Children's Online Privacy Proposed Rule Issued by FTC

The Federal Trade Commission today issued a proposed rule designed to protect the privacy of children who surf the Internet. The proposed rule, which would apply to certain commercial websites, is the first step in the implementation of the Children's Online Privacy Protection Act of 1998. The main goal of the statute and the proposed rule is to put parents in control of information collected online from children under 13. The Commission also announced a "KIDS PRIVACY ALERT" to notