Children’s Online Privacy Protection Act

Overview

Children’s Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. § 6501, et seq., addresses the collection, use, and disclosure of personal information about children collected from children through websites or other online services. The regulation that implements COPPA (16 CFR Part 312) was issued in November 1999 by the Federal Trade Commission (FTC) and became effective in April 2000. It was further revised and updated in January 2013 (with a minor technical change in December 2013). NCUA is granted enforcement authority under the Act for federal credit unions. Highlights of the act include:

Full text of COPPA can be found here. FTC regulations that implement COPPA can be found here.


Associated Risks

Compliance risk can occur when the credit union fails to implement the necessary controls to comply with COPPA.

Transaction risk can occur when the credit union does not have adequate internal controls in place and as a result suffers a loss.

Reputation risk can occur when the credit union incurs damaging publicity as a result of failure to comply with COPPA.

Strategic risk can occur when the credit union incurs fines as a result of failure to comply with COPPA.

Examination Objectives

  • To assess the quality of the credit union’s compliance management policies and procedures for implementing COPPA, specifically, for ensuring consistency between the notice about policy and practice and what it actually does.
  • To determine the degree of reliance that can be placed on the credit union’s internal controls and procedures for monitoring compliance with COPPA.
  • To determine the credit union’s compliance with COPPA, specifically, in meeting the following requirements:
    • Privacy Notice- Providing, on the website or online service, a clear, complete, and understandable written notice of its information-collection practices with regard to children that describes how the credit union collects, uses, and discloses the information;
    • Parental Consent- Obtaining, through reasonable efforts and with limited exceptions, verifiable parental consent prior to the collection, use, or disclosure of personal information from children;
    • Right of Parental Review- Providing a parent, upon request, with the means of reviewing the personal information collected from his or her child and the means with which to refuse its further use or maintenance, complying with any direction or request of a parent concerning his or her child’s personal information;
    • Prohibition of Child Conditioning- Limiting collection of personal information for a child’s online participation in a game, prize offer, or other activity to personal information that is reasonably necessary for the activity; and,
    • Confidentiality- Establishing and maintaining reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected from children.
  • To initiate effective corrective actions when violations of law are identified or when policies or internal controls are deficient.

Examination Procedures

Initial Procedures

  1. From direct observation of the credit union’s website or online service and through discussions with appropriate management officials, ascertain whether the operator is subject to COPPA by determining if it operates a website or online service that:
    1. Is directed at children that collects, uses, or discloses personal information from children; or,
    2. Knowingly collects or maintains personal information from children.

Note: Stop here if the operator does not currently operate a website that is directed to children or does not knowingly collect personal information about children. In these cases the operator is not subject to COPPA, and no further examination for COPPA is necessary.

  1. Determine if the operator is participating in an FTC-approved self-regulatory program (§ 312.11).
    1. If it is, obtain a copy of the program and supporting documentation, such as reviews or audits that demonstrate the credit union’s compliance with the program. If the self-regulatory authority (SRA) determined that the operator was in compliance with COPPA at the most recent review or audit or has not yet made a determination, no further examination for COPPA is necessary. If, on the other hand, the SRA determined that the operator was not in compliance with COPPA and the operator has not taken appropriate corrective action, continue with the remaining procedures.
    2. If the operator is not participating in a FTC-approved self-regulatory program, continue with the remaining procedures.
  2. Determine, through a review of available information, whether the credit union’s internal controls are adequate to ensure compliance with COPPA. Consider the following:
    1. Organization chart, to determine who is responsible for the credit union’s compliance with COPPA;
    2. Process flowcharts, to determine how the credit union’s COPPA compliance is planned for, evaluated, and achieved;
    3. Policies and procedures that relate to COPPA compliance;
    4. Methods of collecting or maintaining personal information from the website or online service;
    5. List of data elements collected from any children and a description of how the data are used and protected;
    6. List of data elements collected from any children that are disclosed to third parties, and any contracts or agreements with those third parties governing the use of that personal information;
    7. Complaints regarding the treatment of data collected from a child; and,
    8. Internal checklists, worksheets, and other review documents.
  3. Review applicable audit and compliance review material, including workpapers, checklists, and reports, to determine whether:
    1. The procedures address the COPPA provisions applicable to the operator;
    2. Effective corrective action occurred in response to previously identified deficiencies;
    3. The audits and reviews performed were reasonable and accurate;
    4. Deficiencies, their causes, and the effective corrective actions are consistently reported to management or members of the board of directors; and,
    5. The frequency of the compliance review is satisfactory.
  4. Review, as available, a sample of complaints that allege the inappropriate collection, sharing, or use of data from a child to determine whether there are any areas of concern.
  5. Based on the results of the foregoing, determine the depth of the examination review, focusing on the areas of particular risk. The procedures to be employed depend on the adequacy of the credit union’s compliance management system and the level of risk identified.

