If you’ve never heard of COPPA, consider yourself lucky… and now, warned. Chances are, if you’re finding this article via a search engine, you’re already in the thick of it. For that, I offer my consolations and a few lessons learned. Disclaimer: I am not a lawyer. None of the suggestions contained in this blog post constitute legal advice.
Age Neutral Verification
This is the biggest area of impact on the interface. If you have a site which offers kid-attractive content, you’ll need to know whether a visitor is above thirteen before making an account or storing personally identifiable information.
The problem is that you can’t actually ask that in a way that indicates that thirteen is the break point. This is what “age-neutral verification” means. If only it were as simple as a checkbox that they tick which says “I am over 13 years of age.” Nuuuh-uh, not so fast, cowboy. That’s not legal. (See FAQ #39 of the COPPA statute.)
If the user fails the age-neutral test, you must fail in an obtuse way that doesn’t indicate to them that the age check was the reason. This defies all good UX principles around writing clear error messages that tell people what is actually going on. As much as this boils my cockles, it is the law. But it doesn’t end there. You must prevent them from turning around and trying again. Finally, your company must delete all info from any source that you have about that user.
Most providers, including Facebook in the screenshot, ask for a birth date, as that’s the example solution given in the law. Facebook’s popup delicately explains “Providing your birthday helps make sure you get the right Facebook experience for your age. You can choose to hide this info from your timeline later if you want. For more details, please visit our Data Use Policy.”
Another option is to simplify down to only asking for the birth year. The drawback to this method is that you need to toss out all of the people who turned thirteen that calendar year who would otherwise be able to use your site.
Lastly, my favorite option is the radio buttons with age ranges approach. This example is from the Born This Way Foundation. It’s the best UX but the riskiest approach from a legal standpoint.
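A sketch of the flow this section describes (birth date or birth-year-only input, a failure message that does not reveal the reason, no second attempt, deletion of held data), added here as an example and not taken from the original post or any site it mentions. The function names, message text, client identifier and in-memory stores are assumptions; a real site would need a persistent marker and its own deletion path.

```javascript
// Added example: identifiers, message text and storage are assumptions.
const MIN_AGE = 13;
const NEUTRAL_ERROR = "Sorry, we are unable to create an account right now.";

// In-memory stand-ins for a persistent client marker and held user data.
const blockedClients = new Set();
const pendingData = new Map();

// Whole years between a full birth date and `today` (UTC).
function ageFromBirthDate(birth, today) {
  const years = today.getUTCFullYear() - birth.getUTCFullYear();
  const hadBirthday =
    today.getUTCMonth() > birth.getUTCMonth() ||
    (today.getUTCMonth() === birth.getUTCMonth() &&
      today.getUTCDate() >= birth.getUTCDate());
  return hadBirthday ? years : years - 1;
}

// Birth year only: assume the latest possible birthday, so everyone who
// turns thirteen during the current calendar year is rejected.
function minAgeFromBirthYear(year, today) {
  return today.getUTCFullYear() - year - 1;
}

function checkSignup(clientId, input, today = new Date()) {
  // A client that failed once gets the same answer whatever it submits now.
  if (blockedClients.has(clientId)) return { ok: false, message: NEUTRAL_ERROR };

  const age = input.birthDate
    ? ageFromBirthDate(new Date(input.birthDate), today)
    : minAgeFromBirthYear(Number(input.birthYear), today);

  // Malformed input is a format problem, reported as such and not blocked.
  if (Number.isNaN(age)) return { ok: false, message: "Please check the date." };

  if (age < MIN_AGE) {
    blockedClients.add(clientId);   // no second attempt
    pendingData.delete(clientId);   // drop what was held about this user
    return { ok: false, message: NEUTRAL_ERROR }; // never mentions age
  }
  return { ok: true };
}
```
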
Tricks up our sleeve
Since Gmail, Hotmail, and Yahoo are all under the same restrictions, they have already asked this question of users. A feature we’ve been talking about for Persona is to flag such users’ accounts as good to go. As we roll this future feature out, this will mean that we can give sites both a verified email address and a verified age-neutral check. Again, check with your lawyers to see what sort of documentation you’ll need to keep around to prove that these third parties were indeed performing the check.