Client Alert - Complying with COPPA
The purpose of this memorandum is to alert you to the fact that the Children's Online Privacy Protection Act ('COPPA'), 15 U.S.C. Sections 6501 et seq., became effective on Friday, April 21, 2000. COPPA governs the online collection, use and disclosure of 'personal information'[1] from children under 13, and applies to all websites and online services that collect or maintain personal information from or about such users or visitors. The statute is enforceable by the Federal Trade Commission and the Attorneys General of each of the states.
Given the recent, well-publicized controversies surrounding online privacy, and the ability of individual states to enforce COPPA, many observers are anticipating high-profile lawsuits against popular website operators.
Each operator of a website or online service ('operator') that collects (or wishes to collect) personal information from children under 13 will have to meet COPPA's requirements, including:[2]
- giving notice of the kinds of information the operator collects from
children under 13;
- creating a mechanism for obtaining 'verifiable parental consent' to the
collection of such information; and
- providing a reasonable means for parents to:
- review personal information collected from their children;
- decide whether they wish to permit its further use or maintenance; and
- revoke their consent, refuse to allow further use or collection of
personal information from their children, and direct deletion of the information already collected.
In addition, COPPA prohibits operators from conditioning a child's participation in a game, the offering of a prize, or another activity on the child's disclosing more information than is reasonably necessary to participate in the activity.
Finally, operators must put into place reasonable procedures to protect the confidentiality, security and integrity of the personal information they collect from children under 13 beginning with COPPA's effective date.
II. Applicability of COPPA
COPPA applies to any operator of a website or online service which is arguably 'directed to children' under the age of 13 and collects (or wishes to collect) personal information from them. COPPA also applies to what may be considered a 'general audience site' not directed to children, if the operator has 'actual knowledge' that children under 13 visit the site, or if the general audience site has a link to a children's page. See 15 USC Section 6501(1).
Any operator that meets the above criteria must meet the statute's requirements. As noted above, these include (i) a privacy notice requirement, (ii) a requirement of prior parental notice and consent to the collection of personal information from children, (iii) a requirement for a parental right of review of such information, and (iv) a mechanism permitting parents to limit consent to the use of their children's personal information and to revoke consent once given.
III. The Requirement of a Privacy Notice--16 CFR Section 312.4
As noted above, the first set of COPPA requirements which an operator must satisfy relate to the privacy notice it must provide.
By virtue of COPPA, an operator must:
- post a link to a notice of its information practices on its home page and
at each area where it collects information from children under 13; and
- if a website has a separate children's area, the operator must also
post a notice on the home page of the children's area.
The link(s) to the privacy notice must be clear and prominent. The FTC suggests that entities subject to COPPA may wish to use a larger font size or a different color type on a contrasting background to achieve this effect. A link in small print at the bottom of the page -- or a link that is indistinguishable from other links on the site -- will not be considered 'clear and prominent' by the FTC.
The content of the required notice must be clearly written and understandable, and should not include any unrelated information. It must include the following:
- The name and contact information (address, telephone number and email address)
of all operators collecting or maintaining children's personal information
through the website or online service. If more than one operator is collecting
information at the site, the site may select and provide contact information for
only one operator who will respond to all inquiries from parents about the site's privacy policies.
Still, the names of all the operators must be listed in the notice.
- The kinds of personal information collected from children (for example, name,
address, email address, hobbies, etc.) and how the information is collected -- directly
from the child or passively, say, through cookies.
- How the operator uses the personal information. For example, is it used for
marketing back to the child? Notifying contest winners? Allowing the child to make the
information publicly available through a chat room?
- Whether the operator discloses information collected from children to third parties.
If so, the operator also must disclose the kinds of businesses in which the third parties
are engaged; the general purposes for which the information is used; whether the third
parties have agreed to maintain the confidentiality and security of the information; and
that the parent has the option to agree to the collection and use of the child's information
without consenting to the disclosure of the information to third parties.
- That the operator may not require a child to disclose more information than is
reasonably necessary to participate in an activity as a condition of participation.
- That the parent can review the child's personal information, ask to have it deleted
and refuse to allow any further collection or use of the child's information. The notice
also must state the procedures for the parent to follow.
IV. The Requirement of 'Prior' Parental Notice and Consent--16 CFR Sections 312.4 and 312.5
Any operator subject to COPPA must, in most cases (exceptions are described below), obtain verifiable parental consent prior to any collection, use and/or disclosure of personal information from children under 13, and make reasonable efforts to ensure that parents receive notice of its practices with regard to the collection, use and/or disclosure of such information, and notice of any material changes to any such practices to which the parent may already have consented.[3]
Until April 2002, the FTC will use a 'sliding scale' approach to the methods it will require with respect to such notice and consent depending on how the operator uses the personal information it wishes to gather from children. The key distinction here is whether such information is to be used for internal purposes, or is to be disclosed to others.
If such information is to be used only for internal purposes, a less rigorous method of consent is required. An operator can use email (along with certain additional steps described in the next paragraph) to get parental consent for all internal uses of children's personal information (where 'internal' uses include such things as marketing back to a child based on his or her preferences or communicating promotional updates about a site's content). Using email to obtain consent to internal use of personal information will be sufficient until April 2002, provided that additional steps are taken to increase the likelihood that the parent has, in fact, provided consent. Examples of such additional steps include sending confirmation of parental consent via a follow-up (i) email, (ii) letter or (iii) phone call.
