Is Your Promotion Ready for the COPPA Rule Changes? We Are.
In December the FTC issued amendments to the COPPA (Children’s Online Privacy Protection Act) Rules. We posted a link to the FTC’s FAQ page in April to our social media channels and we have received a few inquiries since then about whether this impacts our business since the changes are set to go into effect on July 1, 2013.
So what are we doing right already?
1. We already age-gate any promotion open or advertised to children 12 and under.
One of the big stories in the news about the COPPA changes are that many web sites that did not previously consider themselves to be covered by COPPA now are. This includes mobile applications and web sites that are intended for “teens” or adults. These sites and the services and vendors that they work with (like ad networks) are scrambling to meet the COPPA deadline to change their data collection practices.
Our Marden-Kane standard practice on any promotion that involves a prize or concept that would appeal to children is that we age-gate. We do this even if the promotion is not open to children under 13. Age-gating involves asking for a date of birth, and no other personally identifying information or tip-offs that you have to be 13 or older. If the user enters a date of birth that makes them under 13, then we use a cookie to prevent the user from entering if the promo is not open to children under 13. If it is, we collect minimal, non-identifying information and contact a parent to supply us with consent and any personal information necessary to contact them if they win.
2. We don’t collect any personally identifiable information from children 12 and under – even according to the “new” definition of personally identifiable information.
The amended COPPA Rule defines “personal information” as:
- First and last name;
- A home or other physical address including street name and name of a city or town;
- Online contact information;
- A screen or user name that functions as online contact information;
- A telephone number;
- A social security number;
- A persistent identifier that can be used to recognize a user over time and across different Web sites or online services;
- A photograph, video, or audio file, where such file contains a child’s image or voice;
- Geolocation information sufficient to identify street name and name of a city or town; or
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.
Marden-Kane does not collect this data from children, never has and never will. Period.
We do collect some of this information from their parents, but we only collect the information that is reasonably necessary to determine and contact promotion winners – and always from a parent and not from a child.
3. We give the parent the ability to grant their child permission to enter sweepstakes and contests – or not – with email plus.
Another clarification made by the COPPA Rule amendment is that you must:
Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children.
And you must:
Provide parents access to their child’s personal information to review and/or have the information deleted.
The standard we have always used has been email plus. Email plus using the old standards was to send an initial email to parents to request parental permission for the collection of information, followed by a second email to confirm consent after a “reasonable” amount of time. The industry standard of “reasonable” time was after 24 hours.
In both of those emails we also provide a way to contact MK either by mail or email or link to a form online to remove their child’s name and information from our database.
The Email plus method is still an approved method of consent in the revised COPPA rules. The new standard as explained in the COPPA FAQ’s is:
“Email plus” allows you to request (in the direct notice sent to the parent’s online contact address) that the parent indicate consent in a return message. To properly use the email plus method, you must take an additional confirming step after receiving the parent’s message (this is the “plus” factor). The confirming step may be:
- Requesting in your initial message to the parent that the parent include a phone or fax number or mailing address in the reply message, so that you can follow up with a confirming phone call, fax or letter to the parent; or
- After a reasonable time delay, sending another message via the parent’s online contact information to confirm consent. In this confirmatory message, you should include all the original information contained in the direct notice, inform the parent that he or she can revoke the consent, and inform the parent how to do so.
4. We have never collected geolocation data.
Another big point of contention right now is that it was clarified in the original Rule that collecting geolocation data is expressly forbidden. Many web sites and applications have been collecting this information and have big problems as they now have to change the way their sites and applications work AND go back and get permission from parents of the minors they may have collected this data from.
The COPPA FAQ’s specifically state:
If you have collected geolocation information and have not obtained parental consent, you must do so immediately. Although geolocation information is now a stand-alone category within the definition of personal information, the Commission has made clear that this was simply a clarification of the 1999 Rule. The definition of personal information from the 1999 Rule already covered any geolocation information that provides information precise enough to identify the name of a street and city or town. Therefore, operators are required to obtain parental consent prior to collecting such geolocation information, regardless of when such data is collected.
Marden-Kane has never collected geolocation data from children – and won’t in the future.
We made that a standard years ago, and we stuck to it.
Good thing, too, because many sites and especially mobile applications have come under fire for not having their Privacy Policies accessible. The clarified COPPA standard is that you MUST:
There is no specification that it must be on every page, but it must be on the home page. And we will continue to push that it be on every page as the Marden-Kane standard.
6. We do not require any entrants 12 and under to sign up for an email list – it’s always the parent who makes that decision and it is always an option.
This has always just been common sense her at Marden-Kane. You don’t let a child decide if he wants to be on an email list (or if his parent can be added to a list!) This decision is always left up to the parent to make. We also recommend to our clients that they not make it a requirement to enter a promotion, and we have never had a client insist otherwise.
Good thing because COPPA now makes it clear that you must:
Give parents the opportunity to prevent further use or online collection of a child’s personal information.
7. We never sell or share information to third parties other than the Sponsor of a promotion.
This is the COPPA rules clarification on sharing with third parties: Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents).
Marden-Kane is a promotional marketing company that runs promotions on behalf of our clients. As such, we do not collect data for our own use but on behalf of our clients. We disclose in every promotion that data is being collected and used by the Sponsor and not by MK. This means that unlike many of our competitors, we don’t put entrants, especially children 12 and under, on a Marden-Kane email list that is sold or shared with anyone other than the promotion sponsor.
8. After the promotion is over, the opt-in lists are sent to the client and data is destroyed securely when it is no longer needed.
The final two MUSTS in the COPPA FAQ’s state:
Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security.
Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
Our MK Security Policy is that we store data for up to a year unless a winner’s information has to be stored longer for IRS purposes OR the client requires it to be kept longer. We shred and securely dispose of all records using best security practices. This has been in place since we first started running COPPA compliant promotions. We review our policies and practices annually to ensure that the highest safety standards are met.
At Marden-Kane we are ready for the next COPPA compliant promotion!
Let us know if you need help with yours.
- McMillion$ and the Importance of Instant Win Game Security
- How to Run a Legal Scavenger Hunt
- 5 Ways a Sweepstakes Can Help Your New Business Marketing Goals
- No Purchase Necessary for Running a Sweepstakes
- Can You Run an Instagram Stories Sweepstakes?