Contact Us

New FTC Rules for Children's Web Sites Go Into Effect On April 21, 2000
(May, 2000)
Introduction
The Children's Online Privacy Protection Act (COPPA) took effect on April 21, 2000. If your Web site, or any part of your Web site, is directed toward children, I strongly recommend you consider its implications. If you don't, you could face stiff penalties. These new federal regulations, which seek to protect children's online privacy, apply to all commercial Web sites and online services which are either
(1) directed at children and collect personal information from children under age 13
(2) maintained by Web site operators who have "actual knowledge" that personal information is being collected from children under the age of 13. COPPA, however, does not place any particular burden on you to affirmatively confirm that you are dealing with an adult. Thus, if you operate a Web site geared to adult audiences, and not children, COPPA applies only if you have actual knowledge that you're collecting personal information from children under the age of 13 or if a portion of your Web site is specifically targeted to children. To comply with the new regulations, which are discussed in more detail below, online service providers and Web site operators must:

1. post prominent links on the Web site to a notice describing how the site collects, uses, and discloses personal information directly or indirectly from children;

2. notify parents and obtain verifiable parental consent before collecting, using, or disclosing a child's personal information;

3. allow a child to participate with minimal information collection and must not condition a child's participation on such a child providing more personal information than is "reasonably necessary" to participate in the online activity; and

4. enable parents to: (1) review the information collected about their children, (2) delete such information from the database, and (2) prohibit future information collection; and

What Constitutes the Collection Of Information?

Let's start with "collecting information." According to he FTC, the collection of information encompasses the many ways a Web site can gather information from children. This includes "the direct or passive gathering of any personal information from a child by any means. . ." and includes "[a]ny online request for personal information" by the Web site "regardless of how that personal information is transmitted" to the Web site. Thus, under COPPA you are "collecting information" not only if you directly ask a child to fill out an online information form, but also if your Web site offers a chat room, message board, or other public posting of personal information. You are also "collecting information" if your Web site utilizes passive or automated tracking software, such as cookies.

What is Personal Information?

Although the COPPA applies only to the collection of "personal information" concerning children, it defines "personal information" broadly. "Personal information" includes any information which can be used to identify a child or to permit direct physical or online contact with a child. In addition to a child's first name, last name, mailing address, home address, telephone number, e-mail address, and social security number, COPPA covers any identifier which can be combined with other information to identify or contact a child.

Information Previously-Collected.

COPPA only applies to personal information collected from children on or after April 21, 2000, even if the personal information had been previously collected. However, where the online activity involves the ongoing collection of information (as is the case where a Web site offers a chat room), COPPA requires prior parental consent for all children participating as of April 21, 2000. Parental consent therefore should have been obtained before the effective date.

How Does A Web Site Comply With COPPA?

Posting Privacy Policies.

Web sites covered by COPPA must post a "clear and prominent" link to a children's privacy policy (personal information collection practices) not only on the Web site's home page, but also on all other pages which collect personal information from children. A children's privacy policy may be part of a general privacy policy, only if it includes the name and contact information of the web site operator(s) for parents and a description of the following:

  • information collected (e.g. name, address, e-mail, interests,
    hobbies, etc).

  • information collected (e.g. name, address, e-mail, interests, hobbies, etc).

  • how the information is collected (passively through cookies or directly from the child).

  • how the information collected is used (marketing back to the child, notifying contest winners, etc).

  • whether the Web site discloses the information collected to third parties, and if so, the terms under which such information may be disclosed to third parties, the kinds of businesses in which the third parties are engaged; how the information is used; and whether the third parties have agreed to maintain the confidentiality and security of the information.

  • procedures for how parents can: (a) to limit access by third parties; (b) review the child's personal information, (c) ask to have it deleted, and (d) refuse to allow any further collection or use of the child's information.
  • statements affirming the child's right to participate without providing unnecessary information and the parents right to review and restrict access to the information about their children; and then

  • only so long as the Web site adopts procedures to protect the information.

