Security and Privacy of Information Belonging to Children and in Educational Records
everal laws are in place in the United States to protect children when they are online. The Children’s Online Privacy Protection
Act (COPPA) governs how information from children is to be collected and used. If you
host a Web site that collects information from children, COPPA applies to you. The Children’s Internet Protection Act (CIPA)
protects minors from obscene or objectionable material on school or library computers. These computers must implement
technology to filter objectionable content. The Family Educational Rights and Privacy Act (FERPA) protects the privacy rights of
students and their educational records. Students and parents have the right to review these records. Additionally, schools cannot
release records without the written consent of a student or parent.
This chapter begins with a discussion of children and the Internet, and the unique challenges Web site operators face in protecting
children. The chapter then provides details about COPPA, CIPA, and FERPA.
CHAPTER 5 Chapter 5 Topics
This chapter covers the following topics and concepts: • What challenges exist in protecting children on the Internet • What the
Children’s Online Privacy Protection Act (COPPA) is • What the Children’s Internet Protection Act (CIPA) is • What the Family
Educational Rights and Privacy Act (FERPA) is
121 Chapter 5 Goals
When you complete this chapter, you will be able to: • List some of the challenges with protecting children on the Internet •
Identify the purpose and scope of COPPA, and describe its main requirements and oversight responsibilities
• Identify the purpose and scope of CIPA, and describe its main requirements and oversight responsibilities
• Identify the purpose and scope of FERPA, and describe its main requirements and oversight responsibilities
Challenges in Protecting Children on the Internet
U.S. children ages 8 to 18 spend over seven hours a day using electronic media. This includes television, music, computer use,
and video game use.1 Parents, schools, and Web site providers all have different roles to play in protecting children when they
are online. It’s not unusual to hear about cases where Web site operators run afoul of the laws that attempt to protect children: •
In 2013, a social media company paid $800,000 to settle charges with the Federal Trade Commission (FTC). The company had
an app that allowed children to create journals and share those journals online. Children could also post photos and share location
information. The FTC alleged that the company violated the Children’s Online Privacy Protection Act (COPPA). The company
collected the birth dates of 3,000 children before getting parental permission.
• A company that created virtual online gaming worlds agreed to pay $3 million in 2011 to settle charges with the FTC. The FTC
alleged that the company improperly collected and disclosed the personal information of thousands of children without parental
consent. This is the largest civil penalty so far in a COPPA action.
• A student sued a local school board alleging that the school had violated the student’s First Amendment rights. The lawsuit
alleged that the school’s Internet filtering software blocked too much legitimate content. In this case, computers in the school
library blocked access to Web sites that promoted gay rights, but allowed access to Web sites that opposed gay rights. The
student did not challenge that federal law required the school to use filtering software to block obscene material. In 2012, a
federal court judge found that the school’s blocking software configuration was unconstitutional. It ordered the school to
reconfigure its software to make sure that did not discriminate against different viewpoints.
122 CHAPTER 5 | Security and Privacy of Information Belonging to Children and in Educational Records
Although most people agree that children should be protected when they are online, they don’t always agree on how that should
be accomplished. For example, some people suggest that a parent should monitor a child’s Internet access and decide if the
child’s Internet activities are acceptable. Others suggest that laws should be in place to protect the child even if a parent is not
monitoring the child’s Internet use. As you will see in this chapter, several laws have been enacted to protect children. Most of
these laws are directed at the Web site operators who provide online content to children. However, even when enacting laws,
challenges still exist. These include: • Identification of children—How can Web site operators distinguish between adults and
• First Amendment and censorship—When does censoring certain types of content violate the First Amendment?
• Defining objectionable content—Where is the dividing line between material that is merely inappropriate for children and that
which is truly objectionable?
Identification of Children
In 1993, the New Yorker published the now-famous cartoon by Peter Steiner with the caption, “On the Internet, nobody knows
you’re a dog.” It is just as hard to separate children from adults on the Internet. To protect children, you must be able to identify
them. Although you can require identification from restaurant customers to ensure they’re old enough to purchase alcohol, it isn’t
easy to require identification when users access a Web site. Most users can easily remain anonymous when they’re online. This
creates a problem for Web site operators. Most of the laws that aim to protect children while they are online require Web site
operators to be able to distinguish children from adults. Web site operators can use several methods to distinguish children from
• Requiring user input—A Web site can require users to identify if they are children or adults. For example, users can select a
check box indicating they are over a certain age. They can be required to enter an age or a birth date. This isn’t a foolproof
method, however, because people can simply lie about their age. If a child accesses an age-restricted Web site under false
pretenses, the Web site operator can still be liable for providing objectionable content to a child.
