknowledged in its 5 year review of COPPA that infomediaries are processing a high level of VPC using Driver’s License and last 4 digits of SSN in conjunction with name and a combination of address or DOB information. I would argue that a SKYPE video and snap shot of the adult would be a high level or that short codes from a cell that is registered to a major carrier as the primary number would be reasonable. The point is that the methods are not limited to the handful listed over a decade ago.

    Technically, until something in COPPA is changed, if a site uses email plus to process VPC for UGC that is not stripped of PII in advance (pre-moderation by a human or technology) then that site is not in compliance and the email plus VPC is of no use as it relates to COPPA compliance. I do believe that processing email consent is a good business practice and demonstrates an attempt by the site to involve the parent but I do not know a lawyer that would sign off on it nor do I know a safe harbor that would knowingly sign off.

    Over the last few years a number of VERY large media players have implemented “pre-determined words” or “white chat” etc. and have taken the stance that using this technology provides the same cover that pre-moderation of UGC would provide. There is NO FAQ on this through the FTC website. A number of us have tried to get a clear answer from the FTC. Izzy, you yourself point out that kids do indeed share their PII when these filters are in place which simply makes the case that full VPC would be required. However, the fact is this. The FTC has allowed and NOT pursued companies who claim to use sophisticate dictionary chat (whether home grown or purchased) to qualify as as good as pre-moderation.

    The four safe harbors have to decide if their respective certification can be provided under these circumstances. This was a really tough decision for me and for Privo. However, as you point out a high level of VPC is an obstacle and I refuse to allow the BIG guys to have this HUGE advantage and force the little guys to do a better job than the major companies are doing. Until such time that the FTC decides that Dictionary Chat does not meet the Rule requirements for NO VPC then Privo will issue its cert with pre-moderation whether human or sophisticated technology is in place and will as a best practice require at least notice and opt out to the parent.

    There are changes coming and they will include covering things like mobile marketing and global positioning, expansion of PII to include unique identifiers like static IP address or tracking cookies. That would mean that a user name and password that allows a site to target it advertisements and to add additional meaningful data through an IP could become covered under COPPA.

    Currently if any data (gender, likes and dislikes etc.) is tied to even 1 piece of PII it all becomes PII and is subject to COPPA.

    I agree with the commenter who said compliance is attainable and companies should not be scared nor should they hide behind an age gate when kids know to lie about their age. We simply can’t stand up and look in the mirror and say this can’t be done.

    COPPA is not a safety law it is a privacy law about the collection, use and disclosure of PII from children. Hopefully compliance adds to the safety measures that a site attracting children would need to do.

    Thanks for allowing me to provide my 2 cents:)

  1. May 15, 2011 at 3:35 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: