mvelie | 13 years ago

Simple answer: Don't get information from kids under 13 unless you have parents' permission. You must also have a privacy policy.

Complex answer: How you determine if the person is under 13 and how you get the parents' permission can be done a lot of different ways. One of the most popular is doing a test charge against a credit card number, assuming kids won't have those.

codev|13 years ago

That isn't how it works. COPPA is pretty narrowly defined.

You only have to take action to get parent's permission if:

a) Your site or app is very specifically targeting children (LEGO or Disney for example)

b) You have asked for some information from the user that positively identifies them as a child - birthdate is the main one

Path were fined because they asked for birthdate during the signup process and then allowed registration even if the user was under 13.

citricsquid|13 years ago

wait wait wait, surely putting "You cannot use this website if you are under 13" in their terms of service is enough? I know COPPA is pretty ridiculous but if they require actual proactive enforcement of no under 13s they would literally break the internet.

I thought that there were 2 options with COPPA compliance: Allow <13s to register and have an email sent to their parents IF they select that they are under 13 OR disallow under 13s through a terms of service "Do not register if you are under 13" type clause. Is that not compliant?

BoyWizard|13 years ago

I'm not an expert, but I imagine there's something in there about if you know people under 13 are using your product and they shouldn't be, you have to proactively do something about it. Facebook delete accounts belonging to minors, perhaps Path weren't and this played into it?

Terretta|13 years ago

> wait wait wait, surely putting "You cannot use this website if you are under 13" in their terms of service is enough?

Absolutely categorically not.

A ToS clause alone has been tested and found not compliant.

For a while, when the ToS clause was tested and failed, the panic reaction acid test was asking for a valid CC.

Over the past decade best practice has relaxed to a gating page asking for confirmation of over age, or, for the more cautious, asking for the user to explicitly provide their birth year (not birthday).

droopybuns|13 years ago

Is the simplest answer then to have a T.o.S. that states no one under 13 is allowed to use your product until you can afford staff charged with handling security & privacy?

Then you can CFAA those little twerps.