• Requiring payment—If a Web site has material that should be restricted from children, it can require a payment to access the
site. Payment can be made using a credit card, a PayPal account, or another method that a child is unlikely to be able to use. The
payment may be a nominal fee, such as 99 cents. It could also be a larger fee designed to generate revenue. A payment
requirement can be effective because children generally don’t have access to means of payment.
Children and Educational Records 124 NOTE
The Entertainment Software Rating Board (ESRB) is a self-regulating nonprofit that assigns independent ratings to computer and
video game content. This includes games available online. The ratings help parents select appropriate games and other content for
their children. Web site operators can rate their Web sites according to ESRB so that parental controls work properly. Visit
http://www.esrb.org to learn more.
PART 2 | Laws Influencing Information Security
• Using parental controls—Some operating systems include parental controls. So do many applications. Parental controls allow a
parent to restrict their children’s access to objectionable material based on different ratings.
• Requiring parental consent—If a child wishes to access a particular Web site, that site can block the child’s access until a parent
provides permission. This means that the Web site operator implements controls to verify that a parent is providing consent to
access the Web site.
First Amendment and Censorship The First Amendment is a part of the Bill of Rights. The First Amendment grants certain rights
related to freedom of speech. It also protects freedom of the press and the free exercise of religion. First Amendment issues come
into play on the Internet in many different ways:
• Individuals online have a First Amendment right to view lawful content, including content that others might find troubling.
• Web site operators and other content creators have a First Amendment right to post lawful content, including content that others
might find troubling.
The U.S. Supreme Court has said that the right to freedom of speech applies to the Internet.2 This means that the government
can’t restrict an adult’s access to content on the Internet. However, the government can restrict a child’s access to harmful online
materials if the government has a compelling reason to do so. When the government restricts a child’s access to objectionable
online materials, other issues are raised. Does it violate a Web site operators rights to force it to censor material because a child
might view it? If individuals are required to identify themselves before they can use a Web site, such as proving that they’re not
children, does that restrict their free speech? Does it restrict free speech if individuals are required to identify themselves by name
in comments on a Web site? If libraries are required to use filters on computers to keep children from viewing objectionable
content, does it restrict the free speech rights of adults who also use those computers? Many of these issues continue to evolve
within the context of the laws discussed in
Defining Obscenity The laws discussed in this chapter protect the privacy of children. They protect children from harmful
content. For the most part, this harmful content is content that would be considered obscene. Most people agree that children
should not see obscene material. However, it is difficult to legally define what obscene material is. CHAPTER 5 | Security and
Privacy of Information Belonging to Children and in Educational Records I Know It When I See It
A 1964 U.S. Supreme Court case shows the difficulty of defining obscenity.3 In Jacobellis v. Ohio, a movie theater manager was
convicted under state law of illegally possessing and exhibiting an obscene film. The state supreme court upheld the conviction.
The U.S. Supreme Court later reversed that decision. In this case, the Court agreed that the First Amendment does not protect
pornography or obscenity. It disagreed about whether the motion picture was obscene. In the Court’s decision, Justice Potter
Stewart expressed the difficulty of defining what is obscenity and pornography. He wrote “But I know it when I see it, and the
motion picture involved with this case is not that.”
This case was decided over 50 years ago. Yet the challenge of identifying obscenity still exists today.
125 The U.S. Supreme Court addressed this in 1973. In Miller v. California the Court said
that for material to be identified as “obscene,” it must meet three conditions. The condi-tions are based on the average person
applying contemporary community standards to a review of the material. The three conditions are that the material:
• Appeals predominantly to prurient interests—prurient indicates a morbid, degrading, and unhealthy interest in sex
• Depicts or describes sexual conduct in a patently offensive way • Lacks serious literary, artistic, political, or scientific value4
The three conditions for defining obscenity are known as the Miller test.
It isn’t always easy to apply this definition. What one person considers obscene, another person may consider healthy. Material
that one person finds informative may be deemed tasteless by another. Material that is offensive to one person may be viewed as
valuable by another. How a person views material is often influenced by societal, family, community, and religious values.
Children’s Online Privacy Protection Act
The Children’s Online Privacy Protection Act (COPPA)5 passed in November 1998. It first went into effect in April 2000.
