(from the
FTC government website)
How to Comply With The Children's Online Privacy Protection Rule
November 1999
The Children's Online Privacy Protection Act becomes effective April 21, 2000. The regulations apply to the online collection of personal information from children under 13. They spell out what a Web site operator must include in a privacy policy, when and how to seek verifiable consent from a parent and what responsibilities an operator has to protect children's privacy and safety online.
The Federal Trade Commission staff prepared this guide to help you comply with the new requirements for protecting children's privacy online and understand the FTC's enforcement authority.
Who Must Comply
If you operate a
commercial Web site or an
online service directed to children under 13 that collects personal information from children or if you operate a
general audience Web site and have actual knowledge that it collects personal information from children, you must
comply with the Children's Online Privacy Protection Act.
Personal Information
The Children's Online Privacy Protection Act and Rule apply to
individually identifiable information about a child that is collected online, such as full
name,
home address,
email address,
telephone number or any other information that would allow someone to
identify or contact the child. The Act and Rule also cover other types of information -
for example,
hobbies, interests and information collected through
cookies or other types of
tracking mechanisms - when they are tied to individually identifiable information.
Basic Provisions
Privacy Notice
Placement
An operator must post a
link to a
notice of its
information practices on the
home page of its Web site or online
service and at each area where it collects personal information from children. An operator of a
general audience site with a
separate children's area must post a link to its notice on the home page of the
children's area.
The link to the privacy notice must be clear and prominent. Operators may want to use a larger font size or a different color type on a contrasting background to make it so. A link in small print at the bottom of the page -- or a link that is indistinguishable from other links on your site -is not considered clear and prominent.
Content
The notice must be clearly written and
understandable; it should not include any unrelated or
confusing materials. It must state the following information:
- The name and contact information (address, telephone number and email address) of all operators collecting or maintaining children's personal information through the Web site or online service. If more than one operator is collecting information at the site, the site may select and provide contact information for only one operator who will respond to all inquiries from parents about the site's privacy policies. Still, the names of all the operators must be listed in the notice.
- The kinds of personal information collected from children (for example, name, address, email address, hobbies, etc.) and how the information is collected - directly from the child or passively, say, through cookies.
- How the operator uses the personal information. For example, is it for marketing back to the child? Notifying contest winners? Allowing the child to make the information publicly available through a chat room?
- Whether the operator discloses information collected from children to third parties. If so, the operator also must disclose the kinds of businesses in which the third parties are engaged; the general purposes for which the information is used; whether the third parties have agreed to maintain the confidentiality and security of the information; and that the parent has the option to agree to the collection and use of the child's information without consenting to the disclosure of theinformation to third parties.
- That the operator may not require a child to disclose more information than is reasonably necessary to participate in an activity as a condition of participation.
- That the parent can review the child's personal information, ask to have it deleted and refuse to allow any further collection or use of the child's information. The notice also must state the procedures for the parent to follow.
Direct Notice to Parents
Content
The notice to parents must contain the same information included on the notice on the
Web site. In addition, an operator must notify a parent that it wishes to collect personal
information from the child; that
the parent's consent is required for the collection, use
and disclosure of the information; and how the parent can
provide consent. The notice
to parents must be written clearly and understandably, and must not contain any unrelated or
confusing information. An operator may use any one of a
number of
methods to notify a parent, including sending an
email message to the parent or a notice by
postal mail.
Before collecting, using or disclosing personal information from a child, an operator must obtain
verifiable parental consent from the child's parent. Until
April 2002, the FTC will use a
sliding scale
approach to parental consent in which the required method of consent will vary based on how the
operator uses the child's personal information. That is, if the operator uses the information for
internal purposes, a less
rigorous method of consent is required. If the operator discloses the information to others, the situation presents greater
dangers to children, and a more reliable method of consent is required. The sliding scale approach will sunset in April 2002 subject to a Commission review planned
for
October 2001.
Internal Uses
Operators may use email to get parental consent for all internal uses of personal
information, such as marketing back to a child based on his or her preferences or
communicating
promotional updates about
site content, as long as they take additional
steps to increase the
likelihood that the parent has, in fact, provided the consent. For example, operators might seek confirmation from a parent in a follow up email, or confirm
the parent's consent by letter or phone call.
Public Disclosures
When operators want to disclose a child's personal information to third parties or make it
publicly available (for example, through a chat room or message board), the sliding scale requires them to use a more reliable method of consent, including:
But in the case of a
monitored chat room, if all individually identifiable information is
stripped from
postings before it is made public - and the information is deleted from the operator's records - an
operator does not have to get
prior parental consent.
Disclosures to Third Parties. An operator must give a parent the option to agree to the collection
and use of the child's personal information without agreeing to the disclosure of the information to third
parties. That is, a parent can grant consent to allow his/her child to participate in activities on the site
without consenting to the disclosure of the child's information to third parties.
