ELECTRONIC FRONTIER FOUNDATION

Children's Online Privacy Protection Rule (COPPA) of 1999 (Pages 81-90)



§ 312.4 Notice.

  1. General principles of notice. All notices under §§ 312.3(a) and 312.5 must be clearly and understandably written, be complete, and must contain no unrelated, confusing, or contradictory materials.
  2. Notice on the website or online service. Under § 312.3(a), an operator of a website or online service directed to children must post a link to a notice of its information practices with regard to children on the home page of its website or online service and at each area on the website or online service where personal information is collected from children. An operator of a general audience website or online service that has a separate children's area or site must post a link to a notice of its information practices with regard to children on the home page of the children's area.
    1. Placement of the notice.
      1. The link to the notice must be clearly labeled as a notice of the website or online service's information practices with regard to children;
      2. The link to the notice must be placed in a clear and prominent place and manner on the home page of the website or online service; and
      3. The link to the notice must be placed in a clear and prominent place and manner at each area on the website or online service where children directly provide, or are asked to provide, personal information, and in close proximity to the requests for information in each such area.
    2. Content of the notice. To be complete, the notice of the website or online service's information practices must state the following:
      1. The name, address, telephone number, and e-mail address of all operators collecting or maintaining personal information from children through the website or online service. Provided that: the operators of a website or online service may list the name, address, phone number, and e-mail address of one operator who will respond to all inquiries from parents concerning the operators' privacy policies and use of children's information, as long as the names of all the operators collecting or maintaining personal information from children through the website or online service are also listed in the notice;
      2. The types of personal information collected from children and whether the personal information is collected directly or passively;
      3. How such personal information is or may be used by the operator(s), including but not limited to fulfillment of a requested transaction, recordkeeping, marketing back to the child, or making it publicly available through a chat room or by other means;
      4. Whether personal information is disclosed to third parties, and if so, the types of business in which such third parties are engaged, and the general purposes for which such information is used; whether those third parties have agreed to maintain the confidentiality, security, and integrity of the personal information they obtain from the operator; and that the parent has the option to consent to the collection and use of their child's personal information without consenting to the disclosure of that information to third parties;
      5. That the operator is prohibited from conditioning a child's participation in an activity on the child's disclosing more personal information than is reasonably necessary to participate in such activity; and
      6. That the parent can review and have deleted the child's personal information, and refuse to permit further collection or use of the child's information, and state the procedures for doing so.
  3. Notice to a parent. Under § 312.5, an operator must make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives notice of the operator's practices with regard to the collection, use, and/or disclosure of the child's personal information, including notice of any material change in the collection, use, and/or disclosure practices to which the parent has previously consented.
    1. Content of the notice to the parent.
      1. All notices must state the following:
        1. that the operator wishes to collect personal information from the child;
        2. the information set forth in paragraph 312.4(b) of this section.
      2. In the case of a notice to obtain verifiable parental consent under § 312.5(a), the notice must also state that the parent's consent is required for the collection, use, and/or disclosure of such information, and state the means by which the parent can provide verifiable consent to the collection of information.
      3. In the case of a notice under the exception in § 312.5(c)(3), the notice must also state the following:
        1. that the operator has collected the child's e-mail address or other online contact information to respond to the child's request for information and that the requested information will require more than one contact with the child;
        2. that the parent may refuse to permit further contact with the child and require the deletion of the information, and how the parent can do so; and
        3. that if the parent fails to respond to the notice, the operator may use the information for the purpose(s) stated in the notice.
      4. In the case of a notice under the exception in § 312.5(c)(4), the notice must also state the following:
        1. that the operator has collected the child's name and e-mail address or other online contact information to protect the safety of the child participating on the website or online service;
        2. that the parent may refuse to permit the use of the information and require the deletion of the information, and how the parent can do so; and
        3. that if the parent fails to respond to the notice, the operator may use the information for the purpose stated in the notice.

§ 312.5 Parental consent.

