Websites that Collect PII from Children

West Virginia Executive Branch
Privacy Policy: Notice, Consent

Websites that Collect PII from Children

Question:

I worry that my nieces and nephews will be asked to provide PII while playing games on the internet. Are there laws that protect children from being targeted by unsavory website operators?

Answer:

The West Virginia Privacy Policies require Executive Branch Agencies to comply with the requirements of the Children’s Online Privacy Protection Act (COPPA). COPPA is a Federal law that protects children by requiring commercial website operators to obtain verifiable parental consent before they collect personally identifiable information (PII) from children under 13.

If a website is directed at children under 13 (or, if the website operator has knowledge that children are providing PII), the operator must:

• Provide notice on the website regarding the PII it collects from children, how it uses the PII, and its disclosure practices with respect to the PII;

• Obtain verifiable parental consent for the collection, use or disclosure of PII from children; 

• Provide a reasonable means for parents to access the PII collected from their children and prohibitits further use or storage;

• Not condition a child’s participation in a game, the offering of a prize, or any other activity on the child disclosing more PII than is reasonably necessary to participate in such activity; and,

• Establish and maintain reasonable procedures to protect the confidentiality, security and integrity of PII collected from children.

“Verifiable parental consent” means a reasonable effort has been made to ensure that a parent receives notice of the PII collection, use and disclosure practices, and authorizes these practices before PII is collected from the child. Consent may be obtained online or offline.

COPPA does provide a “safe harbor” for limited collection of PII from children for a one-time use (e.g., to respond to children’s requests for information). Website operators can collect a child’s e-mail address and first name only, and use the information solely for the purpose of responding to a question from a child on a one-time basis. The operator must delete the e-mail address immediately after responding.

This limited exception allows entities to respond to a specific request from the child. The PII cannot be stored or otherwise used to re-contact the child. In this case, the operator must include information about the collection and use of PII in its privacy notice, but it is not required to obtain verifiable parental consent.

Note: Your agency/bureau/department/division may have specific requirements – always check your policies and procedures. If you have questions, contact your Privacy Officer.