We are continually being asked by companies if they can run a sweepstakes or contest that includes entrants under the age of 13, and the answer is yes. However, if your sweepstakes or contest includes collecting the personal information from children under the age of 13, you must comply with the Children’s Online Privacy Protection Act (COPPA) https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule. Understanding and interpreting the nuances of COPPA can be quite overwhelming. The FTC has put together a list of frequently asked questions on their website to help guide businesses through the Act. Below are a few of the most pertinent questions and answers to keep in mind when running a promotion directed towards children.
“Who is covered by COPPA?”
“The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children. It also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.”
The FTC requires that if you are going to be collecting personal information from children under 13 that you be sure to disclose what information you will be collecting and how it will be used. They also require that a verifiable parental consent be obtained.
“What is Personal Information?”
“The amended Rule defines personal information to include:
- First and last name;
- A home or other physical address including street name and name of a city or town;
- Online contact information;
- A screen or user name that functions as online contact information;
- A telephone number;
- A social security number;
- A persistent identifier that can be used to recognize a user over time and across different websites or online services;
- A photograph, video, or audio file, where such file contains a child’s image or voice;
- Geolocation information sufficient to identify street name and name of a city or town; or
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.”
“How do I get parental consent?
“You may use any number of methods to obtain verifiable parental consent, as long as the method you choose is reasonably calculated to ensure that the person providing consent is the child’s parent. The Rule sets forth several non-exhaustive options, and you can apply to the FTC for pre-approval of a new consent mechanism, as set out in FAQ H.14 below.
If you are going to disclose children’s personal information to third parties, or allow children to make it publicly available (e.g., through a social networking service, online forums, or personal profiles) then you must use a method that is reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent. Such methods include:
- Providing a consent form to be signed by the parent and returned via U.S. mail, fax, or electronic scan (the “print-and-send” method);
- Requiring the parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
- Having the parent call a toll-free telephone number staffed by trained personnel, or have the parent connect to trained personnel via video-conference; or
- Verifying a parent’s identity by checking a form of government-issued identification against databases of such information, provided that you promptly delete the parent’s identification after completing the verification.
If you are going to use children’s personal information only for internal purposes – that is, you will not be disclosing the information to third parties or making it publicly available – then you can use any of the above methods or you can use the “email plus” method of parental consent. “Email plus” allows you to request (in the direct notice sent to the parent’s online contact address) that the parent indicate consent in a return message. To properly use the email plus method, you must take an additional confirming step after receiving the parent’s message (this is the “plus” factor). The confirming step may be:
- Requesting in your initial message to the parent that the parent include a phone or fax number or mailing address in the reply message, so that you can follow up with a confirming phone call, fax or letter to the parent; or
- After a reasonable time delay, sending another message via the parent’s online contact information to confirm consent. In this confirmatory message, you should include all the original information contained in the direct notice, inform the parent that he or she can revoke the consent, and inform the parent how to do so.”
In most instances, when running any sweepstakes, entrants’ personal information is not disclosed publicly, so the “Email plus” method is very effective and less time consuming for the child entrant and the sweepstakes administrator. Another way around this is to have the parents enter on behalf of their child and award the prize to the parent. This way you know you are getting parental consent without having to do the extra step.
“I want to have a contest on my child-directed website. Can I use the Rule’s “one-time contact” exception to prior parental consent?”
“Yes, if you properly design your contest. You may use the “one-time contact” exception if you collect children’s online contact information, and only this information, to enter them in the contest, and then only contact such children once when the contest ends to notify them if they have won or lost. At that point, you must delete the online contact information you have collected.
If, however, you expect to contact the children more than one time, you must use the “multiple-contact” exception, for which you must also collect a parent’s online contact information and provide parents with direct notice of your information practices and an opportunity to opt out. In either case, the Rule prohibits you from using the children’s online contact information for any other purpose, and requires you to ensure the security of the information, which is particularly important if the contest runs for any length of time.
If you wish to collect any information from children online beyond online contact information in connection with contest entries – such as collecting a winner’s home address to mail a prize – you must first provide parents with direct notice and obtain verifiable parental consent, as you would for other types of personal information collection beyond online contact information. If you do need to obtain a mailing address and wish to stay within the one-time exception, you may ask the child to provide his parent’s online contact information and use that identifier to notify the parent if the child wins the contest. In your prize notification message to the parent, you may ask the parent to provide a home mailing address to ship the prize, or invite the parent to call a telephone number to provide the mailing information.”
And even with screening measures in place, you may run across the following issue:
“Am I responsible if children lie about their age during the registration process on my general audience website?”
“The Rule does not require operators of general audience sites to investigate the ages of visitors to their sites or services. See 1999 Statement of Basis and Purpose, 64 Fed. Reg. 59888, 59892. However, operators will be held to have acquired actual knowledge of having collected personal information from a child where, for example, they later learn of a child’s age or grade from a concerned parent who has learned that his child is participating on the site or service.”
“What are the penalties for violating the Rule?”
“A court can hold operators who violate the Rule liable for civil penalties of up to $16,000 per violation. The amount of civil penalties a court assesses may turn on a number of factors, including the egregiousness of the violations, whether the operator has previously violated the Rule, the number of children involved, the amount and type of personal information collected, how the information was used, whether it was shared with third parties, and the size of the company. Information about the FTC’s COPPA enforcement actions, including the amounts of civil penalties obtained, can be found by clicking on the Case Highlights link in the FTC’s Business Center.”
Reading through and understanding COPPA can be a daunting task for those not as familiar with the Act. With the possibilities of steep penalties for violating COPPA, it is advisable that you consult the experts to advise you if you choose to run a sweepstakes or contest aimed at children. Furthermore, Sync Marketing’s legal team are experts in the field and can guide you through your promotion to ensure compliance with COPPA. Here are some of the services we provide and don’t forget to contact Sync today for your next promotion.
Running a Promotion Directed Towards Children