We currently have a CRA/Compliance exam scheduled for next month. There are two questions under the subject heading:

1. A copy of documents that demonstrate that the institution participates in an FTC-approved, self-regulatory program, if applicable.
2. A copy of notice(s) to parents of the institution’s practices with regard to the collection, use, and/or disclosure of a child’s personal information.

Can someone refer me to the reg or law covering this issue? We have a web site, but we are not marketing to children or gathering information on children or anyone else - so is that the answer to these questions, e.g., N/A, based on the fact that we are not gathering information?

A search on BOL on "COPPA" will yield many questions and answers that will allow you to be sure that you are not indirectly gathering information on children. But from your question it sounds as though you are not.

COPPA, the law, is here.

FYI OCC COPPA exam procedures are here.

If you have no info-gathering forms on your pages and do not allow 12-year-olds to have access to an internet banking service, then all of COPPA is "N/A" for you.

In addition to the advice given above, check your web site for "kid's pages." I've caught our folks holding contests on these pages where the child has to contact the bank, sometimes with personal info, but at the very least giving us their e-mail address.

Thanks for the links and input.

Do you have it documented anywhere that you looked at COPPA and determined that it doesn't apply to you? I would suggest that you review the act and document that you "... do not currently operate a Web site or online services directed to children, ... are not subject to COPPA." I made sure it was in the minutes of a compliance committee meeting and revisit the issue periodically.