Not in compliance with COPPA (federal law) (47 posts)

  1. davidchait
    Posted 11 years ago #

    As many people have pointed out, this isn't just a U.S. issue. However, it is a big enough issue overall that providing some basic level of core support to it should be considered in a next round (maybe as a hack/plugin in the interim). But it got me wondering: what do OTHER blog programs do for this same issue? I've seen the over-13 side of many a phpBB forum registration, but never the other side. Does it ask for a parental email address and wait to unlock the account until the parental-response allows it?

    I disagree with how Podz last responded to this topic ("If this gets into the core, I'll dump WP"), and think Lorelle's questions back did a good job trying to get more information out of the poster. I'll assume for the moment Podz was trying to say: the person hosting the site ("the website operator"), and not the maker of the software, is responsible for the data collection and how it applies to local laws. WP could >help<, but is in no way responsible. You can modify the software all you want to make it as compliant as you need for your site.

    Certainly, WP could try to make an easier jumping-off point for better compliance for those who want to or need to be in compliance with COPPA or other localities' laws and regulations.

    At the least:

    - the registration page should have a checkbox/radio for stating over/under 13, and a redirect-page for handling under-13 processing... Which for the moment should be left up to the site developer to decide whether to say "You can't sign up" or "A parent must sign up for you" or whatever. Then again, having a few 'solutions' ready to drop in wouldn't be hard.

    - maybe we could work up a 'universal privacy policy' page for WP blogs, that at least outlines what WP core requests and stores. It'd have to be modified on a site by site basis in lots of cases, but better to start from something than nothing.

    - I'm not sure what can be done about Comments. Name & Email are used to firmly verify a person and not a bot. A disclaimer is one quick way to try and get around this.

    - Someone with better knowledge could say whether IP address tracking is an issue in the slightest. Without personally-identifiable data, like Name, Address, Phone, an IP address really isn't personally-identifying.

    Disclaimer: I'm not a lawyer, and wouldn't ever think of anything I say as being legal advice. If you need legal advice, PAY A LAWYER. ;)


  2. vkaryl
    Posted 11 years ago #

    The back side on phpBB fora is handled through the config page: a place to enter a fax number for faxed parental approvals, at which point the under-13 is emailed hisser password. It's a nightmare of filing, record-keeping, etc. which is why many people (myself included) simply state "no one under x-age allowed to register or participate". My sites default to age 18 - legal voting age, if not drinking age, in the US - and the age of majority in most states.

    As I said earlier, a friend in this state's DA's office informed me that if a minor lied about hisser age to gain access and hisser parents later caused a fuss, I was covered by the disclaimers. I'm not an attorney either, and a nebulous "oh it's okay if...." from a friend of mine as regards the state in which I live isn't enough for others to go on of course.

    Talk to your attorney if you may be in a position of liability after you study the Act in question.

  3. Jinsan
    Posted 11 years ago #

    Lorelle, I think it's been mentioned, even by Ryan, that this is a plugin issue - it can be done, but the scope and work it will take to do this job is rather large, considering each state. If it's a US thing, then get a US citizen to do the job. I agree with Podz's comment in this regard, we don't need to localise the tool for an American audience, that can be done through plugins.

    What's being asked is no small mean feat, you can get a few US WP users together, do some research on this with the OP and put something together, but something like this should NEVER be in the core. To do so would be WP taking responsibility for the content that users decide to use. Not WP's job.

    WP is for everyone, not one state.

  4. tomhanna
    Posted 11 years ago #

    RE: the technical issue. It's a nonissue. Neither IP addresses nor cookies are COPPA issues. From the webpage in the original post this is the information that is of concern -

    The Children's Online Privacy Protection Act and Rule apply to individually identifiable information about a child that is collected online, such as full name, home address, email address, telephone number or any other information that would allow someone to identify or contact the child.

    Aside from that, since tmaster didn't provide a link, I'm not sure what his particular issue is, but for most of us before we worry about WordPress, it might be more useful to ask why we need any personal information from a child under 13. I'd say that if tmaster's site is generating negative user comment, he's doing more than collecting IP addresses in his server logs or serving cookies and he's probably doing more than just having the standard comment form require an email address.

  5. RustIndy
    Posted 11 years ago #

    In the case of COPPA compliance, requiring an email address for the comment form is enough of a reason to either have the form available or completely disallow people under 13 (or 16, or 18, or 21, or whatever) from commenting.

    And yes, simply adding the line "Persons under the age of XX are not allowed to leave comments on this page" is enough - it's called "reasonable effort" and is usually enough to get your ass out of the sling if needed.

    No, WP should not be core-localized to any specific location, but for things like COPPA, there should be a mechanism (either a core routine you can enable/disable, or an *included* plugin) to provide the necessary stuff. If this will be a plugin solution, the plugin(s) should be included with WP so people don't need to put extra effort into their compliance.