Verification Procedures

  1. Review the notice describing the credit union’s information practices with regard to children to determine whether it is clearly and prominently placed on the website and contains all information required by the regulation. (§ 312.4)
  2. Obtain a sample of data collected from children, including data shared with third parties, if applicable, and determine whether:
    1. The operator has established and maintained reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from a child; (§ 312.3 and § 312.8)
    2. Data are collected, used, and shared in accordance with the credit union’s website notice; (§ 312.3 and § 312.4)
    3. Parental permission was obtained prior to the use, collection, or sharing of personal information, including consent to any material change in such practices; and, (§ 312.5(a))
    4. Data are collected, used, and shared in accordance with parental consent. (§ 312.5 and § 312.6)
  3. Through testing or management’s demonstration of the website or online service and a review of a sample of parental consent forms or other documentation, determine whether the operator has a reasonable method for verifying that the person providing the consent is the child’s parent. (§ 312.5(b)(2))
  4. Review a sample of parental requests for personal information provided by their children, and verify that the operator:
    1. Provided, upon request, a description of the specific types of personal information collected; (§ 312.6(a)(1))
    2. Complied with a parent’s instructions concerning the collection, use, maintenance, or disclosure of his or her child’s personal information; (§ 312.6(a)(2))
    3. Allowed a parent to review any personal information collected from the child; and, (§ 312.6(a)(3))
    4. Verified that the person requesting personal information is a parent of the child; (§312.6(a)(3))
  5. Through testing or management’s demonstration of the website or online service, verify that the operator does not condition a child’s participation in a game, offering of a prize, or another activity on the child’s disclosure of more personal information than is reasonably necessary to participate in the activity. (§ 312.7)

CHILDREN’S ONLINE PRIVACY PROTECTION ACT
(COPPA)
CHECKLIST

General Requirements

General Requirements
Item Description YES NO N/A
1 Does the credit union’s website or online service include a notice of what information is collected from children, how it uses the information, and its disclosure practices for the information? (§ 312.3(a))      
2 Does the credit union’s website or online service credit union’s obtain verifiable parental consent prior to any collection, use and/or disclosure of personal information from children? (§ 312.3(b))      
3 Does the credit union’s website or online service provide a reasonable means for a parent to review personal information collected from a child and refuse to allow its further use? (§ 314.3(c))      
4 Does the credit union’s website or online service not require a child to participate in a game, offer a prize, or other activity in return for disclosing more personal information than is reasonably necessary to participate in the activity? (§ 314.3(d))      
5 Did the credit union establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children? (§ 312.3(e))      

