How to Comply With
The Children's Online Privacy Protection Rule
Kidz
Privacy website
The Children's
Online Privacy Protection Act, effective April 21, 2000, applies to the
online collection of personal information from children under 13. The new
rules spell out what a Web site operator must include in a privacy policy,
when and how to seek verifiable consent from a parent and what
responsibilities an operator has to protect children's privacy and safety
online.
The Federal Trade Commission
staff prepared this guide to help you comply with the new requirements for
protecting children's privacy online and understand the FTC's enforcement
authority.
Who Must Comply
If you operate a commercial Web
site or an online service directed to children under 13 that collects
personal information from children or if you operate a
general audience Web site and have actual knowledge that you are
collecting personal information from children, you must comply with the
Children's Online Privacy Protection Act.
To determine whether a Web
site is directed to children, the FTC considers several factors,
including the subject matter; visual or audio content; the age of models
on the site; language; whether advertising on the Web site is directed
to children; information regarding the age of the actual or intended
audience; and whether a site uses animated characters or other
child-oriented features.
To determine whether an
entity is an "operator" with respect to information collected
at a site, the FTC will consider who owns and controls the information;
who pays for the collection and maintenance of the information; what the
pre-existing contractual relationships are in connection with the
information; and what role the Web site plays in collecting or
maintaining the information.
Personal Information
The Children's Online Privacy
Protection Act and Rule apply to individually identifiable information about
a child that is collected online, such as full name, home address, email
address, telephone number or any other information that would allow someone
to identify or contact the child. The Act and Rule also cover other types of
information -- for example, hobbies, interests and information collected
through cookies or other types of tracking mechanisms -- when they are tied
to individually identifiable information.
Basic Provisions
Privacy Notice
Placement
An operator must post a link to
a notice of its information practices on the home page of its Web site or
online service and at each area where it collects personal
information from children. An operator of a general audience site with a
separate children's area must post a link to its notice on the home page of
the children's area.
The link to the privacy notice
must be clear and prominent. Operators may want to use a larger font size or
a different color type on a contrasting background to make it stand out. A
link in small print at the bottom of the page -- or a link that is
indistinguishable from other links on your site -- is not considered clear
and prominent.
Content
The notice must be clearly
written and understandable; it should not include any unrelated or confusing
materials. It must state the following information:
The name and contact
information (address, telephone number and email address) of all
operators collecting or maintaining children's personal information
through the Web site or online service. If more than one operator is
collecting information at the site, the site may select and provide
contact information for only one operator who will respond to all
inquiries from parents about the site's privacy policies. Still, the
names of all the operators must be listed in the notice.
The kinds of personal
information collected from children (for example, name, address, email
address, hobbies, etc.) and how the information is collected -- directly
from the child or passively, say, through cookies.
How the operator uses the
personal information. For example, is it for marketing back to the
child? Notifying contest winners? Allowing the child to make the
information publicly available through a chat room?
Whether the operator
discloses information collected from children to third parties. If so,
the operator also must disclose the kinds of businesses in which the
third parties are engaged; the general purposes for which the
information is used; and whether the third parties have agreed to
maintain the confidentiality and security of the information.
That the parent has the
option to agree to the collection and use of the child's information
without consenting to the disclosure of the information to third
parties.
That the operator may not
require a child to disclose more information than is reasonably
necessary to participate in an activity as a condition of participation.
That the parent can review
the child's personal information, ask to have it deleted and refuse to
allow any further collection or use of the child's information. The
notice also must state the procedures for the parent to follow.
Direct Notice to Parents
Content
The notice to parents must
contain the same information included on the notice on the Web site. In
addition, an operator must notify a parent that it wishes to collect
personal information from the child; that the parent's consent is required
for the collection, use and disclosure of the information; and how the
parent can provide consent. The notice to parents must be written clearly
and understandably, and must not contain any unrelated or confusing
information. An operator may use any one of a number of methods to notify a
parent, including sending an email message to the parent or a notice by
postal mail.
