Frequently Asked Questions
about the Children's The following FAQs are intended to supplement the compliance materials available on the FTC's website. To view the Rule and the compliance materials, go to www.ftc.gov/kidzprivacy. INDEX OF HEADINGS 1. What is the Children's Online Privacy Protection Rule? The Children's Online Privacy Protection Act (COPPA) was passed by Congress in October 1998, with a requirement that the Federal Trade Commission (FTC) issue and enforce rules concerning children's online privacy. The primary goal of the Act and the Rule is to place parents in control over what information is collected from their children online. The Rule was designed to be strong, yet flexible, to protect children while recognizing the dynamic nature of the Internet.
2. Where can I find information about COPPA? The FTC has a comprehensive website, www.ftc.gov, which has information concerning all the activities of the agency. In the upper left section of the home page is a link that says "Privacy Initiatives." If you click on that banner, you will have access to a variety of documents regarding the Children's Rule, including the proposed and final Rules, the public comments received by the Commission in the course of the rulemaking, guides for businesses and parents, safe harbor applications we've received and any public comments on those applications, notice of any cases brought under the Rule, and announcements of future activities. Materials concerning general privacy and financial privacy (including the Gramm-Leach-Bliley rulemaking) are available there as well. In addition, the FTC has set up a special web page designed for kids, parents, businesses, and educators at www.ftc.gov/kidzprivacy. In addition to providing the Rule and compliance materials for businesses and parents, this web page features online safety tips for children and other useful education resources about the Rule and online privacy in general. All educational materials on our website are also available free by calling the FTC's Consumer Response Center's toll free number at (877) FTC-HELP. 3. What do I do if I have questions about the COPPA Rule? The first thing you should do is read the educational materials available on our website www.ftc.gov and through our toll free telephone number (877) FTC-HELP. If you still have questions, you can email us at kidsprivacy@ftc.gov or contact our Consumer Response Center at toll free (877) FTC-HELP. The FTC also has an online form to file complaints or request information at the website. 4. When did COPPA and its implementing Rule go into effect? The Act and the Rule went into effect on April 21, 2000. 5. COPPA applies to "websites directed to children." What determines whether or not a website is targeted to children? The Rule sets out a number of factors in determining whether a website is targeted to children, such as its subject matter, language, whether it uses animated characters, and whether advertising appearing on the site is directed to children. The Commission will also consider empirical evidence regarding the ages of the site's visitors. These standards are very similar to those previously established for TV, radio, and print advertising. 6. Does COPPA apply to information about children collected from parents or other adults? No. COPPA and the Rule only apply to personal information collected from children, not their parents or other adults. The Rule's Statement of Basis and Purpose, however, notes that the Commission expects that operators will keep confidential any information obtained from parents in the course of obtaining parental consent or providing for parental access pursuant to COPPA. See Rule n. 213. 7. Why does COPPA apply only to children under 13? What about protecting the online privacy of teens? Young children may not understand the safety and privacy issues created by the online collection of personal information, and are therefore particularly vulnerable. Children under 13 has often been the standard for distinguishing adolescents from young children who may need special protections. As a general matter, however, the FTC encourages operators to afford teens privacy protections, given the risks inherent in the disclosure of personal information for all ages. The FTC has recommended that Congress pass legislation to ensure the fair information principles be implemented for all consumers. In the interim, websites' information practices are still subject to Section 5 of the FTC Act, which prohibits deceptive or unfair trade practices. See July 15, 1997 Staff Opinion Letter to Center for Media Education for guidance on how Section 5 applies to information practices involving children and teens. 8. Does the Rule apply to information collected prior to the its effective date? No, but if a site collects new information after the effective date of the Rule, even for existing registrants, they must comply. For example, if an operator collected a child's email address prior to April 21 and now wishes to collect the child's postal address to send a premium or prize, the operator must comply with COPPA prior to collecting the mailing address. Similarly, if a child registered at a website prior to April 21, 2000 for an online newsletter and the website invites the child to sign up for a new chat room, the fact that the child was already registered with the site does not obviate the need for the operator to comply with COPPA for purposes of enabling the child to register for the chat room. 9. Are there any protections that apply to information collected before COPPA went into effect? Yes. Although the Rule covers only information collected after its effective date, previously collected information is still subject to the protections afforded by Section 5 of the FTC Act. Thus, if an operator engaged in deceptive or unfair practices when collecting, using or disclosing information from kids, the operator could face FTC action. See Staff Opinion Letter to Center for Media Education issued July 15, 1997, outlining what would be deceptive and/or unfair practices with regard to the collection and use of children's information. 