Notice and Prior Verifiable Parental Consent.

In most cases, before collecting, using or disclosing personal information from a child, the Web site operator must first notify the child's parent or legal guardian and obtain "verifiable consent". In limited circumstances, however, a child's e-mail address may be collected without prior parental consent. For example, a child's name and e-mail address may be collected without prior parental consent if the information is used only to obtain parental consent. Likewise, a Web site operator may respond directly to a specific request from a child for such things as a one-time request for homework help or other information. And a Web site operator may enter a child into a contest or send a child an online newsletter, so long as the parent is given notice of these practices and a chance to prevent further use of the child's information. The manner in which the consent must be obtained depends somewhat on how the information will be used. In an attempt to balance the economic burden placed upon Web site operators with the need to protect a child's privacy, the FTC decided to allow the Web site operator to use different methods to get the "verifiable parental consent".

If the information will be used only internally by the Web site, then parental consent via e-mail is sufficient so long as additional steps are taken to ensure that the person providing the consent is in fact the parent. The "additional steps" that may be taken include sending a confirmatory e-mail to the parent following receipt of the consent, or obtaining a post office address or telephone number from the parent and confirming the consent by letter or telephone. However, if the information will be disclosed to third parties or is intended for public release (e.g., via a chat room), then the Web site is required to obtain either written or some other verified electronic consent.

This may include a faxed or mailed consent form, requiring a parent to use a credit card for the transaction, and having a parent call a toll-free telephone number staffed by trained people. Additionally, if the information is intended for release to a specific third party, then parents must be allowed to "opt out" of that disclosure without affecting the child's participation. Finally, when a privacy policy or practice "materially" changes, the Web site operator must notify the parents and obtain new written consent. A material change may include, altering the kind of information they collect, how they collect the information, or how they use the information.

Parental Review and Ability to Revoke Consent.

The Web site must also provide parents with the ability not only to review and delete any personal information collected from their children, but also the ability to revoke their prior consent. Once personal information is collected from a child, parents must be allowed to review the information collected, have the information deleted, and refuse to permit further collection or use of the child's personal information. Prior to granting the parental right to review, however, the Web site must verify the identity of the requesting parent.

Ban on Conditional Participation.

COPPA allows a Web site operator or online service provider to restrict a child's access if a parent refuses to provide, or revokes, consent to the collection of personal information "reasonably necessary" for the child's participation. However, the Web site or online service provider may not condition a child's participation on the disclosure of any information which is not "reasonably necessary" to participate in the online activity.

Penalties.

Violations of these new federal rules will be treated as "unfair" or "deceptive" trade practices, which are punishable by cease-and-desist orders, public admonition, and substantial fines.

Conclusion -- Take COPPA Seriously.

Unlike many other parts of the world which stringently protect an individual's privacy, in the United States few laws protect individual privacy. COPPA is one of the first of what I expect will be many laws to regulate the use of private information. As this Internet Alert only outlines COPPA's main provisions, it is important that you review COPPA's requirements carefully with your attorney.
 Return to Internet Alert
DISCLAIMER: This article has been prepared by Melissa C. Marsh for the benefit of clients and friends. Although prepared by a professional, this article should not be used as a substitute for legal advice because your specific factual circumstances may differ, the laws of your jurisdiction may differ, your specific situation may require different advice, or the laws may have changed. Readers should not act upon the information contained in this article without first seeking the advice of a local licensed and practicing attorney.

If you have questions relating to this article, please call (323) 655-1002 or email: mmarsh@yourlegalcorner.com.
About Us | Articles | Contact Us | Consultation Form | Directions | Links
Practice Areas: Ad Law | Business Law | Computer Law | Internet Law | IP Law | Employment Law
Disclaimer | Privacy | Copyright 2000 - 2007, Melissa C. Marsh. All Rights Reserved.