
Thursday, December 18, 2014


Compliance Corner: Fourth Quarter 2003

If Your Institution's Website Has a Place for Kids... Think: COPPA

Is your institution's website interactive? Does it have a page oriented towards children or does it have links to offer children online participation in games, prize offerings, or other activities?

If so, your institution's compliance program should include adequate mechanisms to comply with the Children's Online Privacy Protection Act of 1998, otherwise known as COPPA (15 USC 6501). On November 3, 1999, the Federal Trade Commission (FTC) issued a regulation, the Children's Online Privacy Protection Rule (16 CFR 312), to implement COPPA.1 This rule became effective on April 21, 2000.

Financial institutions are subject to COPPA if they operate a website or online service directed to children, or if they have actual knowledge that they are collecting or maintaining personal information from a child online. To ensure that financial institutions comply with its provisions, COPPA grants federal financial regulatory agencies, such as the Federal Reserve, the authority to enforce COPPA at the institutions they supervise. Accordingly, on October 3, 2003, the Board of Governors of the Federal Reserve System released formal procedures for its bank examiners to use in assessing state member banks' compliance management policies and procedures regarding COPPA.

First, this article reviews the general provisions of COPPA. Then, specific examination procedures are discussed in further detail.

General Provisions of COPPA
COPPA provides definitions of the terms "child," "children," and "personal information," and contains notification and parental consent requirements. Some of the general provisions of COPPA are as follows.

  • Child or Children mean individuals under the age of 13.
  • Personal Information means individually identifiable information about an individual collected online, including first and last names, home address, e-mail address, telephone number, Social Security number, or any combination of information that permits physical or online contact.

The FTC's COPPA regulation requires an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting or maintaining personal information from a child, to:

  • Provide a clear, complete, and understandably written notice on the website or online service detailing their information collection practices with respect to children, and describing how the operator collects, uses, and discloses the information.
  • Obtain, through reasonable efforts and with limited exceptions, verifiable parental consent prior to the collection, use, or disclosure of personal information from children.
  • Provide a parent, upon request, with the means to review the personal information collected from his/her child and to refuse to permit its further use or maintenance.
  • Limit collection of personal information for a child's online participation in a game, prize offer, or other activity to information that is reasonably necessary for the activity.
  • Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected from children.

Website Notification Requirements
If a financial institution offers a website or online service directed to children, then the institution must post a link to a notice of its information practices with respect to children on its home page and everywhere on the site or service where it collects personal information from any child. If the institution offers a general audience website that has a separate children's area, the institution must post a link to its notice on the home page of the children's area.

The notice links must be placed in a clear and prominent place on the institution's website home page or online service. A financial institution can satisfy the clear and prominent requirement by, for example, using a larger font size in a different color on a contrasting background. A link in small print at the bottom of a home page or a link that is indistinguishable from other adjacent links does not satisfy the clear and prominent guidelines.

At a minimum, the website notice must include all of the following disclosures:

  • The name, address, telephone number, and e-mail address of the financial institution or any website operators that collect or maintain information from any children through the website or online service. If a financial institution has designated one entity or party to respond to inquiries regarding various operators, then the disclosure of the name, address, telephone number, and e-mail address of the designated entity, together with disclosed names of any other operators, will suffice.
  • The types of personal information that may be collected from children and how the information is collected.
  • How the financial institution or any other website operator uses or may use the personal information.
  • Whether or not the institution or any other website operator discloses collected information to other parties. If the institution or other website operator discloses information that it collects, then the notice must state the purposes for which the information is used and whether the other parties have agreed to maintain the confidentiality, security, and integrity of the information. In addition, the notice must disclose that the parent has the option to consent to the collection and use of the information without consenting to the disclosure of the information to other parties.
  • That the institution or other website operator may not require as a condition of participation in an activity that a child disclose more information than is reasonably necessary to participate in such activity.
  • That a parent can review his or her child's personal information, have it deleted, and refuse to allow any further collection or use of the child's information, and state the procedures for doing so.

Parental Consent Notification Requirements
The FTC's COPPA regulation requires a financial institution or other website operator to obtain verifiable parental consent prior to any collection, use, or disclosure of personal information from children. In this regard, the institution or website operator must make reasonable efforts to provide a parent with notice of the institution's or operator's information practices with respect to children.

