This is a guest post by Anne Bowser, a PhD candidate at the University of Maryland College of Library and Information Science, and a Research Assistant with the Commons Lab of the Woodrow Wilson International Center for Scholars.
Citizen science allows anyone and everyone to experience the thrill of scientific discovery. Children, who love being outside and prefer doing things to simply reading about them, can be especially enthusiastic volunteers. In schools, citizen science can be a powerful experience that nurtures curiosity through experiential learning. Some citizen science projects—like Project Globe—even provide tools such as learning objectives or assessment tools to help teachers bring citizen science into their classrooms. Children also experience citizen science through clubs like 4-H, which partners with NASA in the Adopt a Landsat Pixel project, and with parents or family friends.
Technology is a key component of citizen science for many young volunteers. Children can upload data through mobile apps, play games for citizen science, and communicate with their peers through discussion forums. But for children under 13, many online activities are regulated by COPPA, the Children’s Online Privacy Protection Act. COPPA was passed in 1998 to protect the safety of children by limiting the types of information that websites or mobile apps can collect and share. Many citizen science projects value openness, allowing a range of people to participate, and making data available for the public to access and use. Unfortunately, openness sometimes conflicts with privacy. Well-meaning projects can violate COPPA without realizing they are doing so.
This blog post examines COPPA in the context of citizen science with the goal of helping projects and volunteers make informed decisions about contending with child volunteers. Please note that the author is a PhD student, not a lawyer; the claims below represent legal research, not legal advice.
Getting oriented: The basics of COPPA
COPPA is a United States law that was passed in October of 1998 and amended on July 1st, 2013. COPPA was written for “commercial websites,” but may impact other projects as well (see below). The law addresses provisions for “the online collection of personal information from children under 13.”
According to COPPA, “personal information” includes:
- First and last name
- Home or physical address
- E-mail address
- Telephone number
- Social security number
- Any other identifier that allows children to be contacted in person, or online
- Any information collected about a child combined with one of the identifiers described above
The 2013 amendment designates additional types of “personal information”:
- Geolocation information
- Photos, videos, and audio that contain an image or voice of the child
A website that collects any type of personal information from children must take steps in order to be “COPPA compliant.” The most relevant portions of COPPA explain that a website must:
- Explain what types of information are collected, how this information is used, and how this information is shared with others
- Obtain verifiable parental consent before knowingly collecting personal information from children (except contact information used to answer a child’s question)
- Maintain “reasonable procedures” to protect the confidentiality of personal information
- Upon request, tell parents what types of information the website has about a child, share information collected about a child, or stop collecting or maintaining personal information about a child
COPPA and citizen science
The connection between citizen science and COPPA may not be clear, but consider the following:
- Projects typically collect demographic information including the name and age of volunteers during registration
- Many projects collect contact information such as email address, phone number, and mailing address during registration
- Many location-based projects ask a volunteer to submit the location of their observation; this data also includes the location of a volunteer
- Data collected through smartphones includes metadata with geolocation
- Projects that collect photos or audio files may accidentally collect images or voices of volunteers
- Projects that make raw data publicly available often include data that COPPA considers “personal information”
- Some projects recognize contributors by thanking volunteers by name
Who needs to comply with COPPA?
Anyone operating a commercial website directed at children, or a general purpose website that knowingly collects data from children, needs to be COPPA compliant. To break this down further:
- A “commercial” website includes one run for profit, or a website where the parent company is run for profit (including some museums)
- Additionally, all projects operated in whole or part by federal agencies are required to be COPPA compliant
- The FTC determines whether a website is directed at children by considering “several factors, including the subject matter; visual or audio content; the age of models on the site; language; whether advertising on the Web site is directed to children… and whether a site uses animated characters.”
- General purpose websites that collect demographic information must comply with COPPA if even a single user is under 13.
What about recipients of federal grants from agencies like NSF?
Because NSF is a federal agency and COPPA applies to federal agencies and federal contractors alike, some projects with NSF funding express concern about COPPA. Fortunately, none of the sources consulted for this piece believe that non-profit federal grantees must be COPPA compliant.
According to one NSF employee, “COPPA is not mentioned in our award terms and conditions or anywhere in our policy documents. Therefore, my take is that it does not apply to NSF awardees.” Furthermore, a representative from the University of Maryland’s legal office believes that: “Traditional private universities and many public universities are non-profits. Other public universities, such as UMD, are tax-exempt state agencies; for federal regulatory purposes, they are typically treated as non-profits.” The FTC’s COPPA hotline agrees. As one representative writes, “if the grantee is a nonprofit entity it is not covered by COPPA–though we still recommend COPPA protections as a best practice. If a federal grantee is a for profit entity providing a site or service directed to children, it is covered by COPPA.”
