COPPA, and Not “The Copa”

The Children’s Online Privacy Protection Act (COPPA) is the topic of the day, and not the Italian word for “cup” or the famous nightclub in NYC that was the topic of the late seventies’ song by Barry Manilow. Now that summer is in full swing, I was listening to Yacht Rock radio (as I always do in the summer) thinking about a topic for my next blog and well, the song came on. So, anyway, moving on to COPPA…

First, a refresher. COPPA was put in place more than 25 years ago, in 1998, to allow parents (or guardians) to control what information is collected online about their children who are under 13 years of age. COPPA imposes certain requirements on operators of websites or online services directed to children under 13, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under the age of 13.

Credit unions must comply with COPPA if any of the following apply:

  • If the credit union’s website/online service is directed to children under 13 and the credit union collects personal information from them, it must comply with COPPA.
  • If the credit union’s website/online service is directed to children under 13 and the credit union allows others to collect personal information from them, the credit union must comply with COPPA.
  • If the credit union’s website/online service is directed to a general audience but the credit union knows that it collects personal information from children under 13, the credit union must comply with COPPA.

From an NCUA examination perspective, credit unions will want to ensure that their policy and procedures are in line with what’s “in practice.” Complying with COPPA includes the following:

  • COPPA Privacy Notice: Providing, on the website or online service, a clear written notice that meets the requirements of COPPA. The privacy policy must detail the credit union’s information-collection practices with regard to children, describing how the credit union collects, uses, and discloses the information;
  • Obtain Parental Consent: Prior to the collection, use, or disclosure of personal information from children, the credit union must obtain, through reasonable efforts and with limited exceptions, verifiable parental consent;
  • Right of Parental Review: Providing a parent, upon request, with the means of reviewing the personal information collected from his or her child and the means with which to refuse its further use or maintenance, and complying with any direction or request of a parent concerning his or her child’s personal information;
  • Prohibition of Child Conditioning: Limiting collection of personal information for a child’s online participation in a game, prize offer, or other activity to personal information that is reasonably necessary for the activity; and
  • Confidentiality: Establishing and maintaining reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected from children.

Earlier this year, the Federal Trade Commission (FTC) issued a Notice of Proposed Rulemaking (NPRM) to modernize COPPA given the ever-changing digital landscape that we live in today. The proposed modifications issued in the NPRM are intended to clarify the scope of COPPA and strengthen the protection of personal information collected from children. Modifications included such things as a separate consent for each type of data use collected, enhanced security requirements, and stricter data retention timing requirements. The comment period closed in March, but it is my understanding that it could take some time before a final rule is issued.

Resources:

COPPA Resources from the FTC

NCUA Compliance Management COPPA Resources

Federal Compliance Research and Analysis Manager
America's Credit Unions