  1. General requirements.
    1. An operator is required to obtain verifiable parental consent before any collection, use, and/or disclosure of personal information from children, including consent to any material change in the collection, use, and/or disclosure practices to which the parent has previously consented.
    2. An operator must give the parent the option to consent to the collection and use of the child's personal information without consenting to disclosure of his or her personal information to third parties.
  2. Mechanisms for verifiable parental consent.
    1. An operator must make reasonable efforts to obtain verifiable parental consent, taking into consideration available technology. Any method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent.
    2. Methods to obtain verifiable parental consent that satisfy the requirements of this provision include: providing a consent form to be signed by the parent and returned to the operator by postal mail or facsimile; requiring a parent to use a credit card in connection with a transaction; having a parent call a toll-free telephone number staffed by trained personnel; using a digital certificate that uses public key technology; and using e-mail accompanied by a PIN or password obtained through one of the verification methods listed above.

      Provided that: For the period until April 21, 2002, methods to obtain verifiable parental consent for uses of information other than the "disclosures" covered by § 312.2 of this Rule may also include use of e-mail coupled with additional steps to provide assurances that the person providing the consent is the parent. Such additional steps include: sending a confirmatory e-mail to the parent following receipt of consent; or obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call. Operators who use such methods must provide notice that the parent can revoke any consent given in response to the earlier e-mail.

  3. Exceptions to prior parental consent. Verifiable parental consent is required prior to any collection, use and/or disclosure of personal information from a child except as set forth in this paragraph. The exceptions to prior parental consent are as follows:
    1. where the operator collects the name or online contact information of a parent or child to be used for the sole purpose of obtaining parental consent or providing notice under § 312.4. If the operator has not obtained parental consent after a reasonable time from the date of the information collection, the operator must delete such information from its records;
    2. where the operator collects online contact information from a child for the sole purpose of responding directly on a one-time basis to a specific request from the child, and where such information is not used to recontact the child and is deleted by the operator from its records;
    3. where the operator collects online contact information from a child to be used to respond directly more than once to a specific request from the child, and where such information is not used for any other purpose. In such cases, the operator must make reasonable efforts, taking into consideration available technology, to ensure that a parent receives notice and has the opportunity to request that the operator make no further use of the information, as described in § 312.4(c), immediately after the initial response and before making any additional response to the child. Mechanisms to provide such notice include, but are not limited to, sending the notice by postal mail or sending the notice to the parent's e-mail address, but do not include asking a child to print a notice form or sending an e-mail to the child;
    4. where the operator collects a child's name and online contact information to the extent reasonably necessary to protect the safety of a child participant on the website or online service, where such information is
      1. used for the sole purpose of protecting the child's safety;
      2. not used to recontact the child or for any other purpose;
      3. not disclosed on the website or online service; and the operator uses reasonable efforts to provide a parent notice as described in § 312.4(c); and
    5. where the operator collects a child's name and online contact information to the extent reasonably necessary
      1. to protect the security or integrity of its website or online service;
      2. to take precautions against liability;
      3. to respond to judicial process; or
      4. to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety; and such information is not used for any other purpose.

§ 312.6 Right of parent to review personal information provided by child.

  1. Upon request of a parent whose child has provided personal information to a website or online service, the operator of that website or online service is required to provide to that parent the following:
    1. a description of the specific types or categories of personal information collected from children by the operator, such as name, address, telephone number, e-mail address, hobbies, and extracurricular activities;
    2. the opportunity at any time to refuse to permit the operator's further use or future online collection of personal information from that child, and to direct the operator to delete the child's personal information; and
    3. notwithstanding any other provision of law, a means of reviewing any personal information collected from the child. The means employed by the operator to carry out this provision must:
      1. ensure that the requestor is a parent of that child, taking into account available technology; and
      2. not be unduly burdensome to the parent.
  2. Neither an operator nor the operator's agent shall be held liable under any Federal or State law for any disclosure made in good faith and following reasonable procedures in responding to a request for disclosure of personal information under this section.
  3. Subject to the limitations set forth in § 312.7, an operator may terminate any service provided to a child whose parent has refused, under paragraph (a)(2) of this section, to permit the operator's further use or collection of personal information from his or her child or has directed the operator to delete the child's personal information.

§ 312.7 Prohibition against conditioning a child's participation on collection of personal information.

An operator is prohibited from conditioning a child's participation in a game, the offering of a prize, or another activity on the child's disclosing more personal information than is reasonably necessary to participate in such activity.

§ 312.8 Confidentiality, security, and integrity of personal information collected from children.

The operator must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

§ 312.9 Enforcement.

Subject to §§ 6503 and 6505 of the Children's Online Privacy Protection Act of 1998, a violation of a regulation prescribed under § 6502 (a) of this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under Section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

§ 312.10 Safe harbors.

