Consumer Compliance Examination Manual

VIII-2 Children’s Online Privacy Protection Act (COPPA)

Chapter Last Updated: January 2014

Introduction

COPPA was enacted to prohibit unfair and deceptive acts or practices in connection with the collection, use, or disclosure of personal information from children under the age of 13 in an online environment. Generally, the Act requires operators of Web sites or online services directed to children, or that have actual knowledge that they are collecting or maintaining personal information from children online, to provide certain notices and obtain parental consent to collect, use, or disclose information about children. The FDIC is granted enforcement authority under the Act. Federal Trade Commission regulations (16 CFR 312) that implement COPPA became effective April 21, 2000.

Examiners should consider conducting a compliance review using these procedures only when an institution is operating a Web site or online service directed to children that collects or maintains personal information about children, or operating a general audience Web site or online service and knowingly collecting or maintaining personal information from a child online.

Examination Objectives

  1. To determine that reliance can be placed on a financial institution’s compliance management policies, internal controls, and procedures for ensuring the institution’s compliance with the COPPA regulation.
  2. To require effective corrective actions when violations of law are identified, or when policies or internal controls are deficient.

Examination Procedures

  1. Determine whether the institution operates a Web site or online service directed to children that collects or maintains personal information about them, or operates a general audience Web site or online service and knowingly collects or maintains personal information from a child online.
  2. If the financial institution does not operate a Web site or online service directed to children that collects or maintains personal information about them, and does not knowingly collect or maintain personal information from a child online, it is not subject to COPPA. No further examination is necessary.
  3. If the financial institution does operate a Web site or online service directed to children that collects or maintains personal information about them, or knowingly collects or maintains personal information from a child online, it is subject to COPPA. Continue with step 4 below.
  4. Determine whether the institution participates in an FTC-approved, self-regulatory program. If it does, no further examination is necessary. If it does not participate in such a program, continue with the procedures below.
  5. Assess the quality of the institution’s compliance risk management by determining whether procedures and controls ensure compliance with COPPA. Consider the following, as they pertain to COPPA:
    1. Knowledge level of management and staff;
    2. Board of Directors adoption, and management implementation, of policies and procedures;
    3. Adequacy of the institution’s training program;
    4. Frequency of compliance monitoring;
    5. Effectiveness of the compliance audit program to detect and correct compliance deficiencies; and
    6. Appropriate and timely handling of consumer complaints.
  6. Identify any weaknesses in compliance management policies, procedures, or controls, and the areas and level of risk associated with the institution’s Web site or online service subject to COPPA.
  7. Formulate conclusions.
    1. Summarize all findings, and describe the general assessment of the quality of the institution’s compliance management program for implementing COPPA.
    2. Discuss findings with management and obtain a commitment for corrective action, as necessary.

References

Statute: Children’s Online Privacy Protection Act

Regulation: Children’s Online Privacy Protection Rule

Last Updated: January 1, 2014