Verifiable Parental Consent
Before collecting, using or
disclosing personal information from a child, an operator must obtain
verifiable parental consent from the child's parent. This means an operator
must make reasonable efforts (taking into consideration available
technology) to ensure that before personal information is collected from a
child, a parent of the child receives notice of the operator's information
practices and consents to those practices.
Until April 2002, the FTC will
use a sliding scale approach to parental consent in which the
required method of consent will vary based on how the operator uses the
child's personal information. That is, if the operator uses the information
for internal purposes, a less rigorous method of consent is
required. If the operator discloses the information to others, the
situation presents greater dangers to children, and a more reliable method
of consent is required. The sliding scale approach will sunset in April 2002
subject to a Commission review planned for October 2001.
Internal Uses
Operators may use email
to get parental consent for all internal uses of personal information, such
as marketing back to a child based on his or her preferences or
communicating promotional updates about site content, as long as they take
additional steps to increase the likelihood that the parent has, in fact,
provided the consent. For example, operators might seek confirmation from a
parent in a delayed confirmatory email, or confirm the parent's consent by
letter or phone call.
Public Disclosures
When operators want to disclose
a child's personal information to third parties or make it publicly
available (for example, through a chat room or message board), the sliding scale
requires them to use a more reliable method of consent, including:
getting a signed form from
the parent via postal mail or facsimile;
accepting and verifying a
credit card number in connection with a transaction;
taking calls from parents,
through a toll-free telephone number staffed by trained personnel;
email accompanied by
digital signature;
But in the case of a monitored
chat room, if all individually identifiable information is stripped from
postings before it is made public -- and the information is deleted from the
operator's records -- an operator does not have to get prior parental
consent.
Disclosures to Third
Parties
An operator must give a parent
the option to agree to the collection and use of the child's personal
information without agreeing to the disclosure of the information to third
parties. However, when a parent agrees to the collection and use of their
child's personal information, the operator may release that information to
others who uses it solely to provide support for the internal operations of
the website or service, including technical support and order fulfillment.
Exceptions
The regulations include several
exceptions that allow operators to collect a child's email address without
getting the parent's consent in advance. These exceptions cover many popular
online activities for kids, including contests, online
newsletters, homework help and electronic postcards.
Prior parental consent is not
required when:
an operator collects a
child's or parent's email address to provide notice and seek consent;
an operator collects an
email address to respond to a one-time
request from a child and then deletes it;
an operator collects an
email address to respond more than once to a
specific request -- say, for a subscription to a newsletter. In
this case, the operator must notify the parent that it is communicating
regularly with the child and give the parent the opportunity to stop the
communication before sending or delivering a second communication to a
child;
an operator collects a
child's name or online contact information to protect the safety of a
child who is participating on the site. In this case, the operator must
notify the parent and give him or her the opportunity to prevent further
use of the information;
an operator collects a
child's name or online contact information to protect the security or
liability of the site or to respond to law enforcement, if necessary,
and does not use it for any other purpose.
October 2001/April 2002
In October 2001, the Commission
will seek public comment to determine whether technology has progressed and
whether secure electronic methods for obtaining verifiable parental consent
are widely available and affordable. Subject to the Commission's review, the
sliding scale will expire in April 2002. Until then, operators are
encouraged to use the more reliable methods of consent for all uses of
children's personal information.
New Notice for Consent
An operator is required to send
a new notice and request for consent
to parents if there are material changes in the collection, use or
disclosure practices to which the parent had previously agreed. Take the
case of the operator who got parental consent for a child to participate in
contests that require the child to submit limited personal information, but
who now wants to offer the child chat rooms. Or, consider the case of the
operator who wants to disclose the child's information to third parties who
are in materially different lines of business from those covered by the
original consent -- for example, marketers of diet pills rather than
marketers of stuffed animals. In these cases, the Rule requires new notice
and consent.
Access Verification
At a parent's request, operators
must disclose the general kinds of personal information they collect online
from children (for example, name, address, telephone number, email address,
hobbies), as well as the specific information collected from children who
visit their sites. Operators must use reasonable procedures to ensure they
are dealing with the child's parent before they provide access to the
child's specific information.