  1. In general. An operator will be deemed to be in compliance with the requirements of this Rule if that operator complies with self-regulatory guidelines, issued by representatives of the marketing or online industries, or by other persons, that, after notice and comment, are approved by the Commission.
  2. Criteria for approval of self-regulatory guidelines. To be approved by the Commission, guidelines must include the following:
    1. a requirement that operators subject to the guidelines ("subject operators") implement substantially similar requirements that provide the same or greater protections for children as those contained in §§ 312.2-312.9 of this Rule;
    2. an effective, mandatory mechanism for the independent assessment of subject operators' compliance with the guidelines. This performance standard may be satisfied by:
      1. periodic reviews of subject operators' information practices conducted on a random basis either by the industry group promulgating the guidelines or by an independent entity;
      2. periodic reviews of all subject operators' information practices, conducted either by the industry group promulgating the guidelines or by an independent entity;
      3. seeding of subject operators' databases, if accompanied by either (i) or (ii); or
      4. any other equally effective independent assessment mechanism; and
    3. effective incentives for subject operators' compliance with the guidelines. This performance standard may be satisfied by:
      1. mandatory, public reporting of disciplinary action taken against subject operators by the industry group promulgating the guidelines;
      2. consumer redress;
      3. voluntary payments to the United States Treasury in connection with an industry-directed program for violators of the guidelines;
      4. referral to the Commission of operators who engage in a pattern or practice of violating the guidelines; or
      5. any other equally effective incentive.

      The assessment mechanism required under paragraph (b)(2) of this section can be provided by an independent enforcement program, such as a seal program. In considering whether to initiate an investigation or to bring an enforcement action for violations of this Rule, and in considering appropriate remedies for such violations, the Commission will take into account whether an operator has been subject to self-regulatory guidelines approved under this section and whether the operator has taken remedial action pursuant to such guidelines, including but not limited to actions set forth in paragraphs (b)(3)(i) through (iii) of this section.

  3. Request for Commission approval of self-regulatory guidelines.
    1. To obtain Commission approval of self-regulatory guidelines, industry groups or other persons must file a request for such approval. A request shall be accompanied by the following:
      1. a copy of the full text of the guidelines for which approval is sought and any accompanying commentary;
      2. a comparison of each provision of §§ 312.3 through 312.8 of this Rule with the corresponding provisions of the guidelines; and
      3. a statement explaining:
        1. how the guidelines, including the applicable assessment mechanism, meet the requirements of this Rule; and
        2. how the assessment mechanism and compliance incentives required under paragraphs (b)(2) and (3) of this section provide effective enforcement of the requirements of this Rule.
    2. The Commission shall act upon a request under this section within 180 days of the filing of such request and shall set forth its conclusions in writing.
    3. Industry groups or other persons whose guidelines have been approved by the Commission must submit proposed changes in those guidelines for review and approval by the Commission in the manner required for initial approval of guidelines under subsection (1). The statement required under subsection (1)(iii) must describe how the proposed changes affect existing provisions of the guidelines.
  4. Records. Industry groups or other persons who seek safe harbor treatment by compliance with guidelines that have been approved under this Rule shall maintain for a period not less than three years and upon request make available to the Commission for inspection and copying:
    1. consumer complaints alleging violations of the guidelines by subject operators;
    2. records of disciplinary actions taken against subject operators; and
    3. results of the independent assessments of subject operators' compliance required under paragraph (b)(2) of this section.
  5. Revocation of approval. The Commission reserves the right to revoke any approval granted under this section if at any time it determines that the approved self-regulatory guidelines and their implementation do not, in fact, meet the requirements of this Rule.

§ 312.11 Rulemaking review.

No later than five years after the effective date of this Rule, the Commission shall initiate a rulemaking review proceeding to evaluate the implementation of this rule, including the effect of the implementation of this Rule on practices relating to the collection and disclosure of information relating to children, children's ability to obtain access to information of their choice online, and on the availability of websites directed to children; and report to Congress on the results of this review.

§ 312.12 Severability.

The provisions of this Rule are separate and severable from one another. If any provision is stayed or determined to be invalid, it is the Commission's intention that the remaining provisions shall continue in effect.

By direction of the Commission.
 
Donald S. Clark
 
Secretary

