COPPA Compliance

Issue
Our customer’s Drupal web site and iOS mobile application were required by the FTC to be COPPA compliant. Failure to meet compliance would result in heavy fines. Any functionality in the software (including certain submitted forms and games) that collected individually identifiable information about a child under the age of 13 would first require verifiable parental consent.
 
The customer was given less than 30 days to become compliant. Recognizing a need for outside expertise, they hired the xforty consulting staff to implement a solution.
 
Solution
To meet the requirement of verifiable parental consent for collecting information, users are required to authenticate to the web site. If the user does not have an account, they may register for one. During registration, the parent has access to the privacy notices.
 
Webforms and games were the two types of content on the Drupal site that needed to be made COPPA compliant. Compliance for both was implemented with a custom module that made comprehensive use of Drupal’s Form API. For webforms, if the user was anonymous, the submitted data needed to be cached while the user either signed in or registered for a site account. Once the user authenticated, the cached form data was submitted. For the other type of content, Flash games, the game was replaced by a sign-in link if the user was anonymous. Once the user authenticated, the game became accessible.
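As an added illustration of the gating described above (example code, not xforty's module), the following Drupal 7 sketch parks an anonymous webform submission in the server-side session, replays it after login, and swaps a Flash game for a sign-in link. The module name coppa_gate, the game content type and the field_game_swf field are assumed names, and it assumes Webform 7.x registers its handlers in $form['#submit'].

```php
<?php
// Added illustration, not xforty's module: gate anonymous webform submissions
// and Flash game nodes behind site login in Drupal 7 (assumes Webform 7.x;
// 'coppa_gate', 'game' and 'field_game_swf' are hypothetical names).

// Implements hook_form_alter(): for anonymous users, run our handler before
// Webform's own submit handlers (assumes Webform registers them in $form['#submit']).
function coppa_gate_form_alter(&$form, &$form_state, $form_id) {
  if (strpos($form_id, 'webform_client_form_') === 0 && user_is_anonymous()) {
    array_unshift($form['#submit'], 'coppa_gate_park_submission');
  }
}

// Park the submitted values in the server-side session and send the visitor to
// sign in or register. drupal_goto() ends the request, so nothing is stored yet.
function coppa_gate_park_submission($form, &$form_state) {
  $nid = $form['#node']->nid;
  $_SESSION['coppa_gate'] = array('nid' => $nid, 'values' => $form_state['values']);
  drupal_set_message(t('Please sign in or register before this information is saved.'));
  drupal_goto('user/login', array('query' => array('destination' => 'node/' . $nid)));
}

// Implements hook_user_login(): replay the parked submission now that the
// user is authenticated, then discard the cached copy.
function coppa_gate_user_login(&$edit, $account) {
  if (empty($_SESSION['coppa_gate'])) {
    return;
  }
  $parked = $_SESSION['coppa_gate'];
  unset($_SESSION['coppa_gate']);
  $node = node_load($parked['nid']);
  if (!$node) {
    return;
  }
  $form_state = array('values' => $parked['values']);
  // Runs Webform's validate and submit handlers as if the form had been posted
  // by the now-authenticated user.
  drupal_form_submit('webform_client_form_' . $node->nid, $form_state, $node, FALSE);
}

// Implements hook_node_view(): swap the Flash game for a sign-in link when the
// viewer is anonymous; the link returns them to the game after login.
function coppa_gate_node_view($node, $view_mode, $langcode) {
  if ($node->type == 'game' && user_is_anonymous() && isset($node->content['field_game_swf'])) {
    $node->content['field_game_swf'] = array(
      '#markup' => l(t('Sign in to play'), 'user/login', array('query' => drupal_get_destination())),
    );
  }
}
```

Because the cached values live only in the server-side session until the login hook replays them, an abandoned submission is never written to the database.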
 
For the iOS mobile application, an OAuth two-factor authentication system was set up using the OAuth and Services contributed modules along with a custom module with exported Features components. Similar to the webforms and games on the web site, if users wanted to submit certain information via the iOS application, they first had to authenticate to the site. A REST API was created using the Services module and JSON to allow the iOS application to register users if necessary. The authentication was handled with OAuth. We then assisted the third-party iOS developers with integrating their mobile application with OAuth and our REST API.
 
Outcome
As a result of xforty's ability to deliver technical expertise on a short timeline, our customer is well within compliance and continues to offer their customers a safe and highly engaging on-screen experience.
 
Notice: Key architecture design elements and corporation names have been omitted in order to protect the proprietary investments of the customer.