A few days ago, I mentioned how my 11-year-old daughter was asked for her email address on a warranty card. I was being flip; we used mine.
But the comment struck a chord with MessageMedia’s permission advocate, Derek Scruggs. “The company that asked your daughter for her email address should be careful,” he warned.
The Federal Trade Commission will begin enforcing the Children’s Online Privacy Protection Act (COPPA) in April, he added, and your web site could get in major trouble if it doesn’t get proper parental consent to collect children’s data.
The best expert on this, he said, is Elizabeth Lascoutx at the Children’s Advertising Review Unit (CARU), affiliated with the national Better Business Bureau.
We were lucky. She was in.
“The bottom line is you have to post a clear privacy policy,” she said, describing information practices and providing a contact for questions. “Once you have said what you do, the next thing is to do what you say.”
That sounds simple enough, but when your target market is under 13, it can be tough to implement. Consider these guidelines:
- When you’re talking about kids under 13, if you’re going to share personal information on a child with any third party you must have prior parental permission.
- If you’re to allow a child to disclose personal information through chat or home pages, you must get prior verified permission.
- If you’re collecting information for internal use only, like email for a newsletter or a contest entry, you must notify the parent as to what you collected, why and for what purpose, giving them a chance to opt out.
How do you get that permission, especially when the child and parent share an email address? “There is no perfect answer yet,” Lascoutx admitted. So through April 21, there’s an interim standard, dubbed “email plus”: After you get a response from the parent’s email box you send a second email, acknowledging the permission and offering a second chance to opt out.
After April 21, “verified permission” systems may be required that get even messier. For instance, you could send “an email to the parent saying we’ve collected the information, would you please call this 800 number to let us know it’s OK. A trained operator should be able to tell the difference between a kid and adult.”
It all sounds a bit like a popular argument against school prayer: If it’s strong enough to do good it will do harm, and if it’s weak enough not to do harm it can’t possibly do any good. That’s why email plus is an interim standard; we still have some time to come up with something livable.
Digital signatures would be the best solution, Lascoutx admitted, but few parents have them. Or we could use a system of infomediaries, specialty firms who would off-load the permission hassles from us.
Oh, and one more thing. About that warranty card: I needn’t have worried. “COPPA only deals with online data collection. It doesn’t deal with offline data collection of online data. Kids have long been able to fill out box-tops or write envelopes.” After all, before mailing out that warranty card, my girl did have to ask me for a stamp.