Any notice seeking parental consent must include both of the following disclosures:

  • That the operator wishes to collect personal information from the parent's child.
  • That the parent's consent is required for the collection, use, and disclosure of the information obtained.

The notice must also inform a parent as to how the parent can provide consent. Methods that a financial institution may use to obtain verifiable parental consent include:

  • Obtaining a signed consent form from a parent through postal mail or facsimile.
  • Accepting and verifying a credit card number.
  • Taking a parent's telephone call through a toll-free telephone number staffed by trained personnel.
  • Receiving an e-mail accompanied by a digital signature.
  • Allowing an e-mail accompanied by a PIN or password obtained through one of the preceding verification methods.

The Sliding Scale Approach. When the regulation became effective on April 21, 2000, it included the so-called sliding scale approach for obtaining parental consent, which ties the required method of consent to how a child's personal information will be used. If the child's personal information is to be used only for internal purposes, including use by an operating subsidiary or affiliate of the institution, then a less rigorous method of consent is permitted.2 Conversely, if the institution discloses the information to external parties, the regulation presumes that the child's privacy is at greater risk, and a more rigorous or reliable method of consent is required. At present, for purposes of the regulation, the more reliable methods are those listed in the preceding bullet points. Initially, the sliding scale approach was to be phased out by April 21, 2002, as policy makers anticipated ongoing technical developments that would provide more reliable methods of identity verification. The phase-out has since been extended to April 21, 2005.

Other Parental Consent Provisions. The regulation allows a parent to permit a website operator to collect and use information about a child while prohibiting the operator from disclosing the child's information to external parties. In addition, should a material change occur in the institution's existing practices regarding the collection, use, or disclosure of a child's personal information, the regulation requires the institution or website operator to send the parent a new notice requesting parental consent.

Exceptions to Parental Consent Requirements. Currently, the regulation permits exceptions to the prior parental consent requirement when a financial institution collects only the following information, for only the following purposes:

  • A parent or child's name or other online contact information solely to obtain consent or to provide notice. If the institution or website operator has not obtained parental consent after a reasonable time from the date of the information collection, the operator must delete such information from its records.
  • A child's online contact information solely to respond on a one-time basis to a specific request from the child, if the information is not used to recontact the child, and is deleted by the operator.
  • A child's online contact information to respond more than once to a specific request of the child (for example, a request to receive a monthly on-line newsletter), provided the parent is notified and allowed to request that the information not be used further.
  • A child's name and online contact information to be used solely to (i) protect the child's safety, (ii) protect the security of the website, (iii) take precautions against liability, or (iv) respond to judicial process, law enforcement agencies, or an investigation related to public safety.

Other Requirements
The regulation stipulates that, upon a parent's request, a financial institution or website operator must provide the parent with a description of the types of personal information collected from a child and the means for a parent to review the information. In this regard, the institution or operator must have mechanisms in place to ensure that the person making a request is actually the child's parent.

The regulation allows parents to refuse to permit an operator to continue to use or to collect their child's personal information in the future and to instruct the institution or operator to delete the information. Should a parent refuse permission, the institution or operator may terminate its service to that child.

The regulation requires institutions and operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from any child.

The regulation provides for a "safe harbor" from the requirements of COPPA. To receive a safe harbor, the institution or operator must participate in a COPPA self-regulatory program that has been approved by the FTC. The self-regulatory program must have guidelines requiring that the institution or operator implement requirements that are substantially similar to the requirements of §§ 312.2 through 312.9 and that provide the same or greater protections for a child. Also, the self-regulatory program must include an effective, mandatory mechanism for assessing the institution's or operator's overall compliance with the program and COPPA, and the program's structure should include appropriate incentives to ensure program compliance.

Federal Reserve System COPPA Examination Procedures at State Member Banks

The Division of Consumer and Community Affairs of the Federal Reserve System issued examination procedures for COPPA on October 3, 2003, for immediate use by Federal Reserve System examiners. The procedures establish four examination objectives, as follows:

  • To assess whether or not the institution's policies and procedures as disclosed in its COPPA notices are consistent with its actual practices regarding activities that are subject to COPPA.
  • To determine the reliance that can be placed on the institution's internal controls and procedures with respect to monitoring its compliance with COPPA.
  • To determine the extent of the institution's compliance with various notification provisions, parental consent provisions, and other requirements and restrictions of COPPA.
  • To initiate appropriate corrective action when violations of COPPA are identified, or when the institution's COPPA-related policies or internal controls are deficient.

