The Basics of Children's Online Privacy Protection Laws
Privacy – 5 min read

The Basics of Children's Online Privacy Protection Laws

We all vaguely understand the underlying dangers presented in the age of the Internet. Online privacy—despite laws, regulations, and common misconceptions—is not a straightforward or absolute right/privilege. It takes personal accountability and some amount of effort to ensure that you are well-equipped to spot potential threats and avoid problems.

 

Children's Online Privacy

Children are early adopters and enthusiastic users of technology. Personal information relating to children and youth is particularly sensitive. They are a vulnerable segment of the population.

 

Children are surrounded by online influences and are especially susceptible to the dangers presented by the Internet. There are 2 major areas to consider when ensuring that your child is protected online:

  1. The first pertains to precautions you take at home. This includes configuring privacy settings on your devices, blocking certain websites, and actively monitoring your child’s Internet activity.
  2. The second line of protection are the steps taken by website and service providers. Many of these mandatory precautions fall under various forms of federal legislation.

 

In the United States, the Federal Trade Commission manages these concerns under a law called COPPA, or The Children’s Online Privacy Protection Act. In Canada, the Office of the Privacy Commissioner of Canada has issued guidelines that are very similar to the protections provided by COPPA but there is not actual Canadian legislation mandated to enforce these guidelines. Below is a review of the American legislation.

 

The Children’s Online Privacy Protection Act

  1. What is COPPA?
  2. Steps to Prevent Being in Violation of COPPA
  3. How to Obtain Parental Consent
  4. COPPA Obligations Post-Consent

 

1. What is COPPA?

 

The Children’s Online Privacy Protection Act was passed by Congress in 1998 and put into action in 2000. It protects the privacy of children under 13. This act protects against a child’s personal information from being collected by websites and online services.

 

Under this Act:
 

  • Commercial websites and online services cannot collect data from children under 13 for their own use or distribution to a third party.
  • Parents and guardians have sole legal control over their children's private information.
  • Parental consent is mandatory for use of a child's personal data.
  • There are certain restrictions on which types of marketing can be targeted to young Internet users.
  • There are restrictions placed on websites that make them responsible for how they target young users, and obligations on how they prevent children from accessing areas that collect personal data.

 

The personal information of young Internet users that is protected under this Act include:

  • First and last name
  • IP address
  • Physical address, including city or town and street name
  • Email address
  • Social security number
  • Telephone number
  • Images or voice recordings of the young user
  • Information collected through cookies, including hobbies, interests, groups they have joined, pages they have liked, etc
  • Any online identifier that can be traced back to the young individual

 

 

2. Steps to Prevent Being in Violation of COPPA

 

Websites and online services providers must take steps to ensure that they do not unwittingly violate a child's online privacy. If a website collects personal information, that website must ensure that the following steps are taken:

 

  1. Include a clear notice informing users that their personal information may be collected and shared. This notice must include what information may be collected, how it will be used, if it is being shared with a third party, and which third parties you share with. This however still does not protect websites from collecting data from children under 13.
  2. Include a disclaimer that asks users to verify their age.
  3. Incorporate more technicality into the website - making it harder for young children to maneuver around the site.
  4. Ensure the website isn’t being targeted towards younger audiences -- whether in search results, or on third party pages linking to your website.

 

 

3. How to Obtain Parental Consent

 

If a website is looking to collect data from young Internet users, its webmaster must take steps to ensure that it is done so legally. The only way to do it legally is to have consent from parents or legal guardians. The following steps must be taken:

 

  1. For the collection and use of a child's personal information, a website must obtain a signed legal consent form from a parent or legal guardian.
  2. Any online payment card number must verify the parent's identity.
  3. Email consent can be admissible but only in cases in which the data is not being shared with a third party.
  4. There must be a video call with the parent and only by a professional trained in the verification process.

 

 

4. COPPA Obligations Post-Consent

 

Even after parental consent has been given, under COPPA, a website still has legal obligations to uphold. These include:

 

  1. A child's personal information remains under the control of the legal parent. This means that they have the right to withdraw consent at any time.
  2. A company must have a toll-free number that parents can call to change/withdraw their consent.
  3. Parents can opt to limit their consent to not include third parties.

 

It is estimated that 62% of websites that collect personal information sell this information to a third party.

 

What does this mean for Canada?

 

As mentioned above, Canada does not currently have its own federally regulated children’s online privacy protection legislation. While there are guidelines issued by the Privacy Commissioner that are similar to that of COPPA, they are not enforced under Canadian law. This should be concerning to all Canadians as it is estimated that 62% of websites that collect personal information sell this information to a third party.

That is not to say that Canada is bereft of online privacy legislation. First enacted in 2001, the Personal Information Protection and Electronic Documents Act (PIPEDA) sets the rules for how Canadian private sector organizations must handle personal information in their commercial activities. Although businesses that cater to children fall under the Act, PIPEDA does not specifically deal with children's privacy rights nor give additional protection to children. Currently, there are proposed amendments to PIPEDA that will specifically address the special vulnerability of children but these have not yet been passed.

As a Canadian parent, you must be aware that your child’s online activities are currently being monitored by companies with a profit motive.

 

If you are a part of a school board or other educational organization, get in touch with CITI. We can protect the online privacy of your students, while educating them about it.

 

 

Learn about your IT security. Register for a free cybersecurity consultation.  Book Now Considering moving to the cloud? Find out if the cloud is right for your company.Book Now
Guide to Email Security from our Practice Safe Cyber Series Download Your Poster
Global Toronto and CreateTO City of Toronto Agencies Case Study
Learn about your IT security. Register for a free cybersecurity consultation.  Book Now
Guide to Ransomware Attacks in Canada
Considering moving to the cloud? Find out if the cloud is right for your company.Book Now
New IT Infrastructure Transforms Organization. KCI Ketchum Canada
Engage our services and get 10 hours free. It's easy to work with CITI. Become a client.Book Appointment

IT Insights from our Blog

Read more

We're here to help!

Moving to the Cloud
Cybersecurity

Is your management team asking about your IT security policies and practices? Are you worried about a cybersecurity breach? CITI’s comprehensive IT security services provide all the information your company needs to deal with current and future security situations and concerns. Learn about your IT security. Register for a free cybersecurity session.

Managed Services

There is another way to manage your IT that doesn’t require you call your IT firm. Managed IT services offer proactive care, support, monitoring and maintenance of your computer systems for a fixed monthly fee. Process-driven, less involvement, more predictable cost. Yes, Virginia, there is a way to keep your IT running smoothly that does not require you to make a call.

Pay-As-You-Go

Are you concerned about minimizing IT maintenance costs? Perhaps you’re techno savvy. Or maybe you only need an IT firm for complex IT situations. CITI can provide exactly the volume of IT services that you want and need from network troubleshooting to helping a user with a jammed printer. Our full range of services are available on a per incident basis.

Disaster Recovery

Is the stuff of your nightmares power outages? The only way to deal with a severe interruption to business operations is to plan for it. Beginning with a disaster recovery plan through implementing and maintaining failsafe, foolproof, rock-solid offsite backups, CITI has helped 100s of companies protect their most valuable asset—their data and systems.

IT Consulting

Uncertain if your company should move to the cloud? Do you have doubts about the best way to back up your data? Looking for ways to minimize your vulnerability to IT security breaches? Perhaps you’re looking for help with your annual IT budget. CITI’s IT advisory services help businesses make informed strategic and tactical decisions on information technology.

Call Us

416-603-2442