Is your institution's website interactive? Does it have a page oriented towards children or does it have links to offer children online participation in games, prize offerings, or other activities?
If so, your institution's compliance program should include adequate mechanisms to comply with the Children's Online Privacy Protection Act of 1998, otherwise known as COPPA (15 USC 6501). On November 3, 1999, the Federal Trade Commission (FTC) issued a regulation, the Children's Online Privacy Protection Rule (16 CFR 312), to implement COPPA.1 This rule became effective on April 21, 2000.
Financial institutions are subject to COPPA if they operate a website(s) or online service(s) directed to children or have actual knowledge that they are collecting or maintaining personal information from a child online. To ensure that financial institutions comply with its provisions, COPPA grants federal financial regulatory agencies such as the Federal Reserve with the authority to enforce COPPA at the institutions they supervise. Accordingly, on October 3, 2003, the Board of Governors of the Federal Reserve System released formal procedures for its bank examiners to use in assessing state member banks' compliance management policies and procedures regarding COPPA.
First, this article reviews the general provisions of COPPA. Then, specific examination procedures are discussed in further detail.
General Provisions of COPPA
COPPA provides definitions of the terms "child," "children," and "personal information," and contains notification and parental consent requirements. Some of the general provisions of COPPA are as follows.
The FTC's COPPA regulation requires an operator of a website or online service directed to a child, or any operators who have actual knowledge that they are collecting or maintaining personal information from a child, to:
Website Notification Requirements
If a financial institution offers a website or online service directed to children, then the institution must post a link to a notice of its information practices with respect to children on its home page and everywhere on the site or service where it collects personal information from any child. If the institution offers a general audience website that has a separate children's area, the institution must post a link to its notice on the home page of the children's area.
The notice links must be placed in a clear and prominent place on the institution's website home page or online service. A financial institution can satisfy the clear and prominent requirement by, for example, using a larger font size in a different color on a contrasting background. A link in small print at the bottom of a home page or a link that is indistinguishable from other adjacent links does not satisfy the clear and prominent guidelines.
At a minimum, the website notice must include all of the following disclosures:
Parental Consent Notification Requirements
The FTC's COPPA regulation requires a financial institution or other website operator to obtain verifiable parental consent prior to any collection, use, or disclosure of personal information from children. In this regard, the institution or web site operator must make reasonable efforts to provide a parent with notice of the institution or operator's information practices with respect to children.
Any notice seeking parental consent must include both of the following disclosures:
The notice must also inform a parent as to how the parent can provide consent. Methods that a financial institution may use to obtain verifiable parental consent include:
The Sliding Scale Approach. When the regulation became effective on April 21, 2000, it included the so-called sliding scale approach for obtaining parental consent, predicating the required method of consent upon the nature of the usage of a child's personal information. If the child's personal information is to be used for internal purposes, including usage by an operating subsidiary or affiliate of the institution, then a less rigorous method of consent is required.2 Conversely, if the institution discloses the information to external parties, there is the presumption that a child's privacy is at greater risk, and hence a more rigorous or reliable method of consent is required. At present, for purposes of the regulation, the more reliable methods include the methods that are listed in the preceding bullet points. Initially, the sliding scale approach was to be phased out by April 21, 2002, as policy makers anticipated ongoing technical developments that would provide for more reliable methods of identity verification. The phase-out has since been extended to April 21, 2005.
Other Parental Consent Provisions. The regulation allows a parent to permit a website operator to collect and use information about a child while prohibiting the operator from disclosing the child's information to external parties. In addition, should a material change occur in the institution's existing practices regarding the collection, use, or disclosure of a child's personal information, the regulation requires the institution or website operator to send the parent a new notice requesting parental consent.
Exceptions to Parental Consent Requirements. Currently, the regulation permits exceptions to the prior parental consent requirement when a financial institution is collecting information for any of the following purposes:
The regulation stipulates that, upon a parent's request, a financial institution or website operator must provide the parent with a description of the types of personal information collected from a child and the means for a parent to review the information. In this regard, the institution or operator must have mechanisms in place to ensure that the person making a request is actually the child's parent.
