Federal Trade Commission
Children’s Online Privacy Protection Rule
Privacy Online: A Report to Congress
FTC 1998 Children’s Survey Findings (212 sites)
89% of children’s sites collected personal information from children
24% posted a “privacy policy”
1% required prior parental consent
Children’s Online Privacy Protection Rule
1998 FTC report recommended legislation
COPPA enacted Oct. 21, 1998
FTC issued final rule Oct. 20, 1999 (64 Fed. Reg. 59888, Nov. 3, 1999)
Rule became effective April 21, 2000
The Goal of COPPA
Place parents in control over what information is collected from their children online.
Require commercial websites to provide NOTICE and obtain a parent’s CONSENT before collecting personal information from children under 13, with certain exceptions.
Who Must Comply with COPPA?
Operators of commercial websites directed to children (under 13) who collect personal information
Operators of general audience websites who have actual knowledge that they collect personal information from children
Entities on whose behalf operators collect the information
FTC Considers Several Factors
Who owns, controls, or has access to the information
Who pays for its collection or maintenance
Any pre-existing contractual relationship
The party’s role in collecting or maintaining the information
The party’s “interest” in the information
(Entities that merely provide Internet access would not be operators.)
When Does COPPA Not Apply?
Nonprofits are exempt from COPPA (if otherwise exempt from coverage under the FTC Act)
Collection of anonymous or aggregate (non-personally identifying) information does not trigger COPPA
Is a Website Directed to Children?
The FTC considers several factors including:
The site’s subject matter, content, age of models, language or other characteristics
Whether advertising promoting or appearing on the site is directed to children
Empirical evidence about audience composition
Evidence about intended audience
Whether the site uses animated characters and/or child-oriented activities or incentives
Is a Website Directed to Children?
A children’s site cannot avoid COPPA’s requirements by:
Disclaimers that “children under 13 cannot visit” or that “the FTC does not permit visitors under 13”
Making requests for personal information “optional”
Asking for age information in a way that invites children to falsify their age
What Is “Personal Information?”
Full name
Physical address
E-mail address
Social Security number
Telephone number
A screen name that reveals an e-mail address
A persistent identifier, such as a number held in a cookie, when it is combined with personal information
Any information tied to personal information: age, gender, hobbies, preferences, etc.
Examples of Non-Personal Information
First name only, without other identifying information
A screen name that is not tied to an e-mail address or other identifying information
Gender, hobby, or preference information that is not tied to an e-mail address or other identifying information
“Collection” of Personal Information
All online means are covered, including:
Requesting that children submit personal information online
Enabling children to make the information public, e.g., in a chat room or on a message board (except where it is deleted before posting)
Passive tracking linked to personal information
The Rule Requires Operators to:
Post a PRIVACY POLICY and links to the policy
Give parents NOTICE of its information practices
With certain exceptions, obtain VERIFIABLE PARENTAL CONSENT before collecting, using or disclosing personal information from children
Provide PARENTAL ACCESS to information collected from children, and the opportunity to delete the child’s information and opt out of future collection
The Rule Requires Operators to:
LIMIT COLLECTION of personal information to what is reasonably necessary to participate in the activity
Cannot condition a child’s participation upon the disclosure of personal information not reasonably necessary to the activity
Ensure CONFIDENTIALITY, SECURITY and INTEGRITY of personal information
ENFORCEMENT – civil penalties up to $11,000 per violation
The Rule Requires NOTICE
Children’s Sites
A Privacy Policy link on home page and at each area where personal information can be collected
General Audience Sites with Child Area
A link on the children’s area home page and each area where personal information can be collected
Direct Notice to Parents where parental consent or notice is required
Privacy Policy Links Must Be:
Clearly labeled as a notice of the site’s information practices regarding children
Prominently placed on the home page and at all information collection areas
In close proximity to requests for personal information
Clearly distinguishable from other links
The Privacy Policy - Content
Must be clear and understandable
Must be complete
Cannot contain any unrelated, confusing or contradictory materials
Must state:
Operator’s contact information
Kinds of personal information collected, and whether collected actively or passively
How such information is or may be used
The Privacy Policy -- Content
Must state:
Whether the information is disclosed to third parties, including:
what businesses they are engaged in
how they use the information
whether they have agreed to maintain the confidentiality of the information
That parents can consent to collection of personal information WITHOUT consenting to its disclosure to third parties
The Privacy Policy -- Content
Must state:
That a child’s participation cannot be conditioned upon providing more personal information than reasonably necessary to participate
That parents can review and delete personal information, and opt out of future collection (and how to do so)
Verifiable Parental Consent General Points
With certain exceptions, verifiable parental consent must be obtained PRIOR to the collection, use or disclosure of personal information from children
Must allow the parent the option to consent to collection without disclosure to third parties
Standard: “an operator must make reasonable efforts to obtain verifiable parental consent, taking into consideration available technology”
Sliding scale in place until April 2002
E-Mail Exceptions to Prior Parental Consent
1. To provide parental notice or seek parental consent
May collect parent’s or child’s name and e-mail address
Must delete this information within a reasonable time if no response is received
2. To respond on a one-time basis to a child’s request
May collect child’s e-mail address
E-mail address must then be deleted
Cannot be used to re-contact the child
E-Mail Exceptions to Prior Parental Consent
3. To respond directly more than once to child’s request
May collect parent’s (exception #1) and child’s name and e-mail address
Must provide parent with notice and opt-out
If parent does not opt out, the operator may use the information for the purposes stated in the notice
Cannot use information for any other purpose
Content of the Notice and Opt-out
Information contained in the privacy policy
That the operator has collected the child’s e-mail address to respond to a request and that there will be more than one contact with the child
That the parent may refuse to permit further contact and may request deletion of the PI (and how to do so)
Notice and Opt-out
How to provide notice?
