In the United States, it’s nearly Summer. And, you know what that means: Vacation Bible School!
If your small church is like many others, you’ll likely want to share memories of the experience by capturing photos and video during the event, and publishing them to your website.
But, are you violating child privacy laws by publishing that content on your site?
That was the subject of a question posted on the Church Law & Tax website:
We recently posted our VBS SoccerCamp video (showing kids and parents) to YouTube and linked to it via our monthly newsletter (which goes out electronically). Are we in violation of COPPA laws? Should we have asked permission from each participant before posting the video? Also, our Sunday school teachers and nursery workers like to take photos of the kids and post them on church bulletin boards and create collages for the children with their pictures. Is this okay?
In response, the article cited the Children’s Online Privacy Protection Act of 1998 (“COPPA”).
Since you need a paid subscription to read the full article (and, I’m not a paid subscriber), I don’t know where the response ended.
And, unless the church planned to collect information on it’s website from children under 13, I was left wondering how or even if, COPPA applied.
Nonetheless, as a responsible Web worker, it seemed prudent to at least consider how—or even if—posting content like photos and video of children on our church websites somehow infringes on child privacy.
What is COPPA and who is covered by the rule?
Issued and enforced by the Federal Trade Commission, the primary goal of the Act is to place parents in control over what information is collected from their young children online.
COPPA was designed to protect children under age 13.
The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children. It also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. — Source: A Guide For Business and Parents and Small Entity Compliance Guide, FTC
[lightbox title=”Protecting Children’s Privacy Under COPPA” type=”iframe” href=”http://bcove.me/aj4nxv2e” width=”480″ height=”270″]Watch this short video[/lightbox] that outlines five key changes to COPPA that took effect on July 1, 2013.
In my efforts to determine the affect of the Rule on my own church’s website content, I reviewed a compliance guide published by the Federal Trade Commission entitled, A Guide For Business and Parents, and Small Entity Compliance Guide.
The guide is actually a list of frequently asked questions about COPPA. I’ve added excerpts below that I found particularly helpful.
Disclaimer: I am not a lawyer and do not play one on T.V. Therefore, this article is not meant to be construed as legal advice.
I strongly encourage you to become familiar with COPPA by reading the FTC’s Compliance Guide yourself, and directing questions either to the FTC or to your church’s legal counsel.
Questions about COPPA
What is Personal Information?
The amended Rule defines personal information to include:
- First and last name;
- A home or other physical address including street name and name of a city or town;
- Online contact information;
- A screen or user name that functions as online contact information;
- A telephone number;
- A social security number;
- A persistent identifier that can be used to recognize a user over time and across different websites or online services;
- A photograph, video, or audio file, where such file contains a child’s image or voice;
- Geolocation information sufficient to identify street name and name of a city or town; or
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.
Does COPPA apply to information about children collected online from parents or other adults?
No. COPPA only applies to personal information collected online from children, including personal information about themselves, their parents, friends, or other persons. However, the Commission’s 1999 Statement of Basis and Purpose notes that the Commission expects that operators will keep confidential any information obtained from parents in the course of obtaining parental consent or providing for parental access pursuant to COPPA. See 64 Fed. Reg. 59888, 59902 n.213.
Are websites and online services operated by nonprofit organizations subject to the Rule?
COPPA expressly states that the law applies to commercial websites and online services and not to nonprofit entities that otherwise would be exempt from coverage under Section 5 of the FTC Act. In general, because many types of nonprofit entities are not subject to Section 5 of the FTC Act, these entities are not subject to the Rule. However, nonprofit entities that operate for the profit of their commercial members may be subject to the Rule. See FTC v. California Dental Association, 526 U.S. 756 (1999). Although nonprofit entities generally are not subject to COPPA, the FTC encourages such entities to post privacy policies online and to provide COPPA’s protections to their child visitors.
So, if a church isn’t collecting personal information on its website from children under 13, and given the nonprofit exemption, does this mean that a church should ignore COPPA?