The regulation allows parents to refuse to permit an operator to continue to use or to collect their child's personal information in the future and to instruct the institution or operator to delete the information. Should a parent refuse permission, the institution or operator may terminate its service to that child.
The regulation requires institutions and operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from any child.
The regulation provides for a "safe harbor" from the requirements of COPPA. To receive a safe harbor, the institution or operator must establish, with the approval of the FTC, a COPPA self-regulatory program. The self-regulatory program must have guidelines requiring that the institution or operator implement requirements that are substantially similar to the requirements of §§312.2-312.9 and that provide for the same or greater protections for a child. Also, the self-regulatory program must include an effective, mandatory mechanism for assessing the institution or operator's overall compliance with the program and COPPA, and the program's structure should include appropriate incentives to ensure program compliance.
Federal Reserve System COPPA Examination Procedures
at State Member Banks
The Division of Consumer and Community Affairs of the Federal Reserve System issued examination procedures for COPPA on October 3, 2003, for immediate use by Federal Reserve System examiners. The procedures establish four examination objectives, as follows:
Under the procedures, examiners must first determine through observation or discussion with management whether the institution operates a website that is directed to children or knowingly collects information about children. If not, then no further examination for compliance with COPPA is necessary.
If the institution does operate a website directed to children or knowingly collects information about children, and thus is subject to COPPA, examiners will then determine if the institution participates in a FTC-approved self-regulatory program. If so, examiners will request written documentation of the program and any supporting documentation of reviews or audits regarding the institution's compliance with the program. If the self-regulatory authority (SRA) has determined during the most recent audit or review that the institution is in compliance with COPPA, or if the SRA has not yet made a determination, examiners will not proceed further with the COPPA-related examination procedures. However, if the SRA has determined that the institution is not in compliance with COPPA and the institution has not taken appropriate corrective action, then examiners will proceed with the COPPA examination.
In assessing the institution's compliance with COPPA, the examination procedures instruct examiners to determine if the institution's internal controls are adequate to ensure compliance. In this regard, examiners will consider the following, as applicable:
Examiners will also review any applicable audits, compliance reviews, workpapers, checklists, or other reviews completed by or on behalf of the financial institution related to its compliance with COPPA. Based on the results of these reviews, examiners will determine the depth that should be given to any ongoing review of the institution's compliance with COPPA, focusing on areas of identified risk.
After assessing the control environment, examiners will assess the institution's compliance with specific provisions of the act and regulation. Examiners will follow verification procedures to confirm or test for the following:
Upon concluding a review of COPPA compliance, examiners will summarize any regulatory violations, other findings, and supervisory concerns. Examiners will discuss any violations or concerns with management, identifying appropriate action or measures management should take to address the violations or concerns and obtaining management's commitment to implement corrective action.
Financial institutions must comply with COPPA and the FTC regulation implementing COPPA if they operate a website(s) or online service(s) directed to children or have actual knowledge that they are collecting or maintaining personal information from a child online. COPPA subjects website operators, including financial institutions, to various requirements with respect to notifications on websites and parental consent regarding information collected from children. Accordingly, financial institutions that are subject to COPPA should have compliance programs that provide for adequate mechanisms to comply with COPPA, including sufficient management oversight, internal controls, compliance reviews, and staff training. In addition, financial institutions in the Third Federal Reserve District are encouraged to consult with their primary federal regulator and appropriate legal counsel for additional guidance with respect to COPPA.
If you have any questions regarding COPPA or the Federal Reserve Bank of Philadelphia's approach to ensuring state member bank compliance with COPPA and the FTC's implementing rule, please contact Supervising Examiners Robert Snarr or John Fields through the Regulations Assistance Line at (215) 574-6568.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.