• Printer friendly
  • Email this page to a friend
  • Generate a PDF version of this page

Articles & White Papers
Intellectual Property

Children's Online Privacy
 
 June 1, 2001
 
Paul F. Kilmer- Washington
James E. "Ted" Long- Boston

Enforcement Actions Commenced by FTC

On April 19, 2001, the Federal Trade Commission (FTC) charged three Web site owners with collecting personal information from children in violation of the Children's Online Privacy Protection Act (COPPA). The FTC also announced that it had accepted a second "safe harbor" program, a privately developed industry self-regulatory plan, adherence to which provides companies the assurance they are complying with COPPA.

These actions by the FTC demonstrate that the agency will be enforcing COPPA and underscore the importance of knowing and complying with the regulations that implement the legislation. Internet privacy will be a significant public policy and business issue in the coming years and many of the principles around which COPPA has been built could become compliance essentials for all companies, not just those that are geared toward children.

Compliance

Both general audience Web sites that collect personal information from children and sites devoted to serving the specific needs and interests of children may be subject to COPPA, which became effective April 21, 2000. That Act is administered by the FTC, which has issued guidelines that apply to online services directed to children age 13 and under in situations where personal information is collected.

Compliance with the Children's Online Privacy Protection Act requires the following:

1. The Web site operator must post a link to a child privacy notice on the homepage of the Web site and each area where personal information from children may be collected. That link must be clear and prominent, generally requiring use of a larger type font size or different type color on a contrasting background to make it standout from other text. A link in small print at the bottom of a Web page may not be considered sufficient.

2. The linked notice must contain the following information:

  • the name and contact information (address, telephone number and email address) of the operator of the site or, if more than one operator is collecting information from a site, contact information for all such site operators

  • an identification of the personal information collected from children (e.g., name, address, email address, hobbies, etc.) and how the information will be collected (e.g., by direct response from the child or passively through cookies)

  • in what manner the site operator will use the personal information (e.g., only to notify contest winners, to send periodic information to the child, or for marketing back to the child)

  • whether the site operator will disclose information collected from children to third parties, and, if so, the type of businesses in which those third parties are engaged and how the information will be used (including whether such third parties will maintain the information in confidence)

  • a statement that parents have the option to agree to the collection and use of the child's information solely by the site operator, without consenting to the disclosure of that information to third parties

  • a statement that the operator may not require a child to disclose more information than is reasonably necessary to participate in the activity offered through the site

  • a statement that a parent may review the child's personal information, ask to have it deleted from the site and may refuse to allow any further collection or use of the child's information. Such a notice must state the specific procedures that a parent must undertake to request the desired limitations on use of a child's personal information

3. There must be a separate "notice to parents" that must contain the same information included in point 2 above, and must notify the parent that the site operator wishes to collect personal information from the child; that the parent's consent is required for the collection, use and disclosure of the information; and a statement as to how the parent can provide his or her consent.

The Federal Trade Commission has announced that until April 2002, it will use a sliding scale to determine whether the method of obtaining parental consent is sufficient. For example, a site operator that uses information from children for internal purposes only will be held to a lower standard of obtaining parental consent (e.g., in all likelihood an email consent obtained by a delayed confirmation, such as the parent sending an email from the parent's own email address, and then confirming the parent's consent by letter or phone call). However, if the Web site operator will disclose the child's personal information to third parties, the FTC sliding scale requires:

  • obtaining a signed form from the parent via regular mail or facsimile

  • accepting and verifying a credit card number in conjunction with any transactions

  • making available a toll-free telephone number staffed by trained professionals to whom parents may give their consent, and

  • obtaining an email from a parent accompanied by a digital signature

The FTC will begin a review of its sliding scale in October 2001.

4. The regulations include several exceptions that allow Web site operators to collect a child's email address without obtaining a parent's consent in advance. These exceptions cover many popular online activities for children including contests, online newsletters, homework help and electronic postcards. Parental consent is not required when:

  • a Web site operator collects a child's or parent's email address to provide notice and seek consent to communicate with the child

  • the Web site operator collects an email address to respond to a one-time request from a child and then deletes that email address from the operator's system

  • the Web site operator collects an email address to respond more than once to a specific request, such as a request for a subscription to a newsletter, in which case the operator must notify the parent that the operator is communicating regularly with the child and give the parent the opportunity to stop the communication before sending or delivering a second such communication to the same child

  • where the Web site operator collects a child's name or online contact information to protect the child's safety, in which case the Web site operator must notify the parent and give the parent an opportunity to prevent further use of the child's information, and

  • an operator collects a child's name or online contact information to protect the security or liability of the Web site or to respond to legal process

5. If a Web site operator makes material changes in the collection, use or disclosure practices it employs on its Web site, it is required to send a new notice and request a new consent from the child's parents. For example, if a parent gave consent for a child to participate in a contest, and that child now wishes to participate in a chat room, a new notice must be sent by the Web site operator to the parent. Similarly, where the Web site operator now wishes to disclose a child's information to third parties a new notice to the parents must be sent and a new consent obtained.

6. A parent may revoke consent, refuse to allow the site operator to further use or collect their child's personal information, and direct the site operator to delete such information, at any time. If a parent revokes consent, the site operator may then terminate the child's participation in the Web site without incurring liability.

The Children's Online Privacy Protection Act contains certain "safe harbor" provisions which permit industry groups to create self-regulatory programs that require prior approval by the Federal Trade Commission.

Direct COPPA inquiries to:

Paul Kilmer
Washington, D.C.
(202) 663-7269

Ted Long
Boston
(617) 619-9296