Internet marketers that operate Web sites or online services directed to or visited by children under the age of 13 will be required by law on April 21 to post certain notices on the site or service concerning their information collection and use practices. In certain instances, they will have to obtain verifiable consent from parents before collecting information about the children.
This law, the Children’s Online Privacy Protection Act, was enacted by Congress in October 1998 and required the Federal Trade Commission to promulgate rules implementing COPPA by October of this year. After seeking industry, government and consumer comments on its proposed rules and conducting numerous workshops to supplement those comments, the FTC issued its final rules on Oct. 21. In light of these developments, all online marketers – from small Web masters to chief information officers – are advised to consider how COPPA will affect their business.
COPPA and its implementing rules apply to operators of Web sites and online services either directed to children under 13 or that have actual knowledge that such children provide information to the Web site or service.
When considering whether a Web site or service is directed to children, the FTC will consider the content – including the subject matter, visual or audio content, age of models and other characteristics.
Advertisers that place banner ads on Web sites also must comply with COPPA if the advertiser is able to capture personal information from users who click on or provide information to a banner, if the ad is on a site directed to children or if there is actual knowledge that information is being obtained from a child.
COPPA does not apply to Internet service providers and cable operators that merely provide users with access to the Internet. Also exempt are Web sites that link to other sites covered by the Act but do not themselves engage in activities governed by the Act.
The general notice required by COPPA must be accessible via a hyperlink from the home page of the Web site if the site is directed to children under 13 or from the home page of the children’s section of a general audience site. A link to the notice also must appear at each area where information is collected.
The notice must disclose the name, street address, e-mail addresses and telephone number of the Web site operator or online service responsible for responding to inquiries from parents. Web sites and online services must disclose the types of information they will collect. Categories should be descriptive enough so that parents are able to make an informed decision about whether to consent to the collection and use of information provided by their children.
The rules distinguish between personal information and general information. Personal information refers to name, address, phone number, e-mail address, instant messaging user identifiers and other types of information that can be used to locate an individual online or offline. General information such as a favorite music group or color is not considered personal. A screen name or photograph may be considered personal information if it reveals or is linked to any individually identifiable information.
The notice must disclose how the operator will collect information. For example, a site may ask the user to provide information to register with the site, make a purchase, answer a survey or play a game. A Web site or online service must disclose whether it will maintain postings to chat rooms and message boards and whether it’s collecting information without the child’s knowledge such as by using cookies and other tracking methods.
The notice must indicate how the operator intends to use the collected information. If the information will be shared with third parties, the notice must state generally with whom the information will be shared, how these parties will use the information and whether the third party has agreed to maintain the confidentiality of the information.
Finally, the notice must state that the Web site or online service will not condition a child’s participation in a certain activity on the child’s disclosing more personal information than is necessary.
Parental Consent and Access
Probably the most challenging aspect of COPPA for i-marketers is the requirement to obtain, with few exceptions, “verifiable parental consent” before collecting, using or disclosing personal information from children under 13 or allowing such children to participate in a forum, such as a chat room or message board, where they may post personally-identifiable information about themselves. In order to balance the requirements of COPPA with industry concerns, the FTC adopted a sliding scale to this requirement.
In general, the rules apply stricter measures for obtaining parental consent if the site or operator intends to share the child’s information with others or allow the child to participate in a chat room or message board, than if the site or service intends only to use the information internally. Examples of the former include a “print and fax/send” option, or providing a credit card for verification purposes, a toll-free telephone number or digital signature.
The latter requirement may be met by receiving consent from a parent via e-mail with some additional step, such as confirming such consent via e-mail or regular mail. This sliding scale expires on April 21, 2002, at which time the FTC will consider the availability and effectiveness of new technologies to serve this purpose.
A Web site or online service must provide reasonable means for a parent to review personal information provided from and maintained about his or her child online and prevent its further use or maintenance. Upon request by a parent, an operator is required to disclose what general types of information have been collected from the child. If a parent seeks access to specific information about their child, the operator must verify that the person making the request is the child’s parent or guardian. The rule does not allow a parent to change information about his or her child.
A Web site or online service must establish and maintain reasonable procedures to protect the confidentiality, security and integrity of personal information collected from children. For example, an operator should use secure Web servers and firewalls, delete personal information once it is no longer used, limit employee access to data and provide training for those with access, and screen third parties to whom information is disclosed. COPPA also provides a “safe harbor” for Web sites or online services that comply with self-regulatory guidelines that have been approved by the FTC.
Although COPPA does not take effect until April, i-marketers are advised to immediately review the provisions and the FTC’s rules with appropriate counsel. Unlike legislation affecting the direct marketing industry in the past, COPPA mandates that significant information be provided to consumers and that parental consent be obtained before information from children may be collected and maintained. These obligations should not be taken lightly, as the FTC will surely enforce these requirements with considerable vigor next spring.
Marc Roth is an attorney with Brown Raysman Millstein Felder and Steiner LLP, New York. His e-mail address is [email protected]