Still not sure whether COPPA matters for your project? Please see the flowchart below.
What is COPPA compliance?
In recognition that the law can be confusing, the FTC published a guide to COPPA compliance that can be found online here. This guide covers two main areas: a privacy notice, and direct notice to parents in order to obtain consent before data collection.
- Privacy notice: An operator must post a “clear and prominent” link to a notice of its information policies on the home page of its website, and on any page that collects personal information from children. This must include:
  - The name and contact information of everyone who collects and maintains children’s personal information
  - A description of how the operator uses personal information
  - Whether personal information is disclosed to third parties, and under what conditions
  - That all information collected is “reasonably necessary”
  - That a parent can dictate how information is maintained and used
- Direct notice to parents: Before collecting information from a child, an operator must make reasonable effort to notify and receive consent from the child’s parents.
  - “Reasonable effort” is evaluated on a sliding scale, where projects that disclose information to others are held to stricter standards
  - If personal information is disclosed to third parties, a reliable form of consent such as “getting a signed form…via postal mail,” “accepting and verifying a credit card number in connection with a transaction,” and “email accompanied by digital signature” is required
How do citizen science projects deal with COPPA?
There are three options for approaching COPPA compliance. Some projects simply refuse to let children under 13 participate. This decision may be based on limited resources (obtaining “verifiable parental consent” is not an easy task), or because some aspect of a project makes COPPA compliance impossible. Most projects that make this decision inform potential volunteers that people under 13 may register through a parent or guardian.
Other projects implement a strict registration process where parents give consent through paper forms. This model makes sense when training or data collection must be done in person, or when the project is run through a school. For example, The Hudson River Eel Project coordinates with teachers to get consent for student volunteers.
Still other projects implement strict protocols to comply with COPPA. The Community Collaborative Rain, Hail, and Snow Network (CoCoRaHS) is run out of the Colorado Climate Center at Colorado State University, and receives support from federal agencies such as NOAA. CoCoRaHS provides a privacy notice by including a link to their data policies in the footer of every page of their website, including their homepage and volunteer registration form. During registration, volunteers are asked to supply their age and (if under 18) the name of a parent or guardian; for volunteers under 13, CoCoRaHS contacts parents to obtain consent if it appears that the email address belongs to the child and not to a parent or guardian.
CoCoRaHS makes raw data publicly available through a number of reports, including daily participation reports and water year summary reports broken down by state or Canadian province. These reports are stripped of any personal information prior to release. For example, CoCoRaHS collects full mailing addresses from volunteers but only makes data available at the granularity of city and state (or county and state). These data can be sorted by two unique identifiers: Station Number (a combination of letters and numbers such as LA-LY-6) and Station Name (which represents an abbreviated and imprecise location, e.g., Scott 1.0 N). CoCoRaHS assigns a Station Number and a Station Name to each volunteer who applies to be an observer. This ensures that no personal information is unwittingly submitted (i.e., users cannot choose a station name like JoeSmithsHouse).
Understanding COPPA is a difficult task; complying with it, even more so. Resources such as the FTC’s guide to COPPA compliance can help those who wish to gather data from children under 13. Still, compliance may not be possible for small projects, or for projects that lack physical access to volunteers and their families. Ultimately, each project must decide whether COPPA compliance is worth the cost in staff time and resources, balancing the needs of children, their families, and key project goals.
The full text of COPPA with a compliance guide written by the FTC is available here.
The OMB Memorandum 00-13, Privacy Policies and Data Collection on Federal Websites, explains “it is federal policy that all Federal web sites and contractors when operating on behalf of agencies shall comply with the standards set forth in the Children’s Online Privacy Protection Act of 1998.”
The National Science Foundation (NSF) publishes a list of Federal-Wide Research Terms and Conditions. Appendix C describes National Policy Requirements that grantees must adhere to. COPPA is not listed (although NSF notes that this list is not exhaustive).
Note from the author: Thanks to Nolan Doesken from CoCoRaHS, and Chris Bowser from the Hudson River Eels Project for sharing their privacy policies; thanks to Kevin Crowston of the National Science Foundation, Jen Gartner of UMD’s office of legal affairs, and contributors to the FTC’s COPPA hotline, for advice on COPPA and federal grantees.