They can use a variety of
methods to verify the parent's identity, including:
obtaining a signed form
from the parent via postal mail or facsimile;
accepting and verifying a
credit card number;
taking calls from parents
on a toll-free telephone number staffed by trained personnel;
email accompanied by
digital signature;
email accompanied by a PIN
or password obtained through one of the verification methods above.
Operators who follow one of
these procedures acting in good faith to a request for parental access are
protected from liability under federal and state law for inadvertent
disclosures of a child's information to someone who purports to be a parent.
Revoking & Deleting
At any time, a parent may revoke
his/her consent, refuse to allow an operator to further use or collect their
child's personal information, and direct the operator to delete the
information. In turn, the operator may terminate any service provided to the
child, but only if the information at issue is reasonably necessary for the
child's participation in that activity. For example, an operator may require
children to provide their email addresses to participate in a chat room so
the operator can contact a youngster if he is misbehaving in the chat room.
If, after giving consent, a parent asks the operator to delete the child's
information, the operator may refuse to allow the child to participate in
the chat room in the future. If other activities on the Web site do not
require the child's email address, the operator must allow the child access
to those activities.
Timing
The Rule covers all personal
information collected after April 21, 2000, regardless of any prior
relationship an operator has had with a child. For example, if an operator
collects the name and email address of a child before April 21, 2000, but
plans to seek information about the child's street address after that date,
the later collection would trigger the Rule's requirements. In addition,
come April 21, 2000, if an operator continues to offer activities that
involve the ongoing collection of information from children -- like a chat
room -- or begins to offer such activities for the first time, notice and
consent are required for all participating children regardless of whether
the children had already registered at the site.
Safe Harbors
Industry groups or others can
create self-regulatory programs to govern participants' compliance with the Children's
Online Privacy Protection Rule [PDF]. These guidelines
must include independent monitoring and disciplinary procedures and must be
submitted to the Commission for approval. The Commission will publish the
guidelines and seek public comment in considering whether to approve the
guidelines. An operator's compliance with Commission-approved
self-regulatory guidelines will generally serve as a Asafe harbor" in
any enforcement action for violations of the Rule.
Enforcement
The Commission may bring
enforcement actions and impose civil penalties for violations of the Rule in
the same manner as for other Rules under the FTC Act. The Commission also
retains authority under Section 5 of the FTC Act to examine information
practices for deception and unfairness, including those in use before the
Rule's effective date. In interpreting Section 5 of the FTC Act, the
Commission has determined that a representation, omission or practice is deceptive
if it is likely to:
Specifically, it is a deceptive
practice under Section 5 to represent that a Web site is collecting personal
identifying information from a child for one reason (say, to earn points to
redeem a premium) when the information will be used for another reason that
a parent would find material -- and when the Web site does not disclose the
other reason clearly or prominently.
In addition, an act or practice
is unfair if the injury it causes, or is likely to cause, is:
For example, it is likely to be
an unfair practice in violation of Section 5 to collect personal identifying
information from a child, such as email address, home address or phone
number, and disclose that information to a third party without giving
parents adequate notice and a chance to control the collection and use of
the information.
For More Information
If you have questions about the Children's Online Privacy Protection Rule
[PDF], visit the FTC
online at www.ftc.gov/kidzprivacy.
You also may call the FTC's Consumer Response Center toll-free at
1-877-FTC-HELP (382-4357), or write Consumer Response Center, Federal Trade
Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.
Your Opportunity to
Comment
The National
Small Business Ombudsman and 10 Regional Fairness Boards collect
comments from small businesses about federal compliance and
enforcement activities. Each year, the Ombudsman evaluates the
conduct of these activities and rates each agency's responsiveness
to small businesses. Small businesses can comment to the Ombudsman
without fear of reprisal. To comment, call toll-free 1-888-REGFAIR
(1-888-734-3247) or go to www.sba.gov/ombudsman.
November 1999 |