Make reasonable efforts to notify the parent, taking into account available technology
Can e-mail the notice to the parent
Cannot ask the child to print out the notice and hand it to the parent (because this exception is opt-out, the notice must reach the parent directly)
If you already have the postal address, can mail the notice to the parent
E-Mail Exceptions to Verifiable Parental Consent
4. To protect the safety of a child participating on the website, where such information is:
Used only for that purpose
Not used to re-contact the child
Not disclosed on the website
May collect parent’s (exception #1) and child’s name and e-mail address
Operator must provide parent with direct notice
Content of the Notice
Information contained in the privacy policy
That the operator has collected the child’s name or e-mail address to protect the safety of the child participating on the website
That the parent may refuse to permit the use of the PI and require its deletion (and how to do so)
That if the parent does not respond, the operator may use the PI for the purpose stated in the notice
E-Mail Exceptions to Prior Parental Consent
5. To the extent reasonably necessary:
To protect the security or integrity of the website
To take precautions against liability
To respond to judicial process
As permitted by law, to provide information for law enforcement and public safety
May collect child’s name and e-mail address, provided the information is not used for any other purpose
Verifiable Parental Consent
If the above exceptions are not applicable, you must obtain verifiable parental consent prior to any collection, use or disclosure of PI from children
As noted earlier, must give the parent the option to agree to collection of PI, without agreeing to disclosure to third parties
Mechanisms for Verifiable Parental Consent
Must be reasonably calculated, in light of available technology, to ensure:
The parent of a child receives notice of the operator’s practices with regard to the collection, use or disclosure of the child’s PI
The person providing consent is the child’s parent (or legal guardian)
Notice of the Operator’s Information Practices
The notice must include:
Information contained in the privacy policy
Statement that the operator wishes to collect PI from the child
That the parent’s consent is required, and the means by which the parent can consent
Mechanisms for Verifiable Parental Consent
Sliding scale in place until April 2002
Depends on how the website will use the information:
Internal use
Disclosure to third parties or the public
Internal Uses of Personal Information
Collecting a postal address to:
Send a free gift, a prize or a postal mailing to the child
Obtain parental permission to publish a child’s letter to the editor
A pet website collects a child’s e-mail address and information about the child’s pets to personalize the web page or to provide information updates
Marketing back to the child based on his/her preferences
“Email Plus” to Verify Consent
May obtain parental consent via e-mail “plus” an additional step to verify that it is actually the parent providing consent:
Send a confirmatory e-mail at a later date
Follow up with a telephone call or letter (the parent’s telephone number or postal address can be obtained in the parent’s initial e-mail)
Disclosure to Third Parties or the Public
Examples include:
Operator releases the PI to a third party, such as a marketer
Chat rooms
Message boards
E-mail and instant messaging services
Pen pal services
Must Obtain Prior Parental Consent Using One of the “More Reliable Methods”
Postal mail or fax
Toll-free number staffed by trained personnel
Credit card transaction
E-mail accompanied by a digital certificate
Digital signature
PIN or password obtained via one of the above
In addition, other methods are acceptable if they verify that the consent is coming from the parent
Still to Come…
FTC will conduct notice and comment review in Oct. 2001 to assess progress of the “more reliable” electronic consent mechanisms
After April 2002, all uses will require the “more reliable methods”
Parental Access and Opt-Out
Operator must disclose to the parent the “kinds” of personal information collected, and provide a means for reviewing the personal information
Parent may revoke consent to further use or collection of information, and may direct the operator to delete it
Parent can say NO to the disclosure of the child’s information to third parties
Parental Access and Opt-Out
Operator must verify the parent’s identity for access to specific information.
The Rule allows flexibility in verification methods, taking into account available technologies and the burden on parents.
Operator may terminate services if parent refuses the collection or use of personal information or has directed the operator to delete it.
Maintaining Security
Operator must establish and maintain reasonable procedures to protect the confidentiality, security and integrity of children’s personal information.
Operator can choose the method of implementing security.
Online Compliance Resources
KidzPrivacy
www.ftc.gov/kidzprivacy
FTC Privacy Initiatives
www.ftc.gov/privacy/index.html
Safe harbor programs
www.ftc.gov/privacy/safeharbor/shp.htm
How to Comply with the Children’s Online Privacy Protect