Children's Online Privacy Protection Act (COPPA) Flashcards
What is the purpose of COPPA?
COPPA was enacted to prohibit unfair and deceptive acts or practices in connection with the collection, use, or disclosure of personal information from children under the age of 13 in an online environment.
Generally, the Act requires operators of Web sites or online services directed to children, or that have actual knowledge that they are collecting or maintaining personal information from children online, to provide certain notices and obtain parental consent to collect, use, or disclose information about children.
When should examiners review for COPPA?
Only when a bank is operating a Web site or online service directed to children that collects or maintains personal information about children.
If a bank does operate a COPPA-subject website, what is the first thing an examiner should determine?
Whether the bank participated in an FTC-approved, self-regulatory program. If it does, no further examination is necessary.
If a bank operates a COPPA-subject website and is not part of an FTC-approved program, what CMS elements should examiners consider when reviewing for this area? (6)
Assess the quality of the institution's compliance risk management by determining whether procedures and controls ensure compliance with COPPA. Consider the following, as they pertain to COPPA:
a. Knowledge level of management and staff;
b. Board of Directors adoption, and management implementation, of policies and procedures;
c. Adequacy of the institution’s training program;
d. Frequency of compliance monitoring;
e. Effectiveness of the compliance audit program to detect and correct compliance deficiencies; and
f. Appropriate and timely handling of consumer complaints.
If a bank operates a COPPA-subject website, what is the operator of the website required to do for compliance? (5)
Generally, under this part, an operator must:
(a) Provide notice on the Web site or online service of what information it collects from children, how it uses such information, and its disclosure practices for such information (§ 312.4(b));
(b) Obtain verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children (§ 312.5);
(c) Provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance (§ 312.6);
(d) Not condition a child’s participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity (§ 312.7); and
(e) Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children (§ 312.8).