[OpenID] OpenID and the COPPA

Brendon J. Wilson brendon.wilson at gmail.com
Thu Apr 3 21:39:52 UTC 2008


A really interesting contribution Tom - thanks for that!

I'm not sure if the eligibility clause will survive over the long term  
under legal scrutiny - we'll see, I guess. If it doesn't I think  
there's actually an opportunity in the market to provide an OP with  
capabilities to delegate "permission" - imagine if, as a parent, I  
could create identities for my kids, and also manage an authorization  
list of some kind (you can go on facebook, but not on myspace, or what  
have you).

Brendon

On Apr 1, 2008, at 10:27 PM, tom wrote:
> Hi Brendon,
>
> All US-based OPs and consumers fall under the definition of "The  
> operator" - meaning "any person who operates a website located on  
> the Internet or an online service and who collects or maintains  
> personal information from or about the users of or visitors to such  
> website or online service."
>
> If you store personal information obtained via SREG/AX/ 
> any_other_extension or from a form (as a consumer) or you give out  
> information requested by SREG/AX/any_other_extension (as an OP) then  
> you will need to comply with COPPA.
>
> Here is the act for those that want to know more -> http://www.coppa.org/coppa.htm
>
> Whilst it does not affect OpenID authentication specifically COPPA  
> should be noted in guidelines for web developers. If you are  
> concerned and you want to check your service then the way around  
> COPPA is to provide an Eligibility clause in your terms of service  
> which denies service to under 13 year olds. You can find an example  
> in the Facebook terms of service - http://www.facebook.com/terms.php  
> - [hint] In a quick survey I found 3 OPs this morning that I know  
> have servers in the US and DO NOT have COPPA protection in their  
> terms of service. Ladies and Gentlemen - you've been warned,
>
> Tom
>
> Brendon J. Wilson wrote:
>>
>> Hi all,
>>
>> I'm curious if anyone has given any thought to the possible
>> ramifications of COPPA (the Child Online Privacy and Protection Act)
>> on the proliferation of OpenID? My understanding is that COPPA
>> requires service providers to obtain permission from a parent to
>> collect, disclose, etc information from a child less than 13 years of
>> age. It appears to me that the Simple Registration Extension would
>> qualify as disclosure of the user's personal information, and hence a
>> relying party would need some way to confirm a user's age and parental
>> permission prior to, or perhaps as part of, allowing an underage user
>> to authenticate via OpenID?
>>
>> Brendon
>> ---
>> Brendon J. Wilson
>> www.brendonwilson.com
>
>
> -- 
> Tom Calthrop
> Founding director, Barnraiser.
>
> Dedicated to giving people the tools they need to share
> knowledge and advance society through social software.
>
> Web site: http://www.barnraiser.org/
> OpenID: http://tom.calthrop.info/