[OpenID] OpenID and the COPPA

Peter Williams pwilliams at rapattoni.com
Wed Apr 2 11:34:50 UTC 2008


And, while you are at it, US sites in all states may be advised to seek and obtain safe harbor provision status from the Commerce dept, to get certain immunities from EU data protection regulations - if knowingly collating personal information about any 2 (of about 450M) EU persons. Collecting c=GB during sreg is a material act of "knowing".

A fraudulent privacy controls attestation (even one sanctioned on the basis of a seemingly appropriate US privacy audit/attestation) will not get you "effective" safe harbor status, though. Any one of 30+ jurisdictions may cite the US firm, given a material basis for a fraudulent declaration. http://www.export.gov/safeharbor/sh_overview.html


Comment: The safe harbor regime that US insisted on negotiating is a little like the alternative minimal tax situation under practical US federal tax system. Designed to protect big US firms, it ended up just burdening the smaller US parties - the very parties more likely to fall foul of disclosure fraud. It will be interesting to watch China apply its economic muscle and deploy foreign powers laws too, to build an EU-style data protection envelope around another nBillion human beings.


From: tom
Sent: Tue 4/1/2008 10:27 PM
To: Brendon J. Wilson; general at openid.net
Subject: Re: [OpenID] OpenID and the COPPA


Hi Brendon,

All US-based OPs and consumers fall under the definition of "The operator" - meaning "any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service."

If you store personal information obtained via SREG/AX/any_other_extension or from a form (as a consumer) or you give out information requested by SREG/AX/any_other_extension (as an OP) then you will need to comply with COPPA.

Here is the act for those that want to know more -> http://www.coppa.org/coppa.htm

Whilst it does not affect OpenID authentication specifically, COPPA should be noted in guidelines for web developers. If you are concerned and you want to check your service, then the way around COPPA is to provide an Eligibility clause in your terms of service which denies service to under-13-year-olds. You can find an example in the Facebook terms of service - http://www.facebook.com/terms.php - [hint] In a quick survey I found 3 OPs this morning that I know have servers in the US and DO NOT have COPPA protection in their terms of service. Ladies and Gentlemen - you've been warned,

Tom



Brendon J. Wilson wrote:
Hi all,

I'm curious if anyone has given any thought to the possible ramifications of COPPA (the Child Online Privacy and Protection Act) on the proliferation of OpenID? My understanding is that COPPA requires service providers to obtain permission from a parent to collect, disclose, etc information from a child less than 13 years of age. It appears to me that the Simple Registration Extension would qualify as disclosure of the user's personal information, and hence a relying party would need some way to confirm a user's age and parental permission prior to, or perhaps as part of, allowing an underage user to authenticate via OpenID?

Brendon
---
Brendon J. Wilson
http://www.brendonwilson.com/
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general


-- 
Tom Calthrop
Founding director, Barnraiser.

Dedicated to giving people the tools they need to share 
knowledge and advance society through social software.

Web site: http://www.barnraiser.org/
OpenID: http://tom.calthrop.info/