Exceptions
The regulations include several
exceptions that allow operators to collect a child's email
address without getting the parent's consent in advance. These exceptions cover many
popular online
activities for kids, including
contests,
online newsletters,
homework help
and
electronic postcards. Prior parental consent is not required when:
- an operator collects a child's or parent's email address to provide notice and
seek consent;
- an operator collects an email address to respond to a one-time request from a
child and then deletes it;
- an operator collects an email address to respond more than once to a specific
request - say, for a subscription to a newsletter. In this case, the operator must
notify the parent that it is communicating regularly with the child and give the
parent the opportunity to stop the communication before sending or delivering a
second communication to a child;
- an operator collects a child's name or online contact information to protect the
safety of a child who is participating on the site. In this case, the operator must
notify the parent and give him or her the opportunity to prevent further use of the
information; an operator collects a child's name or online contact information to protect the security or liability of the site or to respond to law enforcement, if necessary, and does not use it for any other purpose.
October 2001/April 2002
Come October 2001, the Commission will seek comment from interested parties to determine whether technology has progressed as expected and whether s
ecure electronic methods are widely available and affordable. Subject to the Commission's review, the sliding scale will expire in April 2002. Until then, operators are encouraged to use the more reliable methods of consent for all uses of children's personal
information.
New Notice for Consent
An operator is required to send a new notice and request for consent to parents if there
are material changes in the collection, use or disclosure practices to which the parent
had previously agreed. Take the case of the operator who got parental consent for a
child to participate in contests that require the child to submit
limited personal
information, but who now wants to offer the child chat rooms. Or, consider the case of
the operator who wants to disclose the child's information to third parties who are in
materially different lines of business from those covered by the original consent - for
example, marketers of
diet pills rather than marketers of
stuffed animals. In these cases,
the Rule requires new notice and consent.
Timing
The Rule covers all personal information collected after April 21, 2000, regardless of any
prior relationship an operator has had with a child. For example, if an operator collects
the name and email address of a child before April 21, 2000, but
plans to seek
information about the child's street address after that date, the later collection would
trigger the Rule's requirements. In addition, come April 21, 2000, if an operator
continues to offer activities that involve the
ongoing collection of information from
children - like a chat room - or begins to offer such activities for the first time, notice
and consent are required for all participating children regardless of whether the children
had already registered at the site.
Access Verification
At a parent's request, operators must disclose the general kinds of
personal information
they collect from children (for example, name, address,
telephone number, email
address, hobbies), as well as the specific information collected from children who visit
their sites. Operators must ensure they are dealing with the child's parent before they
provide access to the child's specific information. They can use
a variety of methods to
verify the parent's identity, including:
- obtaining a signed form from the parent via postal mail or facsimile;
- accepting and verifying a credit card number;
- taking calls from parents on a toll-free telephone number staffed by trained personnel;
- email accompanied by digital signature;
- email accompanied by a PIN or password obtained through one of the verification
methods above.
Revoking & Deleting
At any time, a parent may
revoke his/her consent, refuse to allow an operator to
further
use or collect their child's personal information and
direct the operator to delete the
information. In turn, the operator may
terminate any service provided to the child, but
only if the information at issue is
reasonably necessary for the child's participation in
that activity. For example, an operator may
require children to provide their email
addresses to participate in a chat room so the operator can contact a youngster if he is
misbehaving in the chat room. If, after giving consent, a parent asks the operator to
delete the child's information, the operator may refuse to allow the child to participate in
the chat room in the future. If other activities on the Web site do not require the child's
email address, the operator must allow the child access to those activities.
Safe Harbors
Industry groups or others can create
self-regulatory programs to govern
participants'
compliance with
the Children's Online Privacy Protection Rule. These
guidelines must include
independent monitoring
and
disciplinary procedures and must be submitted to the Commission for approval. The Commission
will publish the guidelines and seek public comment in considering whether to approve the guidelines.
An operator's compliance with Commission-approved self-regulatory guidelines will serve as a "
safe
harbor" in any enforcement action for violations of the Rule.
Enforcement
Once the Rule becomes effective (April 2000), the Commission may bring
enforcement actions and impose
civil penalties for violations in the same manner as for other Rules under the FTC Act. In the meantime, the
Commission also retains authority under Section 5 of the FTC Act to examine information practices in use before the Rule's effective date for deception and unfairness. In interpreting Section 5 of the FTC Act, the Commission has determined that a representation, omission
or practice is deceptive if it is likely to:
- mislead consumers; and
- affect consumers' behavior or decisions about the product or service.
Specifically, it is a
deceptive practice under Section 5 to represent that a Web site is collecting
personal identifying information from a child for one reason (say, to earn
points to redeem a
premium)
when the information will be used for another reason that a parent would find material-and when the
Web site does not disclose the other reason clearly or prominently.
In addition, an act or practice is unfair if the injury it causes, or is likely to cause, is:
For example, it is likely to be an
unfair practice in violation of
Section 5 to collect personal identifying
information from a child, such as email address, home address or phone number, and sell or otherwise
disclose that information to a third party without giving parents
adequate notice and a chance to
control the collection and use of the information.
For More Information
If you have questions about complying with the Children's Online Privacy Protection Act, visit the
FTC online at
www.ftc.gov. Click on Privacy Initiatives. Or, call the FTC's Consumer Response Center
toll-free at 1-877-FTC-HELP (382-4357), or write
Consumer Response Center, Federal Trade
Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.
Your Opportunity to Comment
The
Small Business and Agriculture Regulatory Enforcement Ombudsman and 10
Regional Fairness Boards collect comments from
small businesses about
federal enforcement actions. Each year, the
Ombudsman evaluates enforcement activities and rates each agency's responsiveness to small business. To comment on
FTC actions, call
1-888-734-3247.