    Just my $0.02, IANAL, and YMMV.

  6. Mark (podz)
    Support Maven
    Posted 11 years ago #

    I say that what we do is we go copy what Blogger, MT, Serendipity, Pivot, Expression Engine and all the other blogging softwares have done.
    Oh ... they haven't ? Okaaaayy...

    And what I originally meant was that if this sort of junk was put into the core, then for me - a NON-US citizen of planet Earth - it would be bloat bloat bloat.

    Let's say it DID get into the core - can Matt afford the legal actions against WP that some damn fool would try ? Can he hell.

    This is plugin stuff - a single hook is fine. More code than that would be bloat.

  7. Jinsan
    Posted 11 years ago #

    That's pretty much why I don't think it should even be included in the overall package - extra KB for non-US users. A plugin of this sensitivity and specific requirement should be outside the, dare say it, "loop" of the normal package and made available from the repository.

    The legal ramifications that this would imply upon WP if it were included as the package (not even as a core) would be almost equally, if not more so, sensitive if it was included as the core. It's a green flag to say WP takes responsibility for user. Let's not go down this road.

    "requiring an email address for the comment form is enough of a reason to either have the form available or completely disallow people under 13"

    Are you positive about this? This law is more barmy than I first thought.

  8. RustIndy
    Posted 11 years ago #

    The COPPA requirement lists an email address as personally identifying information, so if that email address belongs to someone under 13 (in the US, this would be), they (and it) fall under COPPA's jurisdiction (so to speak).

    If you want to bypass COPPA, then just put that little 1 line disclaimer on the comment form.

    On the other topic here, what legal ramifications if it's included with WP? If some asshat uses WP to spread his jewish-conspiracy/nazi-propaganda/pick-your-racism message, is Matt going to be sued for providing him the tools? If your car breaks down and causes you an injury, do you sue the company that made the wrench that the robot used to tighten the bolt that came loose? No, you sue the asshat. Or you sue the vehicle company. I don't see how Matt could be held responsible for anything that anyone does with WP. Your logic (including COPPA would infer acceptance of responsibility by the tool-maker) could also mean that including a disclaimer of any kind opens the tool-maker to legal problems relating to everything they're disclaiming responsibility for.

    In other words, it's a moot point. Content is ALWAYS (well, nearly) the responsibility of the content owner/writer, and WP (and Matt, by extension) cannot be held responsible for that unless he explicitly states that he will accept that responsibility. Including a COPPA agreement (or whatever) does not infer that acceptance.

    So I stand (slightly modified to remove potential core bloat). WP *should* include any forms necessary to legally qualify for "reasonable effort" in the content owner's legal region. This should be in a plugin form (a single plugin, say, with the different forms in 1 or more text files or database records), and allow the content owner to select exactly which (if any) of the forms need to be displayed.

    WP is a tool, and every tool more complex than a hammer comes with safety instructions for the user's protection. Why not WP? Like any other tool, include the standard disclaimer ("WP and its developers are not responsible for anything that happens because of your WP site" or some such) and provide safety instructions (in this case, privacy/child-protection guidance - not legal advice, though).

  9. Mark (podz)
    Support Maven
    Posted 11 years ago #

    As I said then, let's copy what all the other blog engines are using - including Blogger. After all, Google would be ever so careful about privacy issues wouldn't it ;)

  10. Mark (podz)
    Support Maven
    Posted 11 years ago #

    For UK users, I just happened across the Dept Of Health's Privacy Policy:

  11. Michael Bishop

    Posted 11 years ago #

    I'd like to echo that this is a non issue for MOST of those using WP. From the first few lines of the link provided:

    Who Must Comply

    If you operate a commercial Web site or an online service directed to children under 13 that collects personal information from children or if you operate a general audience Web site and have actual knowledge that you are collecting personal information from children, you must comply with the Children's Online Privacy Protection Act.

    So my cooking site and my personal/politico blogs are neither directed at children, nor would I know the age of someone who comments at my site. I suppose if a commenter says, "I'm 12 and...", then I would be obligated to delete the info, otherwise, I don't care to know anyone's age.
    Now if you are running a blog about PSP or something that a 12-year-old would use, then yes, this law would be something to be concerned with, and you should have been familiar with the law BEFORE starting the site, and choosing an interface that helped you stay in accordance of the law.

  12. onlinecasinoselite.org
    Posted 11 years ago #

    Just to mention it: in Germany - and next time most of EU - you have to make sure that someone really owns an email address before you save it.
    So if you want to stay in accordance with German laws, you have to send out verification mails at registration and also for notification-plugins.

  13. DianeV
    Posted 11 years ago #

    Yep, there are different laws for different locations, which is why I thought it would be too much to try to build a solution into WP, let alone one that people in different locations could depend upon as an absolute solution.

