Children's Privacy Rights Protected: Final Rule Adopted
Published: Nov. 15, 1999 by Dorie Turnipseed

"This final step achieves one of the Commission's top goals – protecting children's privacy online. The rule meets the mandates of the statute. It puts parents in control over the information collected from their children online, and is flexible enough to accommodate the many business practices and technological changes occurring on the Internet." -FTC Chairman Robert Pitofsky (New Rule will Protect Privacy of Children Online (visited Nov. 14, 1999) http://www.ftc.gov/opa/1999/9910/childfinal.htm)

The Federal Trade Commission issued its Final Rule to implement the Children's Online Privacy Protection Act of 1998 (COPPA, 15 U.S.C. §6501 et seq.) on October 20, 1999. Signed into law on October 21, 1998, the goal of COPPA is "to prohibit unfair or deceptive acts or practices in connection with the collection, use, or disclosure of personally identifiable information from and about children on the Internet." 15 U.S.C. §§6501-6505. The statute gave the Commission one year to issue the Final Rule necessary to fulfill its privacy protections, resulting in a proposed rule being published in the Federal Register on April 27, 1999. Public comment was requested on key provisions, and after receiving 145 comments from various sources, including Internet businesses, privacy groups, children's advocacy groups, technology companies, and individuals, the Commission amended 16 CFR Chapter I by adding Part 312 to implement the privacy protections required by COPPA. Effective April 21, 2000, key requirements of the Final Rule include a privacy notice on the website, verifiable parental consent, online activities for which parental consent is not required, and a specific enforcement provision with a safe harbor program.

Affected Parties

The statute and Rule apply to commercial websites and online services directed to, or that knowingly collect information from, children under the age of 13. The Act specifically applies to "operators" of web sites, defined as "any person who operates a web site located on the Internet or an online service and who collects or maintains personal information from or about the users or visitors… or on whose behalf such information is collected or maintained." (16 C.F.R. §312.2 (1999)). The Commission further clarified the scope of this definition by listing a number of factors to consider, such as who owns and controls the information, who pays for its collection and maintenance, the status of pre-existing contractual relationships regarding collection and maintenance of the information, and the role of the web site or online service in collecting and maintaining the information. (64 CFR at 22752 (1999)). The status of entities as operators, who are covered under the Rule, versus third parties, who are not covered under the Rule, is determined by the entity's relationship to the information collected under the factors described above. A third party is defined as "any person who is not (1) an operator with respect to the collection or maintenance of personal information… or (2) a person who provides support for the internal operations of the web site or online service and who does not use or disclose information protected under this Rule." (16 C.F.R. §312.2 (1999)). If an entity has an interest in the data collected, however, then it too is within the scope of the Rule. In addition, network advertising companies or companies that provide banner ads on web sites or online services are also subject to the Act. If they collect personal information directly from children who click on those ads, and the ads are on web sites or online services directed toward children, the Act applies.
If companies collect personal information from visitors who click on their ads at general audience sites, and that information reveals that the visitor is a child, they will be subject to the Act as well. Even if these companies do not collect information from children directly, but have ownership or control over information collected at a host children's site, they will be considered operators.

Privacy Notice on the Web Site

COPPA mandates that an operator post a clear and prominent link to a notice of "what information it collects from children, how it uses such information, and its disclosure practices for such information." (16 C.F.R. §312(3)(a) (1999)). The link must be clearly labeled as a notice of information practices with regard to children; be placed in a clear and prominent place and manner on the home page of the web site or online service; and must also be placed "at each area on the web site or online service where children directly provide, or are asked to provide, personal information and in close proximity to the requests for information in each such area." (16 C.F.R. §312.4(b)(1)(i)(ii)(iii) (1999)). The notice must state the name and contact information of all operators, the types of personal information collected from children, how much information is used, and whether personal information is disclosed to third parties. (16 C.F.R. §312.4(b)(2) (1999)). It must explicitly state that the operator is prohibited from conditioning a child's participation in an activity on the child's disclosure of more personal information than is reasonably necessary. (16 C.F.R. §312.4(b)(2)(v) (1999)). Included in the notice must be a statement that a parent can review and remove the child's personal information, as well as refuse to permit further collection or use of the child's personal information. (16 C.F.R. §312.4(b)(2)(vi) (1999)). The specific wording and content of this notice can be found in §312.4(c).

Verifiable Parental Consent

Obtaining "verifiable parental consent" means "making any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, a parent of the child… receives notice of the operator's personal information collection, use, and disclosure practices; and authorizes any collection, use, and/or disclosure of the personal information." (16 C.F.R. §312.2 (1999)). An operator must also give the parent "the option to consent to the collection and use of the child's personal information without consenting to disclosure of his or her personal information to third parties." (16 C.F.R. §312.5(a)(2) (1999)). The Federal Register notice accompanying the Final Rule makes clear that while "parent" is defined as "legal guardian" in the Rule, §312.2, schools can act as agents of the parents or as intermediaries between web sites and parents in the notice and consent process.