Under the procedures, examiners must first determine through observation or discussion with management whether the institution operates a website that is directed to children or knowingly collects information about children. If not, then no further examination for compliance with COPPA is necessary.

If the institution does operate a website directed to children or knowingly collects information about children, and thus is subject to COPPA, examiners will then determine whether the institution participates in an FTC-approved self-regulatory program. If so, examiners will request written documentation of the program and any supporting documentation of reviews or audits regarding the institution's compliance with the program. If the self-regulatory authority (SRA) has determined during the most recent audit or review that the institution is in compliance with COPPA, or if the SRA has not yet made a determination, examiners will not proceed further with the COPPA-related examination procedures. However, if the SRA has determined that the institution is not in compliance with COPPA and the institution has not taken appropriate corrective action, then examiners will proceed with the COPPA examination.

In assessing the institution's compliance with COPPA, the examination procedures instruct examiners to determine if the institution's internal controls are adequate to ensure compliance. In this regard, examiners will consider the following, as applicable:

  • Organization charts showing responsibility for COPPA compliance.
  • Process flow charts showing how COPPA compliance is ensured.
  • Methods of collecting and maintaining children's personal information obtained through a website.
  • Any complaints regarding the treatment of data collected through a website.

Examiners will also review any applicable audits, compliance reviews, workpapers, checklists, or other reviews completed by or on behalf of the financial institution related to its compliance with COPPA. Based on the results of these reviews, examiners will determine the depth that should be given to any ongoing review of the institution's compliance with COPPA, focusing on areas of identified risk.

After assessing the control environment, examiners will assess the institution's compliance with specific provisions of the act and regulation. Examiners will follow verification procedures to confirm or test for the following:

  • That the institution's website notice contains all of the requisite information and that the information is clearly and prominently displayed.
  • That the institution has established reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from a child.
  • That the institution collects, uses, and shares data only in accordance with its website notice.
  • That the institution obtains verifiable parental consent prior to its collection, use, or sharing of information from children.
  • That the institution collects, uses, and shares data only in accordance with the consent the parent has given.
  • That the institution maintains reasonable procedures for verifying that the person providing parental consent is actually the child's parent.
  • That the institution maintains reasonable procedures to provide, upon a parent's request, a description of the specific types of personal information collected from a child.
  • That the institution maintains reasonable procedures to allow a parent to review any personal information collected from a child.
  • That the institution does not condition a child's participation in a game, prize offering, or any activity upon the child's disclosure of more personal information than is reasonably necessary to participate in the activity.

Upon concluding a review of COPPA compliance, examiners will summarize any regulatory violations, other findings, and supervisory concerns. Examiners will discuss any violations or concerns with management, identifying appropriate action or measures management should take to address the violations or concerns and obtaining management's commitment to implement corrective action.

Summary
Financial institutions must comply with COPPA and the FTC regulation implementing COPPA if they operate a website or online service directed to children or have actual knowledge that they are collecting or maintaining personal information from a child online. COPPA subjects website operators, including financial institutions, to various requirements with respect to notifications on websites and parental consent regarding information collected from children. Accordingly, financial institutions that are subject to COPPA should have compliance programs that provide adequate mechanisms to comply with COPPA, including sufficient management oversight, internal controls, compliance reviews, and staff training. In addition, financial institutions in the Third Federal Reserve District are encouraged to consult with their primary federal regulator and appropriate legal counsel for additional guidance with respect to COPPA.

If you have any questions regarding COPPA or the Federal Reserve Bank of Philadelphia's approach to ensuring state member bank compliance with COPPA and the FTC's implementing rule, please contact Supervising Examiners Robert Snarr or John Fields through the Regulations Assistance Line at (215) 574-6568.

  • 1 The Children's Online Privacy Protection Rule, 16 CFR 312.
  • 2 Financial institutions or website operators that use a child's personal information internally may use e-mail to obtain parental consent, provided the institution or operator takes additional steps to verify that a parent is the person providing consent. This could include methods such as confirming receipt of consent by e-mail, letter, or telephone call. Operators that use such methods must also provide notice that the parent can revoke consent.

The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.

Contact Us

Federal Reserve Bank
of Philadelphia
Supervision, Regulation & Credit
Ten Independence Mall
Philadelphia, PA 19106-1574

phil.src.admin@phil.frb.org