10. I know the Rule is triggered by the collection of personal information from children, but the information I collect at my site is voluntary and not mandatory. Does the Rule still apply? Yes. Whether your information collection is voluntary or mandatory, it still constitutes collection and triggers the Rule. 11. Hasn't the Children's Online Privacy Protection Act been declared unconstitutional? No. The Children's Online Privacy Protection Act (COPPA), has not been challenged and went into effect on April 21, 2000. Enforcement of the Children's Online Protection Act (COPA), which sought to regulate the dissemination of material harmful to minors on the Internet, was preliminarily enjoined by the U.S. District Court for the Eastern District of Pennsylvania, ACLU v. Reno, 31 F.Supp.2d 473 (E.D. Pa.1999). That decision was affirmed by the Third Circuit, 217 F.3d 162 (3d Cir. 2000). For information on COPA and the work of the Commission on Child Online Protection, which is studying methods and technologies to help reduce access by minors to such materials visit www.copacommission.org. 12. Will the COPPA Rule keep my child from accessing pornography? No, not directly. COPPA is meant to give parents control over the collection of their children's personal information and does not limit children's access to information publicly available on the Internet. COPPA may help keep your child off email lists. Information about COPA, which does address dissemination of pornography to minors, is available at www.copacommission.org. If you are concerned about your children accessing pornography or other inappropriate materials on the Internet, you may want to look for a filtering program or an Internet Service Provider that offers such tools. Information about such tools is available at www.getnetwise.org and www.safekids.com. 13. How will the FTC enforce the Rule? The FTC will monitor the Internet for compliance with the Rule and bring law enforcement actions where appropriate to deter violations. Parents and others can submit complaints to the FTC through our website www.ftc.gov and our toll-free number (877) FTC-HELP. We will also investigate referrals from consumer groups, industry, and approved safe harbor programs, as appropriate. 14. What are the penalties for violating the Rule? Website operators who violate the Rule could be liable for civil penalties of up to $11,000 per violation. The level of penalties assessed may turn on a number of factors including egregiousness of the violation, e.g., the number of children involved, the amount and type of personal information collected, how the information was used, whether it was shared with third parties and the size of the company. 15. Do the states or other government agencies have jurisdiction over this issue? Yes. COPPA also gives states and certain federal agencies authority to enforce compliance with the Act with respect to entities in their jurisdiction. For example, the Office of the Comptroller of the Currency will handle compliance by national banks and the Department of Transportation will handle air carriers. 16. Have any cases ever been brought for deceptive collection of online information from children? Yes. Even prior to COPPA, the FTC brought enforcement actions in this area under Section 5 of the FTC Act. In the agency's first Internet privacy case, Geocities agreed to settle charges of deceptively collecting personal information from children and adults. Geocities, FTC Dkt. No. C-3849 (Feb. 12, 1999). The Liberty Financial case involved the "Young Investors" website which deceptively promised to maintain only anonymous information from children and teens. Liberty Financial Companies, Inc., FTC Dkt. No. C-3891 (Aug. 12, 1999). In Toysmart, the FTC alleges that the defendants collected personal information from children without obtaining prior parental consent in violation of COPPA, 16 C.F.R. § 312.5(c)(2). FTC. v. Toysmart.com LLC and Toysmart.com, Inc., No. 00-11341-RGS, (D. Mass. filed July 10, 2000, amended July 21, 2000). Commission cases are available on its website via the Privacy Initiatives link from the home page or via its search engine. 17. What do I do if my site isn't in compliance with the Rule? If you are not collecting any personal information from children, then you are not subject to the Rule. So the quickest thing to do until you can get your site into compliance is to stop collecting personal information from children under 13. In fact, many sites that we have talked to have realized that collection of such information is not necessary. Then, review your website, your privacy policy, and the Rule carefully. The materials on the Commission's website can provide you with helpful guidance. Take a close look at: what information you collect; how you collect it; how you use it; whether the information you seek to collect is necessary for the activities on your site; whether you have adequate mechanisms for providing parents with notice and obtaining consent; and whether you have adequate methods for parents to review their children's information and for verifying that the people requesting access to kids' information really are their parents. 