Prepare for the Children's Online Privacy Protection Act
The act regulates the online collection and use of personal information provided by and concerning children under the age of 13. Last month, the Federal Trade Commission published the final rules that set forth the manner in which marketers and other online entities are expected to comply with the act as well as how the FTC will enforce it.
The act requires operators of Web sites and online services directed to children under 13, or with actual knowledge that such children provide information to the site, to provide notice of the information they collect, how it is collected, and how it will be used.
Web sites and online services also must give parents the opportunity to review and delete information collected from their children and allow parents to authorize the manner in which the information is used.
In addition, sites and online services must get verifiable parental consent before collecting or using certain personal information provided by children. Web sites must securely maintain the information, and not collect more information than is reasonably necessary to allow children to participate in activities on their Web sites.
Banner advertisers must comply with the act if the advertiser captures personal information from a banner ad on a site directed to children or if there is actual knowledge that information is being obtained from a child.
The act does not apply to ISPs and cable operators that merely give users access to the Internet. Also exempt are Web sites that link to other sites covered by the act but that do not themselves engage in activities governed by the act.
All sites covered by the act must have a notice that discloses complete contact information for inquiries from parents. Also, all entities that will collect personal information must be identified.
Web sites and online services must disclose in the notice the type of information they will collect. Categories should be descriptive enough so parents can make informed decisions about whether to consent to the collection and use of information provided by their children.
The FTC rules make a distinction between personal and general information. Personal information refers to name, address and phone number, e-mail address, instant messaging identifiers and other information that can be used to locate an individual online or offline. General information, such as hobbies or preferences, is not considered personal. Static IP addresses or processor serial numbers also are not considered personal information, unless they are associated with identifiable personal information. A screen name or photograph may be personal information if it reveals individually identifiable information.
The notice must disclose how the operator will collect information. For example, a site may ask the user to provide information to register, make a purchase, answer a survey, or play a game. A Web site or online service must disclose whether it will maintain submissions made by users to chat rooms and message boards and whether it collects information without the user's knowledge, such as by using cookies and other tracking methods.
The notice must also indicate how the operator intends to use collected information. For example, a Web site or online service might use the information for internal purposes only, make it available to all users of that site or share it with third parties.
If the information is shared with third parties, the notice must state generally with whom the information will be shared, how these parties will use it, and whether the third party has agreed to maintain the confidentiality of the information.
Finally, the notice must state that the Web site or online service will not condition a child's participation in an activity on the disclosure of more personal information by the child than is necessary.
Sites directed to children under 13 must make the notice accessible via a hyperlink from the home page. General audience sites must make the notice accessible from the home page of the children's section. A link to the notice also must appear at each area where information is collected. Links must be clearly labeled and placed in a clear and prominent place and manner. For example, the text for the link should be in a larger font than other type on the page and set against a contrasting background.
Parental Consent and Access
With few exceptions, a Web site or online service must obtain "verifiable parental consent" before collecting, using and/or disclosing personal information from children. The act defines verifiable parental consent as any reasonable effort, given available technology, to ensure that a parent receives notice of the operator's information practices and consents to those practices before personal information is collected from a child.
Instead of prescribing only one way to obtain verifiable parental consent, the FTC adopted a "sliding scale" approach. The measures used to obtain verifiable parental consent depend on what the site or service intends to do with the personal information.
In general, the rule requires stricter measures for obtaining parental consent if the site or operator intends to share information with others than if it intends only to use information internally. This sliding scale will expire on April 21, 2002, at which time the FTC will consider the availability and effectiveness of new technologies to serve this purpose.
A Web site or online service must provide reasonable means for a parent to review personal information collected from his or her child online and prevent its further use or maintenance. If a parent seeks access to specific information about the child, the operator must verify that the person making the request is the child's parent or guardian. The rule does not allow a parent to change information about his or her child.
Keeping the Information Secure
The FTC rule requires the site or online service to establish and maintain reasonable procedures to protect the confidentiality, security and integrity of personal information collected from children. For example, an operator should use secure Web servers and firewalls, delete personal information once it is no longer used, limit employee access to data, provide training for those with access and screen third parties to whom information is disclosed.
The act provides that a Web site or online service may be deemed to comply if it follows self-regulatory guidelines approved by the FTC. These guidelines should substantially mirror the provisions of the act and the FTC's rules, have a mechanism for independent assessment of compliance with the guidelines and provide incentives for compliance.
An operator does not need to independently apply for approval if it complies with already approved guidelines applicable to its business. Industry groups or other persons seeking safe harbor treatment must maintain all documents required by the safe harbor provision for 3 years.
Although the act does not take effect until April, online marketers should begin developing procedures immediately to comply with the provisions of the act and its implementing rule. Web site operators not subject to mandated consent requirements before enforcement of the act must rethink their online marketing strategy. They must determine whether they are covered by the act, and if so, how they will use personal information collected and how they will obtain verifiable parental consent.
Unfortunately, because of the newness of the act and rule, there is no legal precedent for guidance. In the absence of such instruction, Web site operators should consult with legal counsel acutely familiar with the provisions of the act and rule, past FTC enforcement initiatives and current technology matters.