Introduction
The Children's Online Privacy Protection Act (COPPA), passed by Congress in October 1998, requires the Federal Trade Commission (FTC) to issue and enforce rules concerning children's online privacy. The FTC issued the Children's Online Privacy Protection Rule in November 1999; it has been in effect since April 21, 2000. The Rule's primary goal: to place parents in control over what information is collected from their children online.
The Rule applies to:
-
Operators of commercial websites or online services directed to children under 13 that collect personal information from children;
-
Operators of general audience sites that knowingly collect personal information from children under 13; and
-
Operators of general audience sites that have a separate children's area and that collect personal information from children.
The Rule requires these operators to:
-
Post a privacy policy on the homepage of the website and link to the privacy policy everywhere personal information is collected.
-
Provide notice to parents about the site's information collection practices and, with some exceptions, get verifiable parental consent before collecting personal information from children.
-
Give parents the choice to consent to the collection and use of a child's personal information for internal use by the website, and give them the chance to choose not to have that personal information disclosed to third parties.
-
Provide parents with access to their child's information, and the opportunity to delete the information and opt out of the future collection or use of the information.
-
Not condition a child's participation in an activity on the disclosure of more personal information than is reasonably necessary for the activity.
-
Maintain the confidentiality, security and integrity of the personal information collected from children.
The Basic Requirements
A privacy policy tells the visitor about the information collection practices of the website. For sites that are covered by COPPA, the policy must explain what types of personal information are collected, how it is collected, and how the website will use the information. It also needs to tell the visitor whether the website gives the personal information to anyone else. If so, the policy must identify the third parties and tell the visitor how the third parties will in general use the information. The privacy policy must be placed where it can be found easily, and it must be written so that the average person can understand what it says.
Location
To comply with the Rule, a website directed to children must put the link to its privacy policy in a clear and prominent place on the home page and at every area on the website where children are asked to provide personal information. The links to the privacy policy also must be close to the requests for information.
General audience websites with separate children's areas must post a clear and prominent link on the home page of the children's area, as well as at every area where personal information is collected from children. A general audience website is not required to have a separate privacy policy for its children's area, and may combine its general audience and children's privacy policies into one document. However, a website without a separate privacy policy for its children's area should clearly disclose at the top of its privacy policy that a specific section discusses the site's information practices with respect to children. A general audience site also can link from the children's area directly to the part of its privacy policy that pertains to children.
Clear and Prominent Links
The Rule requires that the link to the privacy policy be placed in a clear and prominent place on the home page and everywhere that children provide - or are asked to provide - personal information. "Clear and prominent" means that the link stands out and is noticeable to visitors through the use of different type sizes, different fonts, different colors, or contrasting backgrounds. A link that is in tiny print at the bottom of the home page - or one that is indistinguishable from adjacent links - is not considered clear and prominent.
Clear Labels
The link must be labeled clearly, which allows the visitor to know the link goes to the site's privacy policy and a description of its information collection practices. For example, a link that says Privacy Policy, Privacy Statement or Information Collection Practices Statement is considered to be labeled clearly. Links labeled Important Information, Legal Notice or Note to Parents would not be as effective in letting the visitor know that a click would take him or her to the site's privacy policy.
Content
A privacy policy tells visitors about the types of information the website collects, how the site handles the information, and whether the site gives the information to anyone else. The Rule requires that the privacy policy be clear and understandable. The policy must give a complete description of the site's information practices; it must not contain confusing or contradictory information.
The privacy policy plays a very important role in a parent's decision to agree to a website's request for information from their children. One that is clearly written, easy-to-understand, and full of relevant information helps parents make an informed decision.
To be COPPA-compliant, a privacy policy must contain the following information:
-
Contact information, including the name, mailing address, telephone number, and email address of all operators collecting or maintaining personal information from children through the website. This requirement lets parents know who will see and use their children's personal information; it gives them the information they need to get in touch with the operators who collect or maintain their children's personal information.
According to the Rule, if several operators are collecting information through the website, the site operator may list the name, address, phone number, and email address of one operator who will respond to all inquiries from parents about the operators' privacy policies and uses of children's information - but only if it makes the names of all the operators available, either by listing them in the policy or linking to them from the policy.
-
What types of personal information are collected, and how. Website operators should be specific enough about the types of personal information they collect from children to allow parents to make an informed decision about whether to agree to the collection and use of the information. A policy that uses descriptors like name, address, telephone number, hobbies, gender, and age tells parents exactly the types of personal information that the website collects from children. A privacy policy that notes it collects "contact information" gives parents no idea whether the website is collecting an email address or a home telephone number.
In addition, the privacy policy must state whether personal information is collected actively or passively. Active collection includes registration forms and email newsletter sign-up boxes. Passive collection includes the use of cookies or other identifiers when the information is combined with "personal information."
-
How the website will use the personal information. The privacy policy should state if the personal information is to be used to fulfill a requested transaction, keep records or market back to the child. For example, it should explain that email addresses are used to send weekly newsletters, or that a mailing address is used to send a prize or magazine subscription or fulfill another request.
In addition, the privacy policy must state whether the website offers activities that allow the child or the site to disclose the child's personal information publicly - for example, through chat rooms, message boards or email accounts.
If the website shares personal information with third parties, the privacy policy must explain the types of businesses the third parties are in and the general purposes for which they will use the information. The privacy policy also must tell the visitor whether the third parties have agreed to maintain the confidentiality, security and integrity of the personal information they obtain from the website operator.
Third Parties
The Rule defines a third party as a person who is not an operator of the website or who does not provide support for the internal operations of the website.
If the website is sharing the personal information with a company or person whose only role is to provide support for the internal operations of the website - like a fulfillment house or a shipping company - the disclosure of the personal information is not to a "third party" and does not have to be spelled out in the privacy policy. The Rule specifically defines "third party" to exclude people who provide internal support. These providers are obligated to use the personal information only to carry out their specific obligations. They cannot use the information for any other purpose.
Whether an "affiliated or related company" is considered a third party and triggers the third-party disclosure requirements, depends on the affiliated or related company's relationship to the personal information. If the affiliated or related company is an operator of the website because it collects personal information on the site, or because personal information is being collected on its behalf, it is not considered a third party. Rather, it is considered an operator - and subject to the Rule. If the affiliated or related company is not an operator and isn't providing internal support services, it is considered a third party. The privacy policy must tell parents about the sharing of personal information with this affiliated or related company and must give parents the choice to allow the disclosure of information - or not.
The Ban on Conditioning: Participation on Information Collection
The Rule prohibits website operators from conditioning a child's participation in an activity - like a game or prize offer - on the child's disclosure of more personal information than is reasonably necessary to participate in the activity. This provision prevents tying personal information from children to popular and persuasive incentives like games and prizes, and preserves a child's access to such activities. For example, to send a child a prize, it is reasonably necessary for a website to collect the child's mailing address. Asking the child for a postal or mailing address when offering an email newsletter would not be reasonably necessary. The Rule requires that privacy policies state this prohibition explicitly.
Parental Rights
The privacy policy must state that a parent can review the child's personal information, have it deleted, and refuse to allow the further collection or use of the child's information - and explain the procedures for doing so. For example, the privacy policy could provide contact information, like an email address or toll-free telephone number, for the parent to use.