  14. Lorelle
    Posted 11 years ago #

    Okay, without the philosophizing:

    1. There is no way in the "out of the box" WordPress installation to uncheck a box that says "do not save IP and email addresses in comments".

    2. There is no feature, out of the box, that WordPress has that lets anyone comment without submitting their email address. Like "not requiring people to register when commenting" meaning they can post freely without registering and they don't have to put in an email or website address and the comment will still go through.

    3. There currently is no plugin or PHP code available for WordPress that will:
    ---> A. Stop IP and email addresses from being saved.
    ---> B. Pop up a window that says "Click this to verify your claim that you are over 18 before your comment will be submitted to our site."
    ---> C. A window view returned upon clicking submit or the second "Are you sure you are over 18" that restates "By submitting a comment here, you are agreeing to the fact that you are over 18." Similar to "your comment will now be held for moderation".

    Now, I have another idea. If a site is using some authimage security thing on comments, could they add text that says, "By entering the above code to verify you aren't a spammer or bot, you are also agreeing to hold this site harmless from your petty crap and stating that you are over 18"?

  15. kickass
    Posted 11 years ago #

    It seems to me this can be handled by explicit instructions in the Codex on how anyone who has a site aimed at children could "build in" the screening needed if their site is aimed at kids. That way it wouldn't be in the "core" and yet would allow site owners to add whatever kid-friendly functionality they need to add, maybe in the form of one simple file with a php call for it on the comment post page or as a plugin.

    Podz's point is taken that we don't need to be US-centric, and this doesn't need to be part of the core package, however, in the interest of adding this functionality for those who desperately need it due to their local laws (and couldn't it be altered to fit ANY set of local laws???) it should be made available as an OPTION for those who need it.

    Just a reminder of what the original poster, tmaster, asked for:
    "We need a special minor subscription level built in the software that way minors can make post but we will not have any personal info on them.."

    Unfortunately I'm not geek enough to build this. I'm sure one of you very talented plugin developers or core developers can come up with something . . .

  16. Lorelle
    Posted 11 years ago #

    Okay, someone finally reminded me that there is a built in way to do this, and I hope the original poster has not been run off by all of the rest of the non-technical help.

    ***********HELP IS HERE ************

    In the ADMIN > OPTIONS > DISCUSSION there is a checkbox next to:

    ___ Comment author must fill out name and e-mail

    If that is not checked, anyone can post and the email does not have to be included.

    You can then go into the comment form template file and remove the call for the email address or add a note that this is optional, along with the proper other warnings.

    The IP of the commenter is saved because, I've been told, your site statistics already record every visitor's IP and that information is not posted on your site for public use. It's just a part of how it all works, so it doesn't matter, as long as you do not use it publicly.

    If you would like to run chats that clearly include children, there are a number of PHP ones that could easily run off a static or WordPress Page that have built in features to accommodate the COPPA act. Here is one that works and if you search for "PHP scripts comments children COPPA" you should find plenty more. Integrating these into WordPress is a different issue and there are plenty of discussions about this on this forum.

    To the original poster of this question. I would like to apologize for the rest of the forum's "jump" onto your question and not understanding that you needed help with this and not analysis of whether or not compliance with a federal law was a good thing or not. Whether they know it or not, compliance with web standards and international laws is the responsibility of a website owner, no matter what software they are using. Still, that is not the purpose of this forum.

    What is the purpose of this forum is: help. Unfortunately, the beginning of your post didn't hold a disclaimer that this was a request for help and not an accusation. We are all at fault, but I hope this helps answer your question.

  17. xushi
    Posted 11 years ago #

    Hi all, I've been using bblog for a while, and am currently switching to try out WordPress. I must say, I'm very impressed with your work, and wish you luck in continuing it.

    Regarding this matter, my 2 cents would be not to stick any of this in the core of WordPress. Not all the world is in USA and Europe, nor follows US/EU laws. I like this blog for its simplicity in both design and use. The last thing I want is for silly *US* or *EU* laws to control it, adding these pointless email requests, and offensive discriminating "don't use this program if you're from this country or that country" laws.

    The internet is all about freedom. I don't live in the US, nor do I ever plan on going there again.. So why should I along with 5.7 billion other people suffer under US laws on a program that's supposed to be international and free.

    If anything, put these checks as plugins, and let the user who's setting up WordPress on his server to enable them. It's his responsibility, not yours. But don't lock the code to a specific country... Or just simply say "this is a free program, if you're in USA then you're not allowed to use it" :p like encryption in the early days ;) OR just put a disclaimer "warning, do not download this", then you're off the hook for sure :p

    Anyway, I don't want my first post to cause bad blood between anyone, so I'll stop here.. this is all talk, and I hope to contribute to the project if it seems worth the upgrade (so far, so good).

This topic has been closed to new replies.