18. Are websites run by nonprofit entities subject to the Rule? The Act and the Rule expressly state that they apply to commercial websites and not to nonprofits that would otherwise be exempt from coverage under Section 5 of the FTC Act. Thus, in general, most non-profits are not subject to the Rule. However, nonprofits that operate for the profit of their for-profit members may be subject to the Rule. See FTC v. California Dental Association 526 U.S. 756 (1999), for additional guidance on when nonprofits are subject to FTC jurisdiction. Although true nonprofits are not subject to COPPA, we encourage them to set an example by posting privacy policies and providing the protections set forth in COPPA to children providing personal information at their sites. 19. Does COPPA apply to websites operated by the Federal Government? It is federal policy that all Federal websites and contractors when operating on behalf of agencies comply with the standards set forth in COPPA. See www.whitehouse.gov/OMB/memoranda/m00-13.html 20. The Internet is truly a global medium. Do websites set up and run abroad have to comply with the Rule? Yes. Foreign-run websites must comply with COPPA if they are directed to children in the U.S. or knowingly collect information from children in the U.S. For example, foreign-run kid-oriented websites would be subject to COPPA if they advertised in offline media in the U.S. or on popular U.S. websites. The Rule's definition of an "operator" - who is subject to the Act - includes foreign websites that are involved in commerce in the United States or its territories. PRIVACY POLICIES AND NOTICE TO THE PARENT 21. My site does not collect any personally identifiable information. Do I still need to post a privacy policy? No. COPPA only applies to those websites that collect personal information from children. However, the FTC recommends that all websites post privacy policies, so visitors have an easily recognizable place to go to find out about the operator's information practices. Surveys show that most parents are uncomfortable with their children giving out any personal information on the Internet, so as a practical matter, parents will be pleased to read your privacy policy and find out quickly that you do not collect personally identifiable information. 22. What information must I include in my privacy policy and in the direct notice to parents? The Rule identifies the information that must be disclosed in the privacy policy and in the direct notice - the notice sent directly to the parent. See §312.4(b) for information regarding the content of the privacy policy and §312.4(c) for information regarding the content of the direct notice to the parent. Remember, that in addition to including the content required in the privacy policy, the direct notice to parents needs to tell the parent that you wish to collect personal information from the child, that consent is required for you to do so, and how the parent may provide consent. The Rule also requires that the privacy policy be posted clearly and prominently on the home page and that a hyperlink to the policy be provided at each area where personal information is collected. 23. Do I have to disclose my use of cookies, GUIDS, IP addresses, or the use of other passive information collection technology? Yes, when such information is combined with "personal information." The Rule defines personal information to include individually identifiable information about an individual collected online, including any persistent identifier that is tied to identifying information. Where such passive forms of information collection are tied to identifying information, including a persistent identifier that can be used to identify, contact, or locate an individual, then it is considered personal information under the Rule. 24. Can I include in my privacy policy materials promoting products, services, and/or websites of mine and my partners? No. The Rule requires that privacy policies must be "clearly and understandably written, be complete, and contain no unrelated, confusing, or contradictory materials." See §312.4(a). The more complicated and confusing a policy is, the more likely it will be that parents won't understand or even read the policy. And remember, parents who find your policy confusing or difficult to comprehend may be less likely to grant you consent. 25. I run a general audience site, but I offer a specific children's section. Is it acceptable for me to structure my privacy policy so that information about my children's practices and non-children's practices are mixed in together, or do I have to have a separate privacy policy about my practices with respect to children? In the commentary of the Final Rule, the Commission noted that "[o]perators are free to combine the privacy policies into one document, as long as the link for the children's policy takes visitors directly to the point in the document where the operator's policies with respect to children are discussed, or it is clearly disclosed at the top of the statement that there is a specific section discussing the operator's information practices with respect to children." 64 Fed. Reg. 59894 at n.98. In addition, the link for the privacy policy pertaining to the children's area must appear on the home page of the children's area and at each area where personal information is collected from children. Sites may also wish to post it as part of their general privacy policy. 26. Is it okay for the link to my privacy policy to be at the very bottom of my home page? As long as the link is "clear and prominent" it is okay to have it at the bottom of the home page. The Rule requires that the link to your privacy policy "be placed in a clear and prominent place and manner on the home page of the website or online service" and at each area where children provide, or are asked to provide, personal information. See §§312.4(b)(1)(ii) and (iii). In its explanation of this requirement, the Commission noted that "'[c]lear and prominent' means that the link must stand out and be noticeable to the site's visitors through use, for example, of a larger font size in a different color on a contrasting background. The Commission does not consider 'clear and prominent' a link that is in small print at the bottom of the page, or a link that is indistinguishable from a number of other, adjacent links." 