This friday (April 21, 2000) COPPA goes in to effect in the United States. Under COPPA (FTC Rule 16 C.F.R Part 312) web sites can not collect any information from Children under the age of 13 with out "verifiable parental consent" or face a $10,000 fine for each child.
The statute defines "verifiable parental consent" as "any reasonable effort (taking into consideration available technology) ... to ensure that a parent of a child ... authorizes the collection, use, and disclosure" of a child's personal information.
<font color=red> I strongly suggest that everyone read the rules. </font color=red> <A HREF="http://www.ftc.gov/opa/1999/9910/childfinal.htm " target="_new">http://www.ftc.gov/opa/1999/9910/childfinal.htm </A>
I am posting this message in WISHLIST because I think we need a way to check a users age on account setup. If that users is under 13, the account setup needs to end.
-Ken Torbeck <font color=blue>WWW.INFOSITE.</font color=blue><font color=red>ORG</font color=red> Special Needs & disAbilities Info. Center
This shouldn't be too tough. I can get another minor release put out that can have an age check on new user signup and if the age is under 13 then it won't send out the new user confirmation or create the account and come back with an error message.
We would need to associate this with a Disclaimer as well probably. I believe Eileen had something before so if someone knows where that is or if someone can write one up that would cover everybody on this I can work on getting the code changed and a release put out.
Could the text of the confirmation message be stored in an include file, maybe with a few tag or markup options like "[boardname], [RegIPNumber], [password], etc".
I think it would make easier for including the required privacy statements. I really feel stupid I missed that this one was coming before now. -Ken Torbeck <font color=blue>WWW.INFOSITE.</font color=blue><font color=red>ORG</font color=red> Special Needs & disAbilities Info. Center
How to Comply With The Children's Online Privacy Protection Rule <A HREF="http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm" target="_new">http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm</A>
Full text of rules <A HREF="http://www.ftc.gov/os/1999/9910/64fr59888.pdf" target="_new">http://www.ftc.gov/os/1999/9910/64fr59888.pdf</A>
<img border="0" title="" alt="[Mad]" src="images/icons/mad.gif" /> I have attached a copy of the rule. -Ken Torbeck <font color=blue>WWW.INFOSITE.</font color=blue><font color=red>ORG</font color=red> Special Needs & disAbilities Info. Center
- an operator collects a child's or parent's email address to provide notice and seek consent; - an operator collects an email address to respond to a one-time request from a child and then deletes it;
<font color=white>Our legal department tells me this will let us send an email with our privacy statement, telling the users that a parent needs to contact the site to turn on the account.</font color=white>
-Ken Torbeck <font color=blue>WWW.INFOSITE.</font color=blue><font color=red>ORG</font color=red> Special Needs & disAbilities Info. Center
Actually it needs to be in the language file for portability. So what could be done is just adding a new variable that stores the generic privacy statements that get's attached to the end of the email, $lang{'PRIVACY'} = "....."; This wouldn't be too difficult, just need to know what all actually needs to be included in the variable. --- Scream <A HREF="http://www.wcsoft.net" target="_new">http://www.wcsoft.net</A>
But then you have another portion of it that states:
When operators want to disclose a child's personal information to third parties or make it publicly available (for example, through a chat room or message board), the sliding scale requires them to use a more reliable method of consent, including:
getting a signed form from the parent via postal mail or facsimile; accepting and verifying a credit card number; taking calls from parents, through a toll-free telephone number staffed by trained personnel; email accompanied by digital signature; email accompanied by a PIN or password obtained through one of the verification methods above.
So, if the child fills out his profile with his personal info then you'd have to take these extra steps.
Because of this extra step required an easy solution at this point would be to put in the field for the user's age at signup. If they put in under 13 then it can give them the general statement about account activation for underage children. Those sites that would like to can make a page and then have this general statement link to a form that could be printed out and mailed in by the parent.
I was thinking of how to keep them from hitting their back button and putting in a different age. But you really can't. If we put in a record for the username they chose then they could just put in something different for a username. If we stored their email address so they couldn't register anything else under that email address then it would be violating the new laws.
Yeah, the thing is, I'm no good at the legal mumbo jumbo. So if you or anyone knows what type of statements need to be made on the signup page, and then what needs to be stated on the page that they get if they are underage I can get this worked in and out by this evening.
If we stored their email address so they couldn't register anything else under that email address then it would be violating the new laws.
[/quote]
Violating what?? I don't think I understand this one... could you explain please? Isn't it already set up to block that (if admin chooses that option to limit one username per e-mail)? Why would this be in violation?
Because the child's email address would be in the database, and according to the new laws you can't store the email address of children under 13 without parental permissions.
I see... <img border="0" title="" alt="[Roll Eyes]" src="images/icons/rolleyes.gif" /> well, in that case, we would have to completely block access - and not even allow "reservation" of a username, right?
Well, I don't think it would be that extreme. We would have to track the age of the user, a new field in the User's table. And then if they were of legal age at the time of signup then these are fine. Like I said in an earlier post, there is no sure fire way on this to know how old the user actually is, or that they aren't lying.
Understood - but in that case, the underage user's e-mail address would have to be manually entered by admin before the password could be mailed, right? I guess it would have to be provided on the consent form.
No, I never had anything that covered this. What a cosmetic farce it all is! It will not really protect at all because those children most at risk are the ones who will lie to get around it.
This is how we will handle information we learn about you from your visit to our website. The information we receive depends upon what you do when visiting our site.
If you visit our site to read or download information, such as consumer brochures or press releases:
We collect and store only the following information about you: the name of the domain from which you access the Internet (for example, aol.com, if you are connecting from an America Online account, or princeton.edu if you are connecting from Princeton University's domain); the date and time you access our site; and the Internet address of the website from which you linked directly to our site.