COPPA governs how Web sites collect information from children under the age of 13. The Federal Trade Commission (FTC)
oversees COPPA compliance. It has the power to make rules for COPPA compliance. The FTC Rule governing COPPA is called
the COPPA Rule. This rule was first drafted in 1999. In 2012 the FTC revised the rule to respond to changes in technology. The
new rule gives parents more control of how their children’s information is used. The revised rule went into effect in July 2013.
Children and Educational Records 126 NOTE
COPPA is not the same as the Child Online Protection Act (COPA). COPA was enacted in 1998. Its purpose was to protect
minors from access to harmful material on the Internet. However, courts ruled that COPA violated free speech and the law never
went into effect. CIPA is similar to what COPA attempted to accomplish and is discussed later in this chapter.
PART 2 | Laws Influencing Information Security
Web sites must follow specific rules under COPPA to collect and use information from children. There are several important
definitions in the COPPA Rule:
• Child—Any person under the age of 13 • Parent—The legal guardian of a child • Operator—A Web site operator, or operator of
an online service, who collects or maintains personal information about users
Purpose of COPPA
The primary purpose of COPPA is to protect children’s privacy on the Internet. Web sites must follow specific rules if they
collect or use a child’s personal information. They must obtain a parent’s consent before doing so. They must also post a privacy
policy explaining their practices.
Personal information includes: • A child’s first and last name • A child’s e-mail address or other online contact information such
as an Instant Messaging username or voice over internet protocol (VOIP) identifier
• A child’s screen name or username • A child’s physical address, such as their home address • A child’s telephone number • A
child’s Social Security number • Photographs, video, or audio files that contain a child’s image or voice • Geolocation data that
identifies a physical address • Any persistent identifier, such as an Internet cookie or Internet Protocol (IP) address that is used to
recognize a user over time and across different Web sites
• Any other information concerning a child or the child’s parents that a Web site operator collects from a child and combines with
any other data about a child6
Any personal information that’s collected must be protected. This means that the Web site operator must protect the
confidentiality, security, and integrity of this data. Web site operators must ensure the information isn’t made publicly available
to others. This includes making sure it isn’t displayed on a home page of a Web site, on a message board, or in a chatroom. The
law allows Web site operators to share this kind of data only for specific reasons. However, when Web site operators share this
information, they must share it only with third parties who can properly protect it.7 CHAPTER 5 | Security and Privacy of
Information Belonging to Children and in Educational Records
Scope of the Regulation COPPA applies to anyone operating online services that collect or use information about children under
the age of 13. This includes situations where the Web site operator directly collects the information. It also includes situations
where the Web site operator lets third parties collect the information. Even general-audience Web sites might have to follow the
COPPA Rule. If operators of such sites know they are collecting data from children, then they must comply with COPPA. An
operator might know that its site is collecting data from children if it asks users to share their birth date. An operator that collects
demographic data such as school attendance and grade completion might also know that children are using its Web site. The
definition of Web site or online service is broad. It includes standard Web sites. It also includes: • Mobile apps • Internet gaming
platforms • Advertising networks8
Main Requirements COPPA has two main rules that Web sites must follow in order to comply with the rule. Operators must: •
collects about children. It also states how the site will use the information. The COPPA Rule tells operators the terms that must
must be accessible from a clear and prominent link. This means the link needs to stand out and be noticeable. A Web site
designer can achieve this in a variety of ways. For example, the designer can use different type sizes, fonts, colors, or contrasting
Children and Educational Records 128 PART 2 | Laws Influencing Information Security
written and easy to read. The format isn’t as important as the content. At a minimum, the policy must contain: • Operator contact
information—This includes the name, mailing address, telephone number, and e-mail address of all operators collecting or using
the information collected on the Web site. If several operators are collecting infor-mation, the policy can list the contact details
accessible from that policy. Second, the listed operator must respond to all questions about the policy. It also must answer
questions about how data is collected and used on the site.
• Notice of what information is collected—The policy must be specific. A generic term such as “contact information” isn’t
acceptable. Instead the policy should specify child’s name, address, telephone number, gender, age, and e-mail address.
• Notice of how information is collected—A Web site can collect information actively or passively. A user entering information
clearly state how information is collected.
• Notice of how the information will be used—Web sites must state how the information will be used. It must be specific. For
example, a Web site could collect e-mail addresses for newsletter subscriptions. It could collect mailing addresses for prizes. It
could also collect the information for sales and marketing purposes. Each use must be clearly stated.
• Notice of whether the information is disclosed to third parties—The Web site must also state whether collected information is
shared with a third party. These are any entities that aren’t the operator of the Web site. Third parties also include entities that
don’t provide internal support for the Web site. Parents may refuse to share the ...
Purchase answer to see full