64 Fed. Reg. 59894. 27. When I send the notice to parents, can I simply email them a link to the privacy policy? Yes. You may send your direct notice to parents via email, and you may include in that email a link to your privacy policy. Remember that the direct notice to the parent also needs to tell the parents that you wish to collect personal information from the child, that the parent's consent is required for you to do so, and how the parent may provide consent. It is also important to remember that the notices must not contain unrelated, confusing, or contradictory information. For example, your notice to parents may not include so much additional information that the message about needing consent or the link to the privacy policy is obscured. 28. Do I have to list the names, addresses, phone numbers, etc. of all of the operators at my site? This will make my privacy policy very long and confusing. Under the Rule, if there are multiple operators collecting information through your site, you may list the name, address, phone number, and email address of one operator who will respond to all inquiries from parents regarding all of the operators' privacy policies and uses of children's information, as long as the names of all the operators are also listed in the notice. See §312.4(b)(2)(i). If you wish to list the contact information of all the operators but still keep your privacy policy and notice simple, you can include a link in the privacy policy or notice to the list of operators. Just make sure that when you send the notice to parents to request consent, they can access that list. 29. When do I have to get verifiable parental consent? The general rule is that an operator must obtain verifiable parental consent before collecting personal information from a child unless the collection fits into one of the exceptions for the collection of online contact information. As described below, the method for obtaining such consent will vary with the use of the information. 30. Can I first collect information from children and then get consent from parents as long as I don't use the information until I get consent? In most cases, no. COPPA clearly states that operators must get verifiable parental consent before collecting personal information from children under 13. There are several exceptions to this requirement which allow an operator:
All of these exceptions are described in §312.5(c) of the Rule. 31. I collect personal information from children on my website but I only use it for internal purposes and never give it to third parties. Do I still need to get parental consent before collecting that information? Yes, unless the information collection fits within one of the Rule's limited exceptions. If you are only using the information internally, and do not make it publicly available through such activities as chat rooms or bulletin boards, then you can get parental consent through the Rule's "email plus" methods until April 2002 See §312.5(b)(2) and below. 32. How do I get parental consent? You can use one or more of a number of methods of obtaining parental consent. Until April 2002, the methods you may use will depend on how you use the information you collect. If you are going to use the information only for internal purposes, that is, you will not be giving the information to third parties or making it publicly available through such activities as chat rooms or bulletin boards, then you can use what is being called the "email plus" method of obtaining consent. You may send an email to the parent containing the required notice, and request that the parent provide consent by responding in an email - as long as you take some additional, confirmatory step after receiving the parent's email. For example, after a reasonable time delay, you can send another email to the parent to confirm consent and let the parent know that he or she can revoke the consent if they wish. You may also request in your initial email that the parent include a phone number or mailing address in his or her reply so that you can follow up to confirm via telephone or postal mail. If you are going to disclose children's information to third parties or make it publicly available through such activities as a chat room, message board, personal home page, pen pal service, or email service, then you must use the most reliable methods available to obtain parental consent. You can: provide a form for the parent to sign and mail or fax back to you; ask a parent to use a credit card in connection with a transaction (perhaps a fee just to cover the cost of processing the credit card); maintain a toll-free telephone number staffed by trained personnel for parents to call in their consent, or you can accept emails from parents where those emails contain a digital signature or other digital certificate that uses public key technology. 33. Am I required to obtain prior parental consent if I collect the personal information through software that is downloaded from my website or from a CD-ROM that I sell at retail outlets? If personal information is collected by or through any website or online service, such collection would be covered by COPPA regardless of how the collection was initiated. For example, if children to your site are invited to download software that tracks their online activities and the information sent back to the website is personal information as defined under the Rule, then such collection would require prior parental consent. It is important to note, however, that where the information collection does not take place on the Internet, it is not subject to COPPA, but such collection would still be subject to Section 5 of the FTC Act, which prohibits deceptive or unfair trade practices. 