Under §312.5, the Final Rule adopts a "sliding scale" approach, allowing web sites to vary their consent methods depending upon the intended uses of the child's information. For the first two years, use of more traditional and reliable methods of consent such as postal mail, facsimile, credit card, toll-free telephone number, digital signature, or e-mail with a PIN or password, are required only for activities that involve the greatest risks to children. These methods of consent are required, for example, when personal information is disclosed to third parties or is publicly available through interactive activities, like chatrooms. A less stringent form of consent is required for internal uses of a child's information. If an operator is simply marketing back to a child based on personal information, e-mail is permitted as a form of consent, so long as additional steps are taken to ensure that the parent is providing that consent.
To make this confirmation, steps might include sending a confirmatory e-mail to the parent after receipt of the consent, or confirming the consent by letter or telephone call. This "sliding scale" will only be in effect, however, for two years after the effective date of the rule. After April 21, 2002, the Commission will reevaluate whether other electronic methods of consent are available, and more reliable methods will be required for all uses of information.

Online Activities That Do Not Require Parental Consent

Exceptions to the requirement of prior parental consent are set forth in §312.5(c). Operators are permitted to collect a child's e-mail address for certain purposes. The operator may collect "the name or online contact information of a parent or child to be used for the sole purpose of obtaining parental consent or providing notice under §312.4," but if the parental consent has not been obtained "after a reasonable time from the date of the information collection, the operator must delete such information from its records." (16 C.F.R. §312.5(c)(1) (1999)). An operator may also collect information "for the sole purpose of responding directly on a one-time basis to a specific request from the child," and when the information obtained is not used "to recontact the child and is deleted by the operator from its records." (16 C.F.R. §312.5(c)(2) (1999)). Information may also be collected from a child "to the extent reasonably necessary," to protect "the security or integrity" of the web site; "to take precautions against liability; to respond to judicial process… or to provide information to law enforcement agencies or for an investigation on a matter related to public safety;" so long as the information is not used for any other purpose. (16 C.F.R. §312.5(c)(5) (1999)). Practically, §312.5 stands for the proposition that no consent is required for such actions as responding to a one-time request by a child for homework help.
On the other hand, an operator may only safely enter a child into a contest or send a child an online newsletter if the parent is given notice of the web site's practices and an opportunity to prevent further use of the child's information. In addition, the Federal Register notice clarifies that this rule covers only information submitted online, and not information requested online, but submitted offline.

Enforcement and the Safe Harbor Program

Subject to §§ 6503 and 6505 of COPPA, a violation of a regulation is treated "as a violation of a rule defining an unfair or deceptive act or practice prescribed under Section 18(a)(1)(B) of the Federal Trade Commission Act 15 U.S.C. §57a(a)(1)(B)." (16 C.F.R. §312.9 (1999)). An operator may protect itself, however, by complying with requirements of self-regulatory programs of industry groups. An operator will automatically be "deemed to be in compliance with the requirements of [the] Rule" if it complies with Commission-approved safe harbors. (16 C.F.R. §312.10(a) (1999)). This alternative offers operators the opportunity to tailor obligations of compliance to their specific businesses with the assurance that so long as they follow the safe harbor they are in compliance with the Rule. Self-regulatory guidelines must be approved by the Commission under specific criteria with periodic reviews and internal disciplinary procedures in lieu of formal Commission action. (16 C.F.R. §312.10(b) (1999)). Records must be maintained by industry groups, readily available to the Commission for inspection and copying for a period of three years, §312.10(d), and the Commission "reserves the right to revoke any approval granted," if it determines at any time "that the approved self-regulatory guidelines and their implementation do not, in fact, meet the requirements of [the] Rule." (16 C.F.R. §312.10(e) (1999)).
For operators of web sites and providers of online services, there is an extremely powerful incentive for creating and/or opting into a safe harbor program under this Rule. Not only does it protect them from the reach and sanction of the Commission, but it also provides the opportunity to tailor compliance obligations under the Rule with individual business plans. The industry itself, then, becomes a self-regulating mechanism, with a powerful stake in the enforcement of actions under this Rule.

Potential Concerns

Many web site operators have expressed concerns over the new Rule, and speculate as to what its implementation will mean for both children and the industry itself. To begin with, operators are concerned about resorting to cumbersome "offline" methods in order to obtain the required parental consent. In addition, many operators will be forced to completely overhaul web sites in order to comply with the Rule. Since many children use the Internet at school or at the library, it may be difficult for parents to give immediate online consent. Some worry this may discourage minors from pursuing information on the Internet altogether, especially if they are aware that their parents will be notified of the sites they are visiting on the Internet.