Direct Notice to Parent and Notice on Website or Online Service

Direct Notice to Parent and Notice on Website or Online Service
Item Description YES NO N/A
6 Does the operator make reasonable efforts to ensure that a parent of the child receives the notice? (§ 312.4(b))      
7 Does the operator make reasonable efforts, taking into account available technology, to ensure that the parent of a child receives direct notice of the operator’s practices with regard to the collection, use, or disclosure of personal information from the child? (§ 312.4(c))      
7(a) Where an operator seeks to obtain a parent’s verifiable consent prior to collection, use, or disclosure of a child’s personal information, does the direct notice: N/A N/A N/A
7(a)(i) State that the operator has collected the parent’s online contact information from the child, and, if such is the case, the name of the child or the parent, in order to obtain the parent’s consent;      
7(a)(ii) State that the parent’s consent is required for the collection, use, or disclosure of such information, and that the operator will not collect, use, or disclose any personal information from the child if the parent does not provide such consent;      
7(a)(iii) Set forth the additional items of personal information the operator intends to collect from the child, or the potential opportunities for the disclosure of personal information, should the parent provide consent;      
7(a)(iv) Contain a hyperlink to the operator’s online notice of its information practices (i.e., its privacy policy);      
7(a)(v) Provide the means by which the parent can provide verifiable consent to the collection, use, and disclosure of the information; and      
7(a)(vi) State that if the parent does not provide consent within a reasonable time from the date the direct notice was sent, the operator will delete the parent’s online contact information from its records? (§ 312.4(c)(1))      
7(b) Where an operator voluntarily seeks to provide notice to a parent of a child’s online activities that do not involve the collection, use, or disclosure of personal information, does the direct notice: N/A N/A N/A
7(b)(i) State that the operator has collected the parent’s online contact information from the child in order to provide notice to, and subsequently update the parent about, a child’s participation in a website or online service that does not otherwise collect, use, or disclose a child’s personal information;      
7(b)(ii) State that the parent’s online contact information will not be used or disclosed for any other purpose;      
7(b)(iii) State that the parent may refuse to permit the child’s participation in the website or online service and may require the deletion of the parent’s online contact information, and how the parent can do so; and      
7(b)(iv) Provide a hyperlink to the operator’s online notice of its information practices? (§ 312.4(c)(2))      
7(c) Where an operator intends to communicate with the child multiple times via the child’s online contact information and collects no other information, does the direct notice: N/A N/A N/A
7(c)(i) State that the operator has collected the child’s online contact information from the child in order to provide multiple online communications to the child;      
7(c)(ii) State that the operator has collected the parent’s online contact information from the child in order to notify the parent that the child has registered to receive multiple online communications from the operator;      
7(c)(iii) State that the online contact information collected from the child will not be used for any other purpose, disclosed, or combined with any other information collected from the child;      
7(c)(iv) State that the parent may refuse to permit further contact with the child and require the deletion of the parent’s and child’s online contact information, and how the parent can do so;      
7(c)(v) State that if the parent fails to respond to this direct notice, the operator may use the online contact information collected from the child for the purpose stated in the direct notice; and      
7(c)(vi) Provide a hyperlink to the operator’s online notice of its information practices? (§ 312.4(c)(3))      
7(d) Where the operator’s purpose for collecting a child’s and a parent’s name and online contact information is to protect a child’s safety and the information is not used or disclosed for any other purpose, does the direct notice: N/A N/A N/A
7(d)(i) State that the operator has collected the name and the online contact information of the child and the parent in order to protect the safety of a child;      
7(d)(ii) State that the information will not be used or disclosed for any purpose unrelated to the child’ safety;      
7(d)(iii) State that the parent may refuse to permit the use, and require the deletion, of the information collected, and how the parent can do so;      
7(d)(iv) State that if the parent fails to respond to this direct notice, the operator may use the information for the purpose stated in the direct notice; and      
7(d)(v) Provide a hyperlink to the operator’s online notice of its information practices? (§ 312.4(c)(4))      
8 Does the notice on website or online service state: N/A N/A N/A
8(a) The name, address, telephone number, and e-mail address of all operators collecting or maintaining personal information from any children through the website or online service, or the same information for one operator who will respond to all inquiries along with the names of all operators; (§ 312.4(d))      
8(b) A description of what information the operator collects from a child, including whether the operator enables children to make their personal information publicly available; (§ 312.4(d))      
8(c) How the information is or may be used; and, (§ 312.4(d))      
8(d) That a parent may review and have the child’s personal information deleted, may refuse to permit further collection or use of the child’s information, and is provided with the procedures for doing so? (§ 312.4(d))      
8(e) If the information is disclosed to third parties, determine whether: N/A N/A N/A
8(e)(i) The third parties have agreed to maintain the confidentiality, security, and integrity of the information (§ 312.8); and,      
8(e)(ii) The parent has the option to consent to the collection and use of the information without consenting to the disclosure of the information to third parties. (§ 312.5(a))      
8(f) That the operator is prohibited from conditioning a child’s participation in an activity on the disclosure of more information than is reasonably necessary to participate in such activity. (§ 312.7)      

Parental Consent

Parental Consent
Item Description YES NO N/A
9 Does the operator obtain the consent of the parent prior to any collection, use, or disclosure of personal information from any children, outside the exceptions listed in section 312.5(c)? (§ 312.5(a)(1))      
10 If changes to the policy on collecting, using, or disclosing data on children occurred, does the operator request and review updated consent forms or documentation and determine whether parental permission is still in effect? (§ 312.5(a))      
11 Does the operator have a reasonable method for verifying that the person providing the consent is the child’s parent? (§ 312.5(b))      

Right of Parent to Review Personal Information Provided by a Child

Right of Parent to Review Personal Information Provided by a Child
Item Description YES NO N/A
12 Does the operator respond to parental requests to review information provided by their children by providing:      
12(a) A description of the specific types of personal information collected (§ 312.6(a)(1))      
12(b) The opportunity for the parent to refuse to permit the further use or collection of personal information and to direct the operator to delete the child’s personal information (§ 312.6(a)(2))      
12(c) Procedures for reviewing any personal information collected from the child (§ 312.6(a)(3))      
12(d) Adequate procedures to ensure that those persons requesting information are parents of the child in question (§ 312.6(a)(3))      

Prohibition against Conditioning a Child’s Participation on Collection of Personal Information

Prohibition against Conditioning a Child’s Participation on Collection of Personal Information
Item Description YES NO N/A
13 Does the operator refrain from conditioning a child’s participation in a game, the offering of a prize, or another activity on the child’s disclosure of more personal information than necessary to participate? (§ 312.7)      

Confidentiality, Security, and Integrity of Personal Information Collected from a Child

Confidentiality, Security, and Integrity of Personal Information Collected from a Child
Item Description YES NO N/A
14 Does the operator maintain reasonable policies and procedures for protecting a child’s personal information from loss, misuse, unauthorized access, or disclosure? (§ 312.8)