34. I would like to get consent by collecting a credit card number from the parent, but I don't want to charge a fee. Is this ok? Not unless the card issuer is willing to verify the card number without a transaction. The verifiability of the credit card transaction comes from the card issuer's verification that the number is from a real credit card. Most credit card companies have told us that they do not approve of using credit card numbers without a transaction, and some say they won't verify numbers in the absence of a transaction. Website operators should check with the credit card companies first; if they are willing to work with you to verify a credit card without completing a transaction, then you may use this method of obtaining consent. 35. What do I do if some parents cannot or will not use the consent method I've chosen? For example, some parents can't use email consent because they don't have an email account. Other parents do not have credit cards or do not like to give out credit card numbers on the Internet. We recommend that operators have a readily available backup method of providing consent for those parents who cannot or will not use your primary consent mechanism. One practical backup method to use is the print-and-send form. This method makes it easy for parents without access to email or a credit card to provide consent. 36. Should I give out passwords or PIN numbers to parents to confirm their identity in any future contact with them? Yes. This is a good way to confirm a parent's identity for future contacts. Remember that if, after obtaining consent from a parent, you change your information practices in a material way, you will have to send a new notice to the parent and obtain consent all over again. If you have given the parent a password in your initial consent process, then getting new consent will be much easier. In addition, COPPA requires you to give parents access to any information you have collected from their children. Before you give out that information, you will need to confirm that the person requesting the information really is the child's parent. Again, giving the parent a password during the initial consent process makes it easier to confirm the identity of that parent if access is later requested. 37. I know that I must allow parents to consent to my collection and use of their children's information, while giving them the option of prohibiting me from disclosing that information to third parties. Does that mean that if I have chat rooms or bulletin boards, I have to offer "choice" about those as well? No. If chat or bulletin boards are bundled together with other online activities, you don't have to offer parents choice regarding the collection of personal information necessary for chat or the bulletin board; but prior parental consent is still required before permitting children to participate in chat rooms or bulletin boards that enable a child to make their personal information publicly available. The Rule only requires parental choice as to disclosures to third parties. There are many parents, however, who do not want their children participating in unmonitored chat rooms or bulletin boards because they can raise safety concerns. Those parents may not give consent for their child to provide personal information for participation in other site activities if the activities are bundled together with chat and bulletin boards. Therefore, while not required, sites may wish to offer parents a broader range of choices in order to address their concerns. GENERAL AUDIENCE AND TEEN SITES 38. I operate a general audience site and don't ask visitors to reveal their ages. However, I do have a number of chat rooms. (a) What happens if a child visits my site and posts personal information in a chat room but doesn't reveal his age? The Rule is not triggered. It applies to general audience websites if they have actual knowledge that a particular visitor is a child. If such a site knows that a particular visitor is a child, then the Rule must be followed with respect to that child. If a child posts personal information on a general audience site, but doesn't reveal his or her age and you have no other information that would lead you to know that the visitor is a child, then you would not have "actual knowledge" under the Rule and would not be subject to its requirements. Collecting a child's age, however, does provide "actual knowledge." (b) What happens if a child visits my chat room and announces his or her age? If your site has a chat room and no one in your organization sees or is alerted to the post, then you do not have the requisite actual knowledge under the Rule. You may be considered to have actual knowledge with respect to that child: (1) if someone from your operations sees the post in a chat room; or (2) if someone alerts you to the post. At that point, you should delete any personal information that has been posted and either ask the child for a parent's email address for purposes of providing notice and obtaining consent to future postings, or take reasonable steps to block that child from returning to the chat area of the site, whether through screen name blocking, a cookie, or some other means. If you have monitored chat rooms where the monitors can delete information from posts before they are made public, then your monitors can simply strip the child's posts of any personal information before they are publicly posted, thus permitting children to participate in the chat room without the need for obtaining parental consent. This practice is easily applied to "auditorium" style chat in which children pose questions which are screened to a moderator or guest celebrity. 