If an operator intends to disclose such personal information to others, a more stringent (and reliable) method of seeking consent is required. Examples of obtaining verifiable parental consent when information is to be disclosed to others include:
- getting a signed form from the parent via postal mail or facsimile;
- accepting and verifying a credit card number from a parent;
- taking confirmatory calls from parents via a toll-free number staffed by
trained personnel;
- getting an email accompanied by a digital signature from a parent; and
- getting an email from a parent accompanied by a PIN or password obtained
by the parent through one of the verification methods listed above.
Furthermore, in the course of the verification process, parents must be given the option of permitting the collection of personal data from their children without agreeing to the disclosure of such information to third parties. That is, a parent must be permitted to consent to allow his/her child to participate in a website's activities without consenting to the disclosure of the child's information to third parties.
To complicate matters, there are a number of exceptions to the requirement of prior parental consent. Prior parental consent is not required:
- when an operator of a website merely collects a child's or parent's email
address to provide notice to the parent and seek consent;
- when an operator collects an email address to respond to a one-time
request from a child, and then deletes the address;
- when an operator collects an email address to respond more than once
to a specific request -- say, for a subscription to a newsletter. In such a case,
the operator must notify the child's parent that it is communicating regularly
with the child and give the parent the opportunity to stop the communication
before sending or delivering a second communication to the child;
- when an operator collects a child's name or online contact information to protect
the safety of the child who is participating on the site. In such a case, the operator
must notify the parent and give him or her the opportunity to prevent further use of the information; and
- when an operator collects a child's name or online contact information to protect
the security or liability of the site, and does not use it for any other purpose.
V. The Requirement of Parental Review--16 CFR Section 312.6
An operator subject to COPPA must also provide a reasonable means for parents to review the personal information collected from their children, and to decide whether they wish to permit its further use or maintenance. Thus, at a parent's request, the operator must disclose the general kinds of personal information it collects from children (for example, name, address, telephone number, email address, hobbies), as well as the specific information collected from children who visit the site.
In this regard, the operator is required to ensure that it is dealing with the child's parent before it provides access to the child's specific information. Among the methods suggested by the FTC for verifying a parent's identity in this regard are:
- obtaining a signed form from the parent via postal mail or facsimile;
- accepting and verifying a parent's credit card number;
- taking calls for the purposes of verification from parents via a toll-free number
staffed by trained professionals;
- requiring an email accompanied by a digital signature; or
- requiring an email accompanied by a PIN or password obtained through
one of the foregoing methods.
VI. The Requirement of a Parental Right to Revoke or Delete--16 CFR Section 312.6
In addition, an operator subject to COPPA must provide a mechanism under which, at any time, a parent may revoke his or her prior consent, refuse to allow the operator to further use or collect his or her child's personal information, and direct the operator to delete such information.
If a parent does so, the operator may terminate any service provided to the child, but only if the information at issue is reasonably necessary for the child's participation in that activity. The example given by the FTC is of a website operator who requires the email addresses of children who wish to participate in a chat room so that the operator can contact participants in the chat room who 'misbehave.' If, after having given consent to the collection of such information, a parent asks the operator to delete the child's information, the operator may refuse to allow the child to participate in the chat room in the future. If, however, other activities on the website do not require the child's email address, the operator must allow the child access to those activities.
VII. The Requirement of No Undue Conditions for Participation--16 CFR Section 312.7
Furthermore, an operator subject to COPPA may not condition a child's participation in an activity (including a game, a chance to win a prize, or other activity) on the child's disclosing more information than is reasonably necessary to participate in the activity. Any personal information collected in a context of this sort is, of course, also subject to COPPA's rules.
VIII. The Requirement of Reasonable Security Procedures--16 CFR Section 312.8
In addition to governing the rules of how such information may be collected and used, COPPA also requires entities subject to it to put into place reasonable procedures to protect the confidentiality, security and integrity of the personal information they collect from children under 13.
IX. Safe Harbor Provisions--16 CFR Section 312.10
The regulations implementing COPPA include a 'Safe Harbor' provision that would permit industry groups and others to create self-regulatory programs to govern participants' compliance with COPPA. Any such guidelines will be required to include independent monitoring and disciplinary procedures, and must be submitted to the FTC for approval. Once approved, an operator's compliance with such self-regulatory guidelines will serve as a 'safe harbor' in any enforcement actions for violations of COPPA. It will, however, be many months before any such self-regulatory regimes have been approved by the FTC, and as a consequence, they are of little help at present.
Finally, it should be emphasized that the foregoing is an initial interpretation of COPPA, which is of course new and untested. Furthermore, because COPPA is a complex, detailed and untested statute, any effort at compliance should be reviewed by counsel at each stage. It is especially important that once a compliance program is implemented it not be changed without further legal review and the necessary follow-up with parents who may have given consent.
[1] For these purposes, 'personal information' is defined as 'individually identifiable information about an individual collected online, including (i) a first and last name; (ii) a home or other physical address including street name and the name of a city or town; (iii) an e-mail address; (iv) a telephone number; (v) a Social Security number; (vi) any other identifier that the FTC determines permits the physical or online contacting of a specific individual; or (vii) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this definition.' 15 USC Section 6501(8).
Copyright 2000, Cowan, Liebowitz & Latman, P.C.
For further information, contact Midge H. Hyman.