The rule was promulgated after the enactment of the Children's Online Privacy Protection Act of 1998, which followed a Federal Trade Commission investigation into the lack of privacy protection afforded to children who use the Internet. Portions of the statute included vague standards, which have since been filled in with FTC requirements that are sometimes broad and onerous.
Who Is Subject to the Rule?
The rule applies to commercial Web sites and online services that are directed toward or knowingly collect information from children under 13. It covers all personal information collected after April 21 regardless of any prior relationship an operator has had with a child. A marketer becomes subject to the rule when it collects personal information by operating a commercial Web site targeted to children under 13 or when it has knowledge that personal information from children under 13 is being collected from a general audience Web site it operates.
The general audience provision potentially affects millions of Web site operators that do not otherwise target children but whose sites attract them. The rule provides factors that the FTC will consider in determining whether a Web site is directed at children under 13. These include the site's subject matter, the site's visual or audio content, the age of models on the site and whether the advertising promoting or appearing on the site is directed to children. For example, sites that include child models, animated characters or child-oriented activities are more likely to trigger compliance obligations than purely adult-oriented Web sites.
What Must Be Disclosed?
An operator must provide notice of what information it collects from children, how it uses such information and its information disclosure policy. The notice must include the operator's name, address, telephone number, e-mail address, the type of personal information collected (such as names, addresses, hobbies and e-mail addresses), how the information is collected (either directly or passively - i.e., through cookies), how the operator uses the personal information, and whether and how the operator discloses information collected from children to third parties. If the operator discloses information to third parties, significant additional disclosures are required.
The privacy notice also must include a statement that the operator cannot limit or prohibit a child's participation for failing to disclose more personal information than is necessary to participate in the activity. The notice must advise parents that they can review and delete their child's personal information and that parents can refuse further collection or use of the information. The privacy notice must be clearly identified and linked on the home page of the children's area and on the page where personal information is collected (including e-mail information) from children.
Obtaining Verifiable Parental Consent
The operator must make reasonable efforts to ensure that the parent receives the privacy notice, along with a statement that the operator wishes to collect personal information from the child. Before collecting, using or disclosing personal information from a child, an operator must obtain verifiable parental consent from the child's parent. The consent can be limited to permitting the collection of information, while prohibiting the disclosure of the child's information to third parties.
A parent's consent may be in the form of a confirming e-mail, letter or telephone call, depending on the use of the child's privacy information. For the next two years, the FTC will operate under a "sliding scale" approach that requires verification commensurate with the amount of disclosure of personal information. Public disclosure to third parties triggers an obligation to obtain a signed form from the parent returned via fax or mail, to accept and verify a credit card number, to take calls from the parent through a toll-free number, or to receive an e-mail confirmed by a personal ID number.
There are exceptions to the parental consent requirement that permit an operator to obtain a child's e-mail address without obtaining advance parental consent. These exceptions include an operator collecting a child's or parent's e-mail address solely to provide notice and seek consent, or an operator collecting an e-mail address to respond to a one-time request from a child and then deleting it. There is a modified exemption for children's newsletter requests.
Once the rule takes effect, the FTC advises that it may bring enforcement actions and impose civil penalties for violations in the same manner as for other rules under the FTC Act. In the meantime, the commission also retains authority under Section 5 of the FTC Act to examine information practices in use before the rule's effective date for deception and unfairness. Given the FTC's impressive efforts relating to Internet commerce and its particular interest in children, one can reasonably expect the agency to vigorously enforce rule provisions.
This article addresses only portions of the rule. Given the important and complex compliance requirements under the rule and the significant potential exposure for violating the rule, any Web site operator that believes it may be subject to the rule should review the provisions directly with knowledgeable counsel.