The Basics of Children's Online Privacy Protection Laws

We all vaguely understand the underlying dangers presented in the age of the Internet. Online privacy—despite laws, regulations, and common misconceptions—is not a straightforward or absolute right/privilege. It takes personal accountability and some amount of effort to ensure that you are well-equipped to spot potential threats and avoid problems.

Children are surrounded by online influences and are especially susceptible to the dangers presented by the Internet. There are 2 major areas to consider when ensuring that your child is protected online:

1. The first pertains to precautions you take at home. This includes configuring privacy settings on your devices, blocking certain websites, and actively monitoring your child’s Internet activity.
2. The second line of protection are the steps taken by website and service providers. Many of these mandatory precautions fall under various forms of federal legislation.

In the United States, the Federal Trade Commission manages these concerns under a law called COPPA, or The Children’s Online Privacy Protection Act. In Canada, the Office of the Privacy Commissioner of Canada has issued guidelines that are very similar to the protections provided by COPPA but there is not actual Canadian legislation mandated to enforce these guidelines. Below is a review of the American legislation.

1. What is COPPA?

The Children’s Online Privacy Protection Act was passed by Congress in 1998 and put into action in 2000. It protects the privacy of children under 13. This act protects against a child’s personal information from being collected by websites and online services.

Under this Act:
 

• Commercial websites and online services cannot collect data from children under 13 for their own use or distribution to a third party.
• Parents and guardians have sole legal control over their children's private information.
• Parental consent is mandatory for use of a child's personal data.
• There are certain restrictions on which types of marketing can be targeted to young Internet users.
• There are restrictions placed on websites that make them responsible for how they target young users, and obligations on how they prevent children from accessing areas that collect personal data.

The personal information of young Internet users that is protected under this Act include:

• First and last name
• IP address
• Physical address, including city or town and street name
• Email address
• Social security number
• Telephone number
• Images or voice recordings of the young user
• Information collected through cookies, including hobbies, interests, groups they have joined, pages they have liked, etc
• Any online identifier that can be traced back to the young individual

2. Steps to Prevent Being in Violation of COPPA

Websites and online services providers must take steps to ensure that they do not unwittingly violate a child's online privacy. If a website collects personal information, that website must ensure that the following steps are taken:

1. Include a clear notice informing users that their personal information may be collected and shared. This notice must include what information may be collected, how it will be used, if it is being shared with a third party, and which third parties you share with. This however still does not protect websites from collecting data from children under 13.
2. Include a disclaimer that asks users to verify their age.
3. Incorporate more technicality into the website - making it harder for young children to maneuver around the site.
4. Ensure the website isn’t being targeted towards younger audiences -- whether in search results, or on third party pages linking to your website.

3. How to Obtain Parental Consent

If a website is looking to collect data from young Internet users, its webmaster must take steps to ensure that it is done so legally. The only way to do it legally is to have consent from parents or legal guardians. The following steps must be taken:

1. For the collection and use of a child's personal information, a website must obtain a signed legal consent form from a parent or legal guardian.
2. Any online payment card number must verify the parent's identity.
3. Email consent can be admissible but only in cases in which the data is not being shared with a third party.
4. There must be a video call with the parent and only by a professional trained in the verification process.

4. COPPA Obligations Post-Consent

Even after parental consent has been given, under COPPA, a website still has legal obligations to uphold. These include:

1. A child's personal information remains under the control of the legal parent. This means that they have the right to withdraw consent at any time.
2. A company must have a toll-free number that parents can call to change/withdraw their consent.
3. Parents can opt to limit their consent to not include third parties.

It is estimated that 62% of websites that collect personal information sell this information to a third party.

What does this mean for Canada?

As mentioned above, Canada does not currently have its own federally regulated children’s online privacy protection legislation. While there are guidelines issued by the Privacy Commissioner that are similar to that of COPPA, they are not enforced under Canadian law. This should be concerning to all Canadians as it is estimated that 62% of websites that collect personal information sell this information to a third party.

That is not to say that Canada is bereft of online privacy legislation. First enacted in 2001, the Personal Information Protection and Electronic Documents Act (PIPEDA) sets the rules for how Canadian private sector organizations must handle personal information in their commercial activities. Although businesses that cater to children fall under the Act, PIPEDA does not specifically deal with children's privacy rights nor give additional protection to children. Currently, there are proposed amendments to PIPEDA that will specifically address the special vulnerability of children but these have not yet been passed.

As a Canadian parent, you must be aware that your child’s online activities are currently being monitored by companies with a profit motive.

If you are a part of a school board or other educational organization, get in touch with CITI. We can protect the online privacy of your students, while educating them about it.