39. I have a website that targets teens. How does COPPA affect my practices? Although your site targets teens, you may still attract a substantial number of children protected by COPPA. The Commission has urged all sites to provide fair information practices for all consumers, so personal information collected from even your older children should be given such protections. At a minimum, however, you should identify which visitors are under 13 -- for example, simply ask age (or birth year) when you invite visitors to provide personal information or to create their log-in user ID. Most importantly, ask age in such a way as not to invite falsification. You can also use a session cookie to prevent children from back clicking to change their age once they realize that parental consent is required to collect their information for the activity. Once you identify those under 13, you have a number of options. First, you can collect their parent's email address to provide direct notice and implement the COPPA parental consent requirements; or, if you are only collecting an email address, it may fall within one of the email exceptions to prior parental consent. (Note that several of the email exceptions do require that you provide notice to the parent and an opportunity to opt-out.) Alternatively, if you do not wish to implement the COPPA protections for your younger visitors, then your data system could be configured to automatically delete the personal information of those visitors under 13, and simply direct those children to content that does not involve information collection. It is very important to design your information collection in such a way that children are not encouraged to provide a false age. For example, if the log-in registration only permits the visitor to enter birth years starting with age 13, children may be encouraged to falsify their ages. In addition, telling visitors that children under 13 should not provide their information or that they must ask their parents first, may only encourage children to provide their information. If your site does not invite falsification, however, then it will not be responsible if a child misstates his or her age. 40. Can I block children under 13 from my site? Blocking all children under 13 from accessing your site is not in the spirit of COPPA and probably not good business in the long run. Many sites have found creative ways both to provide rich content for children and comply with COPPA: (1) offering activities that do not require personal information; (2) using screen names to personalize activities on the site; (3) using the email exceptions to prior parental consent (see below) ; and (4) limiting the collection of personal information to only those activities that require it, e.g., collecting the parent's and child's email address to ensure safety of the child participating in a chat room. 41. I operate a general audience site and don't ask visitors to reveal their ages. I do have a button that users can click to send feedback, comments, or questions by email. What are my responsibilities if I get an email that says, "Hi, I am Steve, age 10, and I really like your site. When do you think you will add some more games?" Under the Rule's one-time contact exception, you can reply to the child (once) without sending notice to the parent or obtaining prior parental consent as long as you do not re-contact the child and you delete the personal information from your records. EXCEPTIONS TO PRIOR PARENTAL CONSENT 42. I want to have a contest on my site. Can I use the one-time contact exception to prior parental consent? Yes, as long as you only collect children's email addresses to enter them in the contest and only contact them to notify them of the winner(s). However, if you will be contacting the child more than once, then you will have to use the multiple-contact "notice and opt out" exception. In either case, you must delete those email addresses as soon as the contest ends. In addition, the Rule prohibits operators from using the email addresses for any other purpose and requires them to ensure the security of this information, which is particularly important if the contest runs for any length of time. If you wish to collect any information from children online beyond an email address in connection with contest entries - for example a home address to mail a prize - you must provide parental notice and obtain prior parental consent (opt-in) as you would for any other type of personal information collection. You may ask the child to provide the parent's email address to notify the parent if the child wins. In the prize notification email, you can ask the parent to provide the home mailing address to ship the prize, or invite the parent to call a telephone number to provide the mailing information. Remember, the exception to prior parental consent only applies to collection of an email address, and in the case of providing notice or to ensure the safety of a child participating at the site in an activity such as chat, you can also collect the child's name. All other personal information collection will require prior parental consent. 43. I have a site that has an "Ask the Author" corner where kids can send questions via email to featured authors. Do I need to provide notice and obtain parental consent? No. This feature will likely fall under the one-time contact exception. If your site simply sends children's email to the author and doesn't maintain or store them in any form, then you fall into the one-time contact exception and do not need to obtain parental consent. 