Even if these obstacles are crossed, the issue remains that it is nearly impossible to ensure that the parent is the person actually providing the required consent. There is no way to determine the identity or age of an Internet user, and children today often know much more about the Internet than their parents. It would not be a difficult task for a child to impersonate his or her parents and provide consent online.

There is also a major concern over the jurisdictional reach of this Rule. While the Internet is a global medium, the United States does not have the jurisdictional reach to enforce its Internet rules on foreign web sites.
An unfair competitive edge might be created in favor of foreign web operators who do not have to submit to similar rules and regulations since this Rule can only be enforced in the United States.

Regardless of the potential problems that may arise, this Final Rule goes into effect on April 21, 2000, and all operators who market or provide services to children on the Internet must take caution. Children's web site operators should review the Act as well as the Final Rule, and make any and all efforts to comply as soon as possible. For a copy of the complete Final Rule go to: http://www.ftc.gov/os/1999/9910/childrensprivacy.pdf

Internet Law Journal © 1998-2003 All Rights Reserved

Compliance with the children's online privacy protection act (COPPA) requirements [10]

The Children's Online Privacy Protection Act (COPPA) requires the Federal Trade Commission (FTC) to issue and enforce rules concerning children's online privacy. [11] In doing so, the FTC stated its primary goal as placing parents in control over the information that may be collected from their children online. Specifically, the COPPA rules apply to three groups of website operators: operators of commercial websites or online services directed to children under 13 that collect personal information from children; operators of general audience sites that collect personal information from children under 13; and operators of general audience sites that have a separate children's area and that collect personal information from children. These three groups of operators are required to perform certain tasks. First, these operators must post a privacy policy, provide notice to parents about the site's information collection practices, and in many instances, obtain parental consent prior to collecting personal information from children.
In addition, the operators must provide parents access to their child's information and the opportunity to delete information; they may not condition a child's participation in an activity on the disclosure of more information than is reasonably necessary; and they must maintain the confidentiality, security and integrity of the personal information collected from children. As stated above, the kids.us domain must be in strict compliance with existing laws, including, of course, the requirements of the COPPA. However, neither NeuStar, the DOC nor any Content Manager will be responsible for enforcing these requirements.

Compliance with children's advertising review unit (CARU) advertising standards

One example of widely adopted policies relating to advertising includes the efforts of the Children's Advertising Review Unit (CARU) of the Better Business Bureau. The CARU reviews and evaluates advertising in all media directed to children under 12. This includes print, broadcast and cable television, radio, video, CD-ROM, 900/976 teleprograms, and interactive electronic media. CARU reviews advertising to determine consistency with its guidelines. If advertising is found to be misleading, inaccurate, or inconsistent with the guidelines, CARU works to achieve voluntary cooperation from the relevant parties to ensure compliance. All kids.us registrants are encouraged to be in compliance with the CARU Guidelines. [12]

Technology restrictions

Because there is no foolproof method for protecting children online at this time, the kids.us Act specifies limitations put on specific technologies commonly used on the Internet today.
These technologies are prohibited from use in any kids.us domains:

* Two-way and multi-user interactive services, which include e-mail, chat, instant messaging, Usenet, message boards or like user forums, and peer-to-peer connections, "unless the registrant certifies to the registrar that such service will be offered in compliance with content standards established … and is designed to reduce the risk of exploitation of minors using such two-way and multi-user interactive services"; and
* Hyperlinks that take a user outside of the kids.us domain.

3. Enforcement Processes and Procedures

Pursuant to the kids.us Act, the registry operator has responsibility for creating "a process for removing from the new domain any content that is not in accordance with the [content] standards and requirements of the registry." This enforcement power, though severe, is not absolute and finite, as the registry is also required to create "a process to provide registrants to the new domain with an opportunity for a prompt, expeditious, and impartial dispute resolution process regarding any material of the registrant excluded from the new domain." [13] The purpose of providing this enforcement power to the registry operator is to strengthen a core objective of the kids.us Act, which is both to create an online arena that is free from material that is harmful to minors and to ensure that the kids.us domain remains safe from such harmful material.

At the time of initial content review, all potential websites must completely abide by the kids.us Content Guidelines and Restrictions before any content may reside within the kids.us domain. Once content is available, the Registry can be made aware of any true or alleged content infractions from the Content Manager or through feedback received directly from the Internet community. [14] On an on-going basis, the Registry will follow a defined process for removing appropriate content from the kids.us domain.
This process is designed to balance the needs of maintaining a stable domain space as well as ensuring a timely and expeditious means for registrants to resolve any true or alleged content infractions. In order to aid the registry operator in its enforcement, these content restrictions have been assigned a "severity level" that will guide the registry in addressing content violations. Because the registry does not have direct access to the content within a website, actions by the registry are limited to removing a domain name from the authoritative database, thereby blocking the site in its entirety. [15] Although complete removal of a domain name may appear to be an extreme course of action in some instances, the objective of protecting children is paramount and must be the guiding factor in the enforcement process.