The Children’s Online Privacy Protection Act (COPPA):
Application to church websites
Article summary. Congress enacted the Children’s Online Privacy Protection Act to protect children under age 13 from being solicited or contacted by pedophiles over the Internet. The Act accomplishes its purpose by imposing specific restrictions on commercial websites. While most church websites are not subject to the Act’s provisions because they are not “commercial,” a strong case for voluntary compliance can be made. This article will review the Act’s provisions, and explain why churches should consider voluntarily complying with the law.
Introduction
In the mid-1990s the Federal Trade Commission (FTC) conducted a study to identify issues associated with the online collection of personal information from children. The study included a survey of 212 commercial children’s Web sites. The survey found that while 89% of the sites collected personal information from children, only 24% posted privacy policies and only 1% required parental consent to the collection or disclosure of children’s information. This survey prompted the FTC to urge Congress to enact legislation protecting the privacy of children who use the Internet. Congress responded by enacting the Children’s Online Privacy Protection Act (COPPA) in 1998. Section 6502 of COPPA required the FTC to enact rules governing the online collection of personal information from children under 13 within one year of the date of the enactment of the COPPA, October 21, 1998. The FTC published a final rule in April of 1999, which became effective on April 21, 2000.
COPPA applies to commercial websites and online services directed to, or that knowingly collect information from, children under 13. To inform parents of their information practices, these sites are required to provide notice on the site and to parents about their policies with respect to the collection, use and disclosure of children’s personal information. With certain exceptions, sites also have to obtain “verifiable parental consent” before collecting, using or disclosing personal information from children.
Are church websites subject to COPPA?
Most churches that have websites are not required to comply with COPPA. COPPA only applies to any “operator” of a commercial website or an online service (1) directed to children under 13 that collects personal information from children, or (2) that operates a general audience website and has actual knowledge that it is collecting personal information from children. The Act defines “operator” as follows:
The term “operator” means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce … among the several states … but does not include any nonprofit entity that would otherwise be exempt from coverage under the Federal Trade Commission Act.
This provision demonstrates that COPPA only applies to “commercial” website operators, and not to websites maintained by nonprofit organizations including churches. The FTC has explained the application of COPPA to websites maintained by nonprofit organizations as follows:
The Act expressly states that it applies to commercial websites and not to nonprofits that would otherwise be exempt from coverage under the FTC Act. Thus, in general, most nonprofits are not subject to the Act. However, nonprofits that operate for the profit of their for-profit members may be subject to the Act. See FTC v. California Dental Association 526 U.S. 756 (1999), for additional guidance on when nonprofits are subject to FTC jurisdiction. Although true nonprofits are not subject to COPPA, we encourage them to set an example by posting privacy policies and providing the protections set forth in COPPA to children providing personal information at their sites.
According to this explanation, nonprofit organizations are not subject to COPPA unless they operate for the profit of their “for-profit members.” It refers to the California Dental Association case for further guidance on when nonprofits are subject to FTC jurisdiction (and by implication, to COPPA).
The California Dental Association case. In a 1999 case, the United States Supreme Court ruled that the FTC has jurisdiction, under the Federal Trade Commission Act, over some nonprofit organizations. California Dental Association v. Federal Trade Commission, 119 S.Ct. 1604 (1999). The case involved a question concerning the jurisdiction of the FTC to regulate advertising by the California Dental Association (CDA), a nonprofit professional association. The CDA insisted that the FTC had no jurisdiction over nonprofit organizations. The Court noted that the FTC Act gives the FTC authority over “persons, partnerships, or corporations,” and defines “corporation” to include “any company or association, incorporated or unincorporated … which is organized to carry on business for its own profit or that of its members.” The FTC asserted that the Act gives it jurisdiction over a nonprofit entity if a substantial part of its total activities provides “pecuniary benefits” to its members. The Court agreed. It based its ruling squarely on the substantial efforts of the CDA to increase the profitability of its members. It noted that the CDA “provides advantageous insurance and preferential financing arrangements for its members, and it engages in lobbying, litigation, marketing, and public relations for the benefit of its members’ interests. [Such activities] confer far more than de minimis or merely presumed economic benefits on CDA members; the economic benefits … plainly fall within the object of enhancing its members’ profit which the FTC Act makes the jurisdictional touchstone.” The Court concluded by turning its attention to the FTC’s jurisdiction over other nonprofit organizations: “Nonetheless, we do not, and indeed, on the facts here, could not, decide today whether the FTC has jurisdiction over nonprofit organizations that do not confer profit on for-profit members but do, for example, show annual income surpluses, engage in significant commerce, or compete in relevant markets with for-profit players. We therefore do not foreclose the possibility that various paradigms of profit might fall within the ambit of the FTC Act. Nor do we decide whether a purpose of contributing to profit only in a presumed sense, as by enhancing professional educational efforts, would implicate the FTC’s jurisdiction.”
While there is no doubt that some churches are engaged in “commerce” for purposes of coverage under some federal employment laws, it is clear that most would not be considered “commercial” operators under the FTC Act. In fact, no nonprofit organization has ever been found to be subject to FTC jurisdiction other than membership associations (such as medical societies) that clearly provide significant financial benefit to their for-profit members. This conclusion was affirmed in a telephone conversation that your author had with an FTC attorney in Washington, DC, who stated emphatically that the FTC has jurisdiction over commercial activities, not nonprofit organizations, except for nonprofit trade associations that operate for the financial benefit of their members. The attorney observed, “I cannot imagine why any religious organization would think that it is subject to COPPA.” However, she noted that many “secular nonprofits” consider compliance to be a good practice, even though not required. For example, all federal agencies, and most state agencies, comply with COPPA even though they are clearly exempt because they are not “commercial.”
The FTC attorney also pointed out that in a civil lawsuit brought by a minor who is molested by a pedophile, a charity may be sued for not complying with COPPA. While compliance is not necessary, it is possible that a court would conclude that COPPA establishes a “standard of reasonable care.” So, while most nonprofit organizations (including churches) are not subject to COPPA, there are reasons why they might want to voluntarily comply.
Key point. The FTC itself has observed, “Although true nonprofits are not subject to COPPA, we encourage them to set an example by posting privacy policies and providing the protections set forth in COPPA to children providing personal information at their sites.”
Key point. We have done an extensive review of the websites of dozens of denominations and churches, and have discovered that many are voluntarily complying with the requirements of COPPA.
Key point. What about denominational headquarters that have publishing houses and sell products? Are they “commercial” and therefore subject to COPPA? Or, what about a denominational foundation that assists members in financial and estate planning? Are they not “benefiting” members financially? An FTC attorney in Washington, DC informed your author that it is conceivable that such denominational entities may be “commercial” and therefore subject to COPPA, but “you have to consider the likelihood that the FTC will say that a church is covered. Candidly, this is simply not likely. It’s not going to happen. Who is the FTC going after? Trade associations and similar nonprofits. Section 501(c)(3) charities, including churches, are more strictly regulated by the tax code and cannot engage in commercial activities and remain exempt. So, the FTC assumes that they are not engaged in any commercial activity.”
Should churches voluntarily comply with COPPA?
Most church websites are not subject to COPPA since churches are not “commercial” operators. However, there are compelling reasons why church leaders should seriously consider voluntary compliance. Here are the factors to consider:
(1) COPPA coverage
Churches that want to voluntarily comply with COPPA should first determine if they operate the kind of website that COPPA regulates. As noted above, COPPA only applies to:
(1) operators of commercial websites or online services directed to children under 13 that collect personal information from children, or
(2) commercial operators of general audience websites that have actual knowledge that they are collecting personal information from children.
There is little justification for a church to comply with COPPA if its website does not fit within either of these two categories, since COPPA only applies to them.
On the other hand, it is possible for a church website to fall within one or both of these categories. Most church websites are not directed at children under 13, but some have “secondary pages” that are directed at children (for example, a “children’s ministry” page). To determine whether a website is directed to children, the FTC considers several factors, including the subject matter; visual or audio content; the age of models on the site; language; whether advertising on the website is directed to children; information regarding the age of the actual or intended audience; and whether a site uses animated characters or other child-oriented features.
In addition, some church websites would be considered “general audience websites,” and if the church has actual knowledge that it is collecting personal information from children under age 13, it would be required to comply with COPPA (if it met the “commercial” requirement). To illustrate, a general audience church website may contain “chatrooms” and bulletin boards in which children may make public postings containing personal information about themselves. So long as church leaders have actual knowledge that this is the case, the church website would fall within the second category of website subject to COPPA.
Key point. The FTC has noted, “Children’s use of chat rooms and bulletin boards that are accessible to all online users present the most serious safety risks, because it enables them to communicate freely with strangers. Indeed, an investigation conducted by the FBI and the Justice Department revealed that these services are quickly becoming the most common resources used by predators for identifying and contacting children.”
(2) the FTC perspective
The FTC has stated, “Although true nonprofits are not subject to COPPA, we encourage them to set an example by posting privacy policies and providing the protections set forth in COPPA to children providing personal information at their sites.”
This is an important point. Even if a church website is not subject to COPPA, why would church leaders not want to voluntarily comply with a law whose purpose is to protect children from pedophiles? Many churches have decided to “make a statement” that they are concerned about protecting children from pedophiles by voluntarily complying with the law.
(3) the practice of other nonprofits
Many nonprofit organizations, including the entire federal government, most state governments, and many religious organizations, are voluntarily complying with COPPA. As this trend continues, it will make it increasingly difficult to justify noncompliance with a law that is designed to protect children.
(4) protection of children
As noted above, the purpose of COPPA is to protect children from pedophiles while using the Internet. Even if a church is not technically subject to COPPA’s requirements, why would it not want to voluntarily comply?
Key point. An excellent analogy is the screening of church members who volunteer to work with children. There is no legal requirement that churches screen such persons, but many churches have voluntarily elected to do so. Why? To protect children from pedophiles. The very same reasoning applies to compliance with COPPA. While church websites are not subject to COPPA, voluntary compliance helps to protect children from pedophiles.
(5) reducing the risk of litigation
Another reason for voluntary compliance is to reduce a church’s risk of legal liability in the event that a pedophile solicits and then molests a child by using a church website. An attorney with the FTC national office in Washington, DC made this point to your author in a recent conversation. As more charities voluntarily comply with COPPA, this may establish a “standard of care” that a court would apply to all charities.
(6) some church websites may be “commercial”
COPPA only applies to operators of “commercial” websites. While it will be rare for a local church’s website to meet the current definition of “commercial,” this conclusion is less certain with some denominational agencies. To illustrate, some denominational agencies operate publishing houses and sell products. Are they commercial and therefore subject to COPPA? Or, what about a denominational foundation that assists members in financial and estate planning? Is it not “benefiting” members financially? This comes very close to the California Dental Association definition of a nonprofit organization subject to FTC jurisdiction. This is an added incentive for some denominational agencies to voluntarily comply with COPPA.
Complying with COPPA
“This final step achieves one of the Commission’s top goals—protecting children’s privacy online. The rule meets the mandates of the statute. It puts parents in control over the information collected from their children online, and is flexible enough to accommodate the many business practices and technological changes occurring on the Internet.” FTC Chairman Robert Pitofsky commenting on the FTC “Final Rule.”
Churches that decide to voluntarily comply with COPPA should be familiar with the following key provisions:
(1) privacy notice on website
A website operator must post a clear and prominent link to a notice of its information practices on its home page and at each area where personal information is collected from children. An operator of a general audience site with a separate children’s area must post a link to its notice on the home page of the children’s area.
The link to the privacy notice must be clear and prominent. Operators may want to use a larger font size or a different color type on a contrasting background to make it stand out. A link in small print at the bottom of the page—or a link that is indistinguishable from other links on your site—is not considered clear and prominent.
The notice must be clearly written and understandable; it should not include any unrelated or confusing materials. It must state the following information:
- The name and contact information (address, telephone number and email address) of all operators collecting or maintaining children’s personal information through the website or online service. If more than one operator is collecting information at the site, the site may select and provide contact information for only one operator who will respond to all inquiries from parents about the site’s privacy policies. Still, the names of all the operators must be listed in the notice.
- The kinds of personal information collected from children (for example, name, address, email address, hobbies, etc.) and how the information is collected—directly from the child, or passively through “cookies.”
- How the operator uses the personal information. For example, is it for marketing back to the child? Notifying contest winners? Allowing the child to make the information publicly available through a chat room?
- Whether the operator discloses information collected from children to third parties. If so, the operator also must disclose the kinds of businesses in which the third parties are engaged; the general purposes for which the information is used; and whether the third parties have agreed to maintain the confidentiality and security of the information.
- That the parent has the option to agree to the collection and use of the child’s information without consenting to the disclosure of the information to third parties.
- That the operator may not require a child to disclose more information than is reasonably necessary to participate in an activity as a condition of participation.
- That the parent can review the child’s personal information, ask to have it deleted and refuse to allow any further collection or use of the child’s information. The notice also must state the procedures for the parent to follow.
Tip. Because of variations in individual websites and church practices, it is impossible to draft a “generic” privacy notice that can be used by every church. Churches that would like to voluntarily comply with COPPA should review privacy notices of other websites. A good way to start is to conduct a search for “children’s online privacy protection.” This will result in hundreds of websites that contain a privacy notice that complies with COPPA. By reviewing several notices, church leaders will be able to draft a policy notice that applies to their church.
Tip. To improve compliance, the FTC has launched an educational effort and issued a new publication, “You, Your Privacy Policy and COPPA,” to assist the operators of children’s websites in drafting a COPPA-compliant privacy policy. This guide explains each component of a COPPA-compliant privacy policy, answers questions that website operators have asked, and features a compliance checklist to help site operators improve their privacy policies.
The FTC has noted that “operators are free to combine their privacy policies into one document, as long as the link for the children’s policy takes visitors directly to the point in the document where the operator’s policies with respect to children are discussed, or it is clearly disclosed at the top of the statement that there is a specific section discussing the operator’s information practices with respect to children.” In addition, the FTC has stated that “the link for the privacy policy pertaining to the children’s area must appear on the home page of the children’s area and at each area where personal information is collected from children. Sites may also wish to post it as part of their general privacy policy.”
Is it permissible for the link to a church’s privacy policy to be at the very bottom of its home page? Yes, as long as the link is “clear and prominent” it can be at the bottom of the home page. The FTC final rule requires that the link to the privacy policy “be placed in a clear and prominent place and manner on the home page of the website or online service” and at each area where children provide, or are asked to provide, personal information. In its explanation of this requirement, the FTC noted that “clear and prominent means that the link must stand out and be noticeable to the site’s visitors through use, for example, of a larger font size in a different color on a contrasting background. The FTC does not consider ‘clear and prominent’ a link that is in small print at the bottom of the page, or a link that is indistinguishable from a number of other, adjacent links.”
(2) verifiable parental consent
Before collecting, using or disclosing personal information from a child, a website operator must obtain verifiable parental consent from the child’s parent. This means an operator must make reasonable efforts (taking into consideration available technology) to ensure that before personal information is collected from a child, a parent of the child receives notice of the operator’s information practices and consents to those practices.
Until April 2002, the FTC used a sliding scale approach to parental consent in which the required method of consent varied based on how the operator used the child’s personal information. That is, if the operator used the information for internal purposes, a less rigorous method of consent was required. For example, website operators could obtain parental consent via e-mail as long as additional steps were taken to ensure that the parent was providing consent. Such steps could include sending a confirmatory e-mail to the parent following receipt of consent, or obtaining a postal address or telephone number from the parent and confirming the parent’s consent by letter or telephone call. On the other hand, if the website operator disclosed a child’s personal information to others, the situation presented greater dangers to children, and a more reliable method of consent was required, such as print-and-send via postal mail or facsimile, use of a credit card or toll-free telephone number, digital signature, or e-mail accompanied by a PIN or password.
In 2002 the FTC announced that it was extending the sliding scale mechanism for three years, until April 21, 2005.
Example. A website operator makes a child’s personal information available publicly (through a chat room or message board). The sliding scale requires the operator to use a more reliable method of consent, including any one or more of the following: (1) getting a signed form from the parent via postal mail or facsimile; (2) accepting and verifying a credit card number in connection with a transaction; (3) taking calls from parents, through a toll-free telephone number staffed by trained personnel; (4) email accompanied by digital signature. In the case of a monitored chat room, if all individually identifiable information is stripped from postings before it is made public, and deleted from the operator’s records, an operator does not have to get prior parental consent.
Key point. What if some parents cannot or will not use the consent method a website operator has chosen? For example, some parents cannot provide email consent because they don’t have an email account. Other parents do not have credit cards or do not like to give out credit card numbers on the Internet. The FTC recommends that operators have a readily available backup method of providing consent for those parents who cannot or will not use the primary consent mechanism. One practical backup method to use is the print-and-send form. This method makes it easy for parents without access to email or a credit card to provide consent.
If chatrooms or bulletin boards are bundled together with other online activities, a website operator does not have to offer parents choice regarding the collection of personal information necessary for the chatroom or the bulletin board. But prior parental consent is still required before permitting children to participate in chatrooms or bulletin boards that enable a child to make personal information publicly available. COPPA only requires parental choice as to disclosures to third parties. There are many parents, however, who do not want their children participating in unmonitored chatrooms or bulletin boards because they can raise safety concerns. Those parents may not give consent for their child to provide personal information for participation in other site activities if the activities are bundled together with chat and bulletin boards. Therefore, while not required, sites may wish to offer parents a broader range of choices in order to address their concerns.
(3) exceptions
COPPA contains several exceptions that allow operators to collect a child’s email address without getting the parent’s consent in advance. These exceptions cover many popular online activities for kids, including contests, online newsletters, homework help and electronic postcards.
Prior parental consent is not required when:
- An operator collects a child’s or parent’s email address to provide notice and seek consent.
- An operator collects an email address to respond to a one-time request from a child and then deletes it. For example, no consent is required to respond to a one-time request by a child for “homework help” or other information.
- An operator collects an email address to respond more than once to a specific request, such as a subscription to a newsletter. In this case, the operator must notify the parent that it is communicating regularly with the child and give the parent the opportunity to stop the communication before sending or delivering a second communication to a child.
- An operator collects a child’s name or online contact information to protect the safety of a child who is participating on the site. In this case, the operator must notify the parent and give him or her the opportunity to prevent further use of the information.
- An operator collects a child’s name or online contact information to protect the security or liability of the site or to respond to law enforcement, if necessary, and does not use it for any other purpose.
Example. An organization operates a general audience site and does not ask visitors to reveal their ages. A child visits the site and posts personal information in a chat room but does not reveal his age. COPPA applies to general audience websites if they have actual knowledge that a particular visitor is a child. If such a site knows that a particular visitor is a child, then COPPA must be followed with respect to that child. If a child posts personal information on a general audience site, but doesn’t reveal his or her age and the website operator has no other information that would lead it to know that the visitor is a child, then it would not have “actual knowledge” and would not be subject to COPPA. Collecting a child’s age, however, does provide “actual knowledge.”
Example. A website has a chatroom and a child visits the chatroom and announces that he is 12 years old. The website operator may be considered to have actual knowledge with respect to that child (1) if someone from that organization sees the post in a chatroom; or (2) if someone alerts the operator to the post. At that point, the operator should delete any personal information that has been posted and either ask the child for a parent’s email address for purposes of providing notice and obtaining consent to future postings, or take reasonable steps to block that child from returning to the chat area of the site, whether through screen name blocking, a cookie, or some other means.
Example. A website targets teens. Does COPPA apply? The FTC has responded to this question as follows, “Although the site targets teens, you may still attract a substantial number of children protected by COPPA. The FTC has urged all sites to provide fair information practices for all consumers, so personal information collected from even your older children should be given such protections. At a minimum, however, you should identify which visitors are under 13—for example, simply ask age (or birth year) when you invite visitors to provide personal information or to create their log-in user ID. Most importantly, ask age in such a way as not to invite falsification. You can also use a session cookie to prevent children from back clicking to change their age once they realize that parental consent is required to collect their information for the activity. Once you identify those under 13, you have a number of options. First, you can collect their parent’s email address to provide direct notice and implement the COPPA parental consent requirements; or, if you are only collecting an email address, it may fall within one of the email exceptions to prior parental consent. (Note that several of the email exceptions do require that you provide notice to the parent and an opportunity to opt-out.) Alternatively, if you do not wish to implement the COPPA protections for your younger visitors, then your data system could be configured to automatically delete the personal information of those visitors under 13, and simply direct those children to content that does not involve information collection. It is very important to design your information collection in such a way that children are not encouraged to provide a false age. For example, if the log-in registration only permits the visitor to enter birth years starting with age 13, children may be encouraged to falsify their ages. In addition, telling visitors that children under 13 should not provide their information or that they must ask their parents first, may only encourage children to provide their information. If your site does not invite falsification, however, then it will not be responsible if a child misstates his or her age.”
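The age screen described in the FTC response above, sketched as an added example that is not part of the original article or of any FTC material: it offers birth years for every age, locks the visitor's first answer in a signed session cookie so a back-click cannot change it, and routes under-13 visitors to the parental notice step. The function names, the cookie format, the HMAC signing, the binding to a session ID and the rule of assuming the youngest possible age from a birth year are all assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import date

AGE_THRESHOLD = 13                      # COPPA protects children under 13
UNDER_13, THIRTEEN_PLUS = "u13", "13plus"


def birth_year_choices(today, span=100):
    """Years offered on the form, newest first.

    The list covers every age, so the form does not hint that only
    visitors of 13 and over can proceed.
    """
    return list(range(today.year, today.year - span - 1, -1))


def classify(birth_year, today):
    """Classify from a birth year alone, using the youngest possible age."""
    # A visitor whose birthday has not yet come this year is one year
    # younger than the plain difference, so that case is assumed.
    youngest_possible_age = today.year - birth_year - 1
    return THIRTEEN_PLUS if youngest_possible_age >= AGE_THRESHOLD else UNDER_13


def sign(secret, session_id, decision):
    """MAC over the session ID and decision, so a cookie cannot be reused elsewhere."""
    msg = f"{session_id}|{decision}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_cookie(secret, session_id, decision):
    """Session-cookie value: the decision only (no birth year) plus its MAC."""
    return f"{decision}.{sign(secret, session_id, decision)}"


def read_cookie(secret, session_id, cookie):
    """Return the locked decision, or None if absent, forged or from another session."""
    if not cookie:
        return None
    decision, _, mac = cookie.partition(".")
    if decision not in (UNDER_13, THIRTEEN_PLUS):
        return None
    expected = sign(secret, session_id, decision)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return decision


def screen_visitor(secret, session_id, birth_year, cookie, today):
    """Return (next_step, cookie_value_to_set) for one form submission."""
    if birth_year not in birth_year_choices(today):
        raise ValueError("birth year outside the offered range")
    # First answer wins: a valid cookie from earlier in the session
    # overrides whatever year is submitted now.
    decision = read_cookie(secret, session_id, cookie) or classify(birth_year, today)
    next_step = ("parental_notice_and_consent" if decision == UNDER_13
                 else "collect_information")
    return next_step, make_cookie(secret, session_id, decision)


if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    key, sid, today = b"constructed-demo-key", "session-1", date(2024, 6, 1)
    step, cookie = screen_visitor(key, sid, 2015, None, today)
    print("first answer (2015):", step)
    step, _ = screen_visitor(key, sid, 1990, cookie, today)
    print("back-click, resubmits 1990:", step)
```

The lock lasts only as long as the session cookie does, which matches the session-cookie approach in the quoted guidance; storing the decision rather than the birth year keeps the cookie from holding more about the visitor than the screen needs.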
Example. Can a website operator block children under 13 from its website? The FTC has responded to this question as follows, “Blocking all children under 13 from accessing your site is not in the spirit of COPPA and probably not good business in the long run. Many sites have found creative ways both to provide rich content for children and comply with COPPA: (1) offering activities that do not require personal information; (2) using screen names to personalize activities on the site; (3) using the email exceptions to prior parental consent (see below); and (4) limiting the collection of personal information to only those activities that require it, e.g., collecting the parent’s and child’s email address to ensure safety of the child participating in a chat room.