Account Data Page
One of the stipulations of some children's privacy laws, such as the Children's Online Privacy and Protection Act (COPPA), is that parents must be able to access and remove all of the personal information that a site stores about their child. The Account Data page exists specifically to meet the first part of this requirement. You provide a URL to this page when you register your site. From this page, parents can view and modify all of the personal information stored about their child.
Before you allow a user to access a child's data through your Account Data page, use the kppvc parameter to do the following:
- Be sure the user is authenticated.
- Determine which child's personal information record is to be accessed.
- Verify that the user is actually the parent of the child whose personal information is to be accessed.
For information about the kppvc parameter, see Verifying the Parent-Child Relationship.
If your site does not gather or store personal information, your Account Data page should state this. It might also suggest that parents set your site's consent status to "Deny" to prevent Microsoft® .NET Passport from providing your site with any personal information about the child.
The following code sample demonstrates how to use the kppvc parameter to perform the checks described earlier.
<%
Response.Expires = -1

' Global variables to store the values in kppvc.
Dim cmidh, cmidl, pmidh, pmidl, cas

Set oMgr = Server.CreateObject("Passport.Manager")
thisURL = "https://" & Request.ServerVariables("SERVER_NAME") & _
          Request.ServerVariables("SCRIPT_NAME")

Sub Validate_Parent_Account_Data
    ' Check that kppvc is present.
    If Request("kppvc") <> "" Then
        ' Verify that the user is signed in with a fresh ticket.
        If oMgr.IsAuthenticated(36000,False) <> False Then
            ' For the implementation of this subroutine, see Verifying the Parent-Child Relationship.
            Call Get_kppvc_Values
            ' Compare the current user's PUID to the parent's PUID from kppvc.
            ' Remember that the PUID from kppvc is in hexadecimal format.
            If (Hex(oMgr("MemberIDHigh")) = pmidh) And (Hex(oMgr("MemberIDLow")) = pmidl) Then
                ' We've now verified that the user is signed in with a fresh ticket, and that
                ' the user matches the parent who is linked to the child.
                Call Access_Child_Data
            Else
                ' The current user is not the parent of the child.
                Response.Write("You are not authorized to access this page.")
            End If
        Else
            ' The current user is not signed in or has a stale ticket.
            ' Redirect to the Login server with KPP=4 and include kppvc.
            ' The value is URL-encoded again because Request.QueryString returns it decoded.
            Response.Redirect(oMgr.AuthURL2(thisURL,600,,,,,4) & "&kppvc=" & _
                Server.URLEncode(Request.QueryString("kppvc")))
        End If
    Else
        ' A user is attempting to access your Account Data page directly.
        ' Display an appropriate error message.
        Response.Write("You are not authorized to access this page.")
    End If
End Sub

Sub Access_Child_Data
    ' The child's PUID is specified in the cmidh and cmidl variables.
    ' Insert code here that accesses the child's personal information record in
    ' your database and presents it to the parent.
End Sub
%>
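The sample above compares the output of Hex() with the kppvc values as exact strings, so the check only passes when both sides use the same letter case and zero padding. The following added example (not part of the original SDK sample) normalizes both sides before comparing and denies access on any malformed input. NormalizePuidHalf and IsSameMember are hypothetical helper names, and the code assumes each kppvc PUID half is a hexadecimal string of one to eight digits.

```vbscript
' Added example, not from the SDK. Helper names are hypothetical.
' Assumption: each PUID half taken from kppvc is 1 to 8 hexadecimal digits.

' Returns the value as 8 uppercase hex digits, or "" if it is not valid hex.
Function NormalizePuidHalf(ByVal s)
    Dim i, ch
    NormalizePuidHalf = ""
    If IsNull(s) Or IsEmpty(s) Then Exit Function
    s = UCase(Trim(CStr(s)))
    If Len(s) < 1 Or Len(s) > 8 Then Exit Function
    For i = 1 To Len(s)
        ch = Mid(s, i, 1)
        If InStr("0123456789ABCDEF", ch) = 0 Then Exit Function
    Next
    ' Left-pad with zeros so "3BFFD" and "0003BFFD" compare equal.
    NormalizePuidHalf = Right("00000000" & s, 8)
End Function

' True only when all four halves are well formed and the pairs are identical.
' curHigh/curLow are the signed-in user's MemberIDHigh/MemberIDLow values;
' kHigh/kLow are the parent's PUID halves extracted from kppvc.
Function IsSameMember(ByVal curHigh, ByVal curLow, ByVal kHigh, ByVal kLow)
    Dim a, b, c, d
    IsSameMember = False
    ' A missing profile value must never match anything.
    If IsNull(curHigh) Or IsEmpty(curHigh) Then Exit Function
    If IsNull(curLow) Or IsEmpty(curLow) Then Exit Function
    a = NormalizePuidHalf(Hex(CLng(curHigh)))
    b = NormalizePuidHalf(Hex(CLng(curLow)))
    c = NormalizePuidHalf(kHigh)
    d = NormalizePuidHalf(kLow)
    If a = "" Or b = "" Or c = "" Or d = "" Then Exit Function
    IsSameMember = (a = c) And (b = d)
End Function

' Usage inside Validate_Parent_Account_Data, replacing the inline comparison:
'   If IsSameMember(oMgr("MemberIDHigh"), oMgr("MemberIDLow"), pmidh, pmidl) Then
'       Call Access_Child_Data
'   Else
'       Response.Write("You are not authorized to access this page.")
'   End If
```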
Remarks
It is a good privacy practice to serve your Account Data page (or pages) through HTTPS.
After a user has access to the Account Data page, only silent refresh should be used in cases in which a new Ticket is needed.