6

(This is a follow-up question from How to make sure my website complies with things like COPPA?)

COPPA stands for Children's Online Privacy Protection Rule.

In their FAQ they say "yes, you can block children under 13 from visiting your website if you choose to" (assuming the website is not directed to children - and for the sake of this question, indeed it is not). Great! But later on they say that I should ask their age in a certain manner that confuses me.

Quoting FTC's COPPA FAQ:

G. GENERAL AUDIENCE, TEEN, AND MIXED-AUDIENCE SITES OR SERVICES

3. Can I block children under 13 from my general audience website or online service?

Yes. COPPA does not require you to permit children under age 13 to participate in your general audience website or online service, and you may block children from participating if you so choose. By contrast, you may not block children from participating in a website or online service that is directed to children as defined by the Rule. See FAQ D.2 above.

If you choose to block children under 13 on your general audience site or service, you should take care to design your age screen in a manner that does not encourage children to falsify their ages to gain access to your site or service. Ask age information in a neutral manner at the point at which you invite visitors to provide personal information or to create a user ID.

In designing a neutral age-screening mechanism, you should consider:

  • Making sure the data entry point allows users to enter their age accurately. An example of a neutral age-screen would be a system that allows a user freely to enter month, day, and year of birth. A site that includes a drop-down menu that only permits users to enter birth years making them 13 or older, would not be considered a neutral age-screening mechanism since children cannot enter their correct ages on that site.

  • Avoiding encouraging children to falsify their age information, for example, by stating that visitors under 13 cannot participate or should ask their parents before participating. In addition, simply including a check box stating, “I am over 12 years old” would not be considered a neutral age-screening mechanism.

In addition, consistent with long standing Commission advice, FTC staff recommends using a cookie to prevent children from back-buttoning to enter a different age. Note that if you ask participants to enter age information, and then you fail either to screen out children under age 13 or to obtain their parents’ consent to collecting these children’s personal information, you may be liable for violating COPPA. See, e.g., the FTC’s COPPA cases against Path, Inc., Playdom, Inc. and Sony BMG Music Entertainment.

This is looking weird to me. So I can block children under 13, but I can't tell them that?

Please re-read this part:

In addition, consistent with long standing Commission advice, FTC staff recommends using a cookie to prevent children from back-buttoning to enter a different age. Note that if you ask participants to enter age information, and then you fail either to screen out children under age 13 or to obtain their parents’ consent to collecting these children’s personal information, you may be liable for violating COPPA.

Their suggestion about using a cookie can be easily bypassed. For example: if a child tries to register and gets blocked for being too young, the child can use another computer and then claim to be older (this was just an example, there are thousands of ways to bypass that).

Then what is the correct way to block children under 13 to access my website and still comply with COPPA?

Note: I have read this question, and I think its answer might be incomplete, considering my question here.

Improve this question

2 Answers 2

Reset to default
5

So I can block children under 13, but I can't tell them that?

You can tell them after they fail, you cannot tell them on the asking screen.

Then what is the correct way to block children under 13 to access my website and still comply with COPPA?

I agree with you that it is odd that they recommend using a cookie but they do!* So you have a entry page with a simple question, "Please indicate your age" and then block based on the response. That's it.

Note that the rule is neutral. This means that you do not need to disguise your purpose or try to trick people into entering their correct age.

*I think that what is happening here is that any parent who wants to complain to their legislator can be met with the response, "If your kid is so sneaky that they are using different computers to lie about their age what do you want us to do about it?" The fact is, this scheme keeps innocent kids from seeing stuff they shouldn't; the sneaky ones are going to find a way.

Improve this answer
4
  • 1
    Thank you very much!! But - (question 1) I was thinking that the last paragraph I quoted implies that I have to block not only the innocent kid, but that sneaky kid as well, and that's what bothers me (because that's impossible). Also - (question 2) that response to the sneaky kid's parent, even though perfectly reasonable, is "legally valid"? I was worried that common-sense arguments like that, although reasonable, might not be accepted in court or something.
    – Pedro A
    Commented Sep 1, 2015 at 21:38
  • I understand how you are reading that and your reading makes sense. However I read it to say that if you ask for age information you must block anyone who enters an age under 13, not that you must block anyone under 13 regardless of the age. It's a way of saying that asking is not enough, you need to act on the information. It's not saying you are strictly liable for any kid that gets through. I have not researched this. It is not advice. I stress this because your version is certainly plausible!
    – jqning
    Commented Sep 1, 2015 at 22:04
  • Thanks. I think you are probably right, because otherwise they would be asking for something impossible, and all websites would be liable. But still, it is worth some more research (I am aware answers on this site should never be taken as legal advice, don't worry). If you don't mind, I'll wait some more to see if someone else comes with a researched answer. Your help was nevertheless VERY useful and thank you very much (I mean it). One last thing, do you know how can I research this myself other than asking/hiring a lawyer?
    – Pedro A
    Commented Sep 1, 2015 at 23:22
  • @Hamsteriffic - The way to research this is to look for prosecutions under COPPA. The wikipedia page has links to some violations (it does not include Yelp). Understanding past prosecution should inform your understanding of your own exposure.
    – jqning
    Commented Sep 2, 2015 at 17:27
3

Although the implication is that you have to block all children under 13, in reality you are likely to be able to fairly easily defend yourself if you have undertaken "Reasonable" actions to comply with the law. And, in fact, you are hugely unlikely to find yourself even needing to defend yourself

Make all reasonable attempts to block 13 year olds, sure, but there's very little you can do if someone lies or deliberately works around your techniques. There is no sure-fire way to guarantee you can block under-13s: you can't track their movements if they do something like travel to a friends house, and even requiring credit card information isn't foolproof (what 13 year old do you know of that can't get hold of their parents credit card if they really wanted to?).

You are looking at sensible techniques to block a normal user, not to catch the one who can bypass your security.

What are your peers doing? What are larger websites than yours doing in the same circumstance? If you are doing at least as much, you're probably in the clear.

You could decide whether you wish to increase the security beyond the minimum level suggested by COPPA, for example applying IP bans, but they aren't foolproof either... in truth, there's no way to truly ban someone from a website.

Note: I am not a lawyer, nor do I play one on TV. You should probably consult one, if in any doubt..

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .