WHO MUST COMPLY?
(1) If you operate a commercial Web site or an online service directed to children under 13
that collects personal information from children; OR
(2) If you operate a general audience website and have actual knowledge that you are
collecting personal information form children, you must comply with COPPA.
* DOES NOT APPLY TO PERSONAL INFORMATION ABOUT CHILDREN FROM PARENTS
OR OTHER ADULTS, however operators should keep confidential any information
obtained from parents in the course of obtaining parental consent or providing parental
access pursuant to COPPA.
WHAT IS AN “OPERATOR”?
To determine whether an entity is an “operator” with respect to the information collected on the
site, the FTC will consider the following factors:
a.) Who owns/ controls the information;
b.) Who pays for the collection and maintenance of the information;
c.) What pre-existing contractual relationships are in connection with the information; and
d.) What role the Web site plays in collecting or maintaining the information.
WHAT IS “DIRECTED TO CHILDREN”?
Factors considered as to whether or not a website is “directed to children” are:
a.) Whether subject matter and language are child-oriented;
b.) Whether it uses animated characters;
c.) Whether advertising appearing on the site is directed at children; and
d.) Empirical evidence (re: actual and intended visitors and ages (See 16 C.F.R. §312.2
“definition of website or online service directed to children”)
WHAT IS “PERSONAL INFORMATION”?
Individually identifiable information about a child that is collected online such as:
a.) Full name (but not first name only);
b.) Home address;
c.) E-mail address;
d.) Telephone Number;
e.) Hobbies, Interests ;
f.) Other information collected through cookies or other types of tracking mechanisms, but
only if tied to individually indentifiable information; and
g.) Any other information that would allow someone to identify or contact the child.
BASIC PROVISIONS
Privacy Notice on Web site
Placement:
An operator MUST post a link to a notice of its information practices on (1) the home
page of its Web site or online service AND (2) at each area where it collects personal
information from children.
An operator of a general audience site with a separate children’s area must post a link to
its notice on the home page of the children’s area.
The link:
a.) Must be clear and prominent (larger font, different color on a contrasting
background)
NOTE: a link in small print at the bottom of the page- or a link that is
indistinguishable from other links on your site, is NOT considered clear
and prominent.
Content:
The notice must be clearly written and understandable and may not contain unrelated or
confusing materials and MUST state the following:
a.) Name and contact information (address, telephone number and e-mail
address) of all operators collecting or maintaining children’s personal
information through the Web site or online service;
NOTE: If more than one operator is collecting information at the site, the site
may elect to provide contact information for only one operator who will
respond to all inquiries. Still, the NAMES of all the operators must be
listed in the notice.
b.) Kinds of personal information collected and how collected (directly or
passively);
c.) How the operator uses the personal information; (FOR EXAMPLE: Direct
marketing to children? Notifying contest winners? Allowing the child to make
information publicly available in a chat room or profile?)
d.) Whether the operator discloses information collected from children to third
parties;
IF SO, then operator must also disclose:
(i) Kinds of businesses in which the third parties are engaged;
(ii) General purposes for which the information is used; and
(iii) Whether third parties have agreed to maintain the confidentiality
and security of the information.
e.) That the parent has the option to agree to the collection and use of the child’s
information without consenting to the disclosure of information to third parties;
f.) That the operator may not require a child to disclose more information than is
reasonably necessary to participate in an activity as a condition of
participation;
g.) That the parent can:
(i) review the child’s personal information;
(ii) ask to have the information deleted and refuse to allow any further
collection or use of the child’s information; and
h.) The procedures for the parent to follow.
Direct Notice to Parents & Verifiable Parental Consent
Before collecting, using or disclosing personal information from a child, an operator must obtain
verifiable parental consent from the child’s parent. This means an operator must make reasonable
efforts (taking into consideration available technology) to ensure that before personal information
is collected from a child, a parent of the child receives notice of the operator’s information
practices and consents to those practices. An operator may use any of a number of methods to
notify a parent, including: sending an email message to the parent of a notice by postal mail (see
below for more information.)
Content:
The Notice to Parents must contain the same information included
on the notice on the Web site. In addition, an operator must:
a.) Notify a parent that it wishes to collect personal information from the child;
b.) Notify the parent that the parent’s consent is required for the collection, use
and disclosure of the information;
c.) Notify the parent as to how the parent can provide consent.
NOTE: Must be written clearly and understandably and cannot contain any
unrelated or confusing information.
Internal Uses:
Operators may use email to get parental consent for all internal uses of personal information,
such as marketing back to a child based on his or her preferences, or communicating promotional
updates about site content, as long as they take additional steps to increase the likelihood that the
parent has, in fact, provided consent.
FOR EXAMPLE: Operators may seek confirmation from a parent in a delayed confirmatory
email, or confirm the parent’s consent by letter or phone call.
Public Disclosures:
When operators want to disclose a child’s personal information to third parties OR make it
publicly available (for example, through chat room or profile or message board,) then more
reliable methods of consent are required including:
a.) Getting signed form from the parent via postal mail or fax;
b.) Accepting and verifying a credit card number in connection with the
transaction;
c.) Taking calls from parents through a toll-free number staffed by trained
personnel;
d.) E-mail accompanied by digital signatures.
NOTE: In the case of monitored chat rooms, if (1) all individually identifiable information
is stripped from postings before it is made public AND (2) the information is deleted from
the operator’s records, an operator does not have to get prior parental consent.
Disclosures to Third Parties:
An operator must give a parent the option to agree to the collection and use of the child’s
personal information without agreeing to the disclosure of information to third parties.
NOTE: When a parent consents to the collection and use of their child’s personal
information, the operator may release that information to others who use it solely to provide
support services for the internal operations of the Web site or service, including technical support
and order fulfillment.
EXCEPTIONS:
The regulations include several exceptions that allow operators to collect a child’s e-mail address
without getting the parent’s consent in advance. These exceptions cover many popular online
activities for kids including contests, online contests and homework help and electronic postcards.
Prior parental consent is not required when:
a.) An operator collects a child’s or parent’s email address to provide notice and seek
consent;
b.) An operator collects and email address to respond to a one-time request from a child
and then deletes it;
c.) An operator collects an email address to respond to more than one specific request
(for example, a newsletter) BUT in this case, the operator MUST notify the parent that
it is communicating regularly with the child AND give the parent the opportunity to
stop the communication before sending or delivering the second communication to a
child;
d.) An operator collects a child’s name or online contact information to protect the safety
of a child who is participating on the site. In this case, the operator MUST notify the
parent and give him or her the opportunity to prevent further use of the information;
e.) An operator collects a child’s name or online contact information to protect the security
or liability of the site or to respond to law enforcement, if necessary, and does not use
it for any other purpose.
NEW NOTICE OF CONSENT:
An operator is required to send a new notice and request for consent if there are material
changes in the collection, use of disclosure practices to which the parent had previously agreed.
(For example, original consent for contests but now child is being offered chat rooms, or
disclosure to third parties who are in materially different lines of business.)
ACCESS:
Verification:
At a parent’s request, operators MUST disclose the general kinds of personal information they
collect online from children (for example, name, address, phone number, email address,
hobbies,) as well as the specific information collected from children who visit their sites.
Operators must use reasonable procedures to ensure they are dealing with the child’s parent
before they provide access to the child’s specific information.
The operator can use a variety of methods to verify the parent’s identity, including:
a.) Obtaining a signed form from the parent via postal mail or facsimile;
b.) Accepting and verifying credit card numbers;
c.) Taking calls from parents on a toll free telephone number staffed by trained personnel;
d.) Email accompanied by digital signature;
e.) Email accompanied by PIN or password obtained through one of the verification
methods above.
NOTE: Operators who follow one of these procedures acting in good faith to a
request for parental access are protected from liability under federal and state law for
inadvertently disclosing a child’s personal information to someone who purports to be
a parent.
Revoking and Deleting:
At any time a parent may:
a.) Revoke his/ her consent;
b.) Refuse to allow an operator to further use or collect their child’s personal
information; and
c.) Direct the operator to delete the information.
The operator may, at any time, terminate any service provided to the child, but only if the
information at issue is reasonably necessary for the child’s participation in that activity, (if, for
example, there are other activities that do not require the child’s personal information in order to
participate, the operator MUST allow the child access to those activities.)
This primer is for informational purposes only.
For more information, please contact Adriana Rosas at Pearce Ferguson, PC at (972) 378-9111
or arosas@pffirm.com.