44. I want to offer electronic post cards. Can I take advantage of one of the email exceptions? Yes, if you design your system to either delete the email address immediately after the e-card is sent (a one time exception) or, if you retain the email address for a period of time, you must give parents notice and opportunity to opt-out. See Rule n.222. 45. Do I have to keep all information I've collected from children in case a parent may want to see it in the future? No. As we noted in the discussion on the Final Rule, "if a parent seeks to review his child's personal information after the operator has deleted it, the operator may simply reply that it no longer has any information concerning that child." 64 Fed. Reg. 59904. 46. What if, despite all my most careful efforts, I mistakenly give out a child's personal information to someone who isn't that child's parent or guardian? Under the Rule, if you act in good faith and follow reasonable procedures to verify the identity of someone seeking access to a child's information, then you will not be liable under any Federal or State law if you mistakenly give out a child's information. See §312.6(b). Acceptable verification methods for access include obtaining parental consent by mail, a toll- free number staffed by trained personnel, a credit card in conjunction with a transaction, digital signatures, and use of an email accompanied by a PIN number or password obtained through one of the verification methods listed above. 46. If a parent revokes his or her consent, can an operator maintain the child's email address so that it can prevent the child from contacting or registering at the site in the future? Yes, where a parent requests that their child be blocked from providing personal information in the future, the site can obtain the parent's express authorization to retain an email address for such purpose. Otherwise, the Rule does not permit the operator to maintain email addresses collected from children for a "Do Not Contact List." Rather, the site is free to begin the notice and consent process anew if the child returns to the site and registers for an activity. REQUIREMENT TO LIMIT INFORMATION COLLECTION 47. I know that I can't condition a child's participation in a game or the offering of a prize on the child giving out more information than is reasonably necessary to participate in those activities, but does that limitation apply to other activities? Yes. The relevant rule provision is: "An operator is prohibited from conditioning a child's participation in a game, the offering of a prize, or another activity on the child's disclosing more information than is reasonably necessary to participate in such activity." See §312.7. Therefore, you must be careful to examine the information you collect in connection with each activity you offer on your site to ensure that you are only collecting information that is reasonably necessary to participate in that activity. 48. If I operate a chat room and a parent revokes their consent to my maintaining the child and parent's email addresses, can I block that child from my chat room? Yes. If a parent revokes their consent and directs you to delete the personal information you had collected that was necessary for the activity, you may terminate that service. See §312.6(c). If your site has activities for which such information collection is not required, however, then you should allow the child to continue to participate in those activities. 49. How can organizations with self-regulatory guidelines qualify for safe harbor treatment? The organization must submit its guidelines to the FTC for approval. The Commission will publish submitted guidelines for public comment and then make a determination whether the guidelines meet the criteria set forth in the Rule. The key criteria are that the guidelines (1) provide "substantially similar requirements that provide the same or greater protections" as those in the Rule, and (2) include effective mechanisms for independent assessment of operators' compliance with the guidelines and for enforcement of the guidelines. 50. What should I do if I am interested in submitting my self-regulatory program to the FTC for approval under the safe harbor provisions? Information about applying for FTC certification of a safe harbor program is provided in §312.10 of the Rule and at our website at www.ftc.gov/privacy/safeharbor/shp.htm. In addition, you may call (202) 326-3090, and you will be connected to someone who can help you with your questions. 51. How can I learn about what safe harbor programs have been approved under the Rule? Applications for safe harbor status are posted on the FTC website, along with the comments on the application. The Commission has 180 days to issue a decision on an application. The applications and comments are available at www.ftc.gov/privacy/safeharbor/shp.htm. The Commission's decisions on these submissions will be announced in the Federal Register and on the FTC website. 52. Will the Rule limit children's use of the Internet in schools and libraries? No, the Rule does not limit children's access to information or ability to surf. Rather, it sets forth protections with respect to the personal information collected from children by commercial operators. 53. What role can schools play? The Rule notes that COPPA does not preclude schools from acting as intermediaries in the notice and consent process, or from serving as agents of parents. Where a school has an agency relationship with an operator that explicitly authorizes information collection, the Rule allows the operator to presume parental consent. Schools can also help to educate students and parents about online privacy issues and safe surfing practices. The FTC is currently working with the Department of Education to develop educational materials on COPPA for teachers and school administrators. |