We use the information we collect to measure the number of visitors to the different sections of our site, and to help us make our site more useful to visitors.
If you identify yourself by sending an E-mail:
You also may decide to send us personally-identifying information, for example, in an electronic mail message containing a complaint. We use personally-identifying information from consumers in various ways to further our consumer protection and competition activities. Visit Talk to Us to learn what can happen to the information you provide us when you send us e-mail.
We want to be very clear: We will not obtain personally-identifying information about you when you visit our site, unless you choose to provide such information to us.
-Ken Torbeck <font color=blue>WWW.INFOSITE.</font color=blue><font color=red>ORG</font color=red> Special Needs & disAbilities Info. Center
Well, I can't get real specific on the coding end of it because I don't know how the general customer base is going to want to deal with this. My original thought for now is if the user enters an age of under 13 then the user account will not be created at all, and it will serve up a general "We Cannot Proceed" message, with the information stating that because the user is under 13 the account cannot be setup, please email whoever to get more information... This way, on initial setup of the program it will be compliant. For those that want to allow kids under 13 on their forums they could edit the general message to link to a form to get the proper consent for this kid to have an account, could ask for email address, etc. And then the admin could proceed from there on how they want to handle it. --- Scream <A HREF="http://www.wcsoft.net" target="_new">http://www.wcsoft.net</A>
Ok, I'll do that. What I'll do is ask for the birthdate, and create an altertable to alter the Users table to store the birthdate, even if it's not displayed for now. Also, what type of general statement does everyone think they need on the signup page? I'm sure people will want to know why birthdate is being asked for. So, I can work on the coding if anyone else can suggest any text that needs to be added.
This is true, and the more I read about it I'm still not sure that the general sites will need this. If anyone is interested then you can take a look at a discussion on Slashdot at <A HREF="http://slashdot.org/askslashdot/00/04/18/1444248.shtml" target="_new">http://slashdot.org/askslashdot/00/04/18/1444248.shtml</A>. I think if we put in a field for their birthdate for the general setup it could lead to more problems than if the age wasn't asked for at all. A small snippet from the slashdot discussion:
<font color=blue>"If you operate a commercial Web site or an online service directed to children under 13 that collects personal information from children or if you operate a general audience Web site and have actual knowledge that it collects personal information from children, you must comply with the Children's Online Privacy Protection Act."
"Children" is defined to mean "people under the age of 13". So unless your site is directed to kids 12 and under and collects information from visitors OR you collect information and you know that you're collecting information from kids 12 and under (for instance, you make them register and include an age category with "12 and under" as one of the choices), you don't need to do much at all. Just don't ask their age! </font color=blue>
So, it will definitely be an option. For those that do target younger kids this will give them a foundation to build off of, but for the general user they can turn it off, which it will be by default. --- Scream <A HREF="http://www.wcsoft.net" target="_new">http://www.wcsoft.net</A>
Consistent with the Federal Children's Online Privacy Protection Act of 1998/2000 (COPPA), <font color=red>[yoursite]</font color=red> will never knowingly collect PII (Personally Identifiable Information) from anyone under the age of 13 without first obtaining parental consent.
If a user indicates an age below 13, <font color=red>[yoursite]</font color=red> will immediately discard all PII without collecting, using, storing, or disclosing the PII to third parties; or, prior to collecting that information, <font color=red>[yoursite]</font color=red> will implement all the requirements set forth in the COPPA, including those related to parental notice, consent, and access.
If parents wish to give consent for a child under 13 years of age they must contact <font color=red>contact information NAME/ADDRESS/PHONE NUMBER/EMAIL</font color=red>.
For more information see our Privacy Statement at <font color=red>url to statement</font color=red> and FTC Kidzprivacy website <A HREF="http://www.ftc.gov/kidzprivacy" target="_new">http://www.ftc.gov/kidzprivacy</A>.
"ARE YOU 13 YEARS OR OLDER?" (Y/N)
-Ken Torbeck <font color=blue>WWW.INFOSITE.</font color=blue><font color=red>ORG</font color=red> Special Needs & disAbilities Info. Center
Well, that should be simple enough. For those that want to turn this on I'll just have an option in the config that will ask that question:
"Are you 13 Years or older (Y/N)?"
If not then it will give the generic message of not being able to proceed. --- Scream <A HREF="http://www.wcsoft.net" target="_new">http://www.wcsoft.net</A>
Scream, I have a setup on my board that a new user cannot proceed without ticking a box, otherwise the Submit button will not activate. You can go to <A HREF="http://216.167.89.156/" target="_new">http://216.167.89.156/</A> and choose Register to see it. It uses simple JavaScript. Being in Australia I don't even know if COPPA applies to me so it would be good if this was an optional thing.
Eileen, thanks for stopping by and having a look round. The Forum User Tips is just a garden-variety random text cgi script, so whenever the homepage is refreshed or revisted a random tip is displayed. There's a couple of perl files that go in the cgi-bin, a text file you type each piece of text into and it's called by an SSI command, and really easy to setup.
The script I used is called Randex: <A HREF="http://www.cgi.com.hk/scripts/randex/" target="_new">http://www.cgi.com.hk/scripts/randex/</A> <img border="0" title="" alt="[Smile]" src="images/icons/smile.gif" />
Darren, thanks for the link. I really like your site - it has all sorts of goodies I'll be nipping over to steal. <img border="0" title="" alt="[Wink]" src="images/icons/wink.gif" />
<img border="0" title="" alt="[Smile]" src="images/icons/smile.gif" /> I LOVE this place and all who dwell in it. <img border="0" title="" alt="[Smile]" src="images/icons/smile.gif" />