Richard Chopa, aka “the COPPA Attorney”, says, “No.”
Is there a non-profit exemption when it comes to COPPA? Yes, but a technical review of the non-profit is required to determine if a “for the profit of members” characteristic exists that will trigger a duty to comply. Even if none exists, business management teams must take into consideration the potential backlash from foregoing voluntary compliance.
While being a nonprofit may mean that our church is technically exempt from COPPA compliance, as believers, we are bound by love and ethics to safeguard child privacy and ensure the welfare of the children who visit our websites.
What can I do to protect child privacy on our website?
Helping your website visitors understand how your church collects, shares, and uses personal information is the responsibility of every website owner. So, posting online privacy policies is an important step.
While the original Rule required operators to provide extensive categories of information in their online privacy notices, the amended Rule now takes a shorter, more streamlined approach to cover the information collection and use practices most critical to parents. Under the amended Rule, the online notice must state the following three categories of information:
- The name, address, telephone number, and email address of all operators collecting or maintaining personal information through the site or service (or, after listing all such operators, provide the contact information for one that will handle all inquiries from parents);
- A description of what information the operator collects from children, including whether the operator enables children to make their personal information publicly available, how the operator uses such information, and the operator’s disclosure practices for such information; and
- That the parent can review or have deleted the child’s personal information and refuse to permit its further collection or use, and state the procedures for doing so. See 16 C.F.R. § 312.4(d) (“notice on the Web site or online service”).
By streamlining the Rule’s online notice requirements, the Commission hopes to encourage operators to provide clear, concise descriptions of their information practices, which may have the added benefit of being easier to read on smaller screens (e.g., those on smartphones or other Internet-enabled mobile devices).
Examples of COPPA language in church website privacy policies
You could spend a few hundred dollars hiring an attorney to draft privacy and terms of service policies for your church’s website. But, I can save you that.
If your small church website is running on WordPress, get ready to do your happy dance!
The one I fell in love with is not only absolutely FREE, but one-half of the development team is a lawyer-turned-plugin developer.
I’m using the Legull plugin for WordPress to create these important pages for my church’s website.
This plugin is super-easy to use. Just answer a few questions about your website and, in minutes, you’ll have comprehensive website policies that explain to your visitors what information you collect, how you use it, and who has access to it.
The policies are fully editable, so you’ll have no problem adding in your unique language for COPPA compliance.
(And, it should be unique. Please, don’t simply copy and paste another church’s policy language. At best, the language may not be accurate, appropriate, or adequate to cover your website’s activities. At worst, you’ll be infringing on copyright, plagiarizing content—basically, stealing.)
Make sure the policy is tailored to your specific organization. All the policies and procedures addressed should be actual policies and procedures your non-profit has implemented and used.
Do I need to get permission to post photos of children on our website?
Good question. COPPA and child privacy aside, I tend to agree with the perspective of United Methodist Communications concerning children and photographs,
[Taking] this issue of protecting users’ and members’ privacy further, we turn to the hot topic of the times: children and photographs. Do you need permission to post pictures of children, or anyone else, on your website? Well, that depends. Legally, any picture that you take in public that contains recognizable images of people, regardless of age, can be displayed on your website without obtaining permission. Ethically, and especially as people of faith, it is strongly recommended that you go the extra mile and gain at least verbal, if not written, permission from parents when using a recognizable image of their child up through age 17. Oftentimes, churches simply include a check box on standard permission forms where parents can say yes or no to allowing images or recordings of their children to be displayed on the website or used in print pieces, etc.
So, what’s the bottom line?
If you want to publish those amazing VBS memories—or any other photos or video of your people, and especially children—on your church’s website, here’s a recipe for success:
- Add a dash of COPPA language
- Fold in a plan to get verbal or written permission to display images or recordings of your people online
- Mix well with prayer
What about you?
Do you ask permission to display images or video of your folks online?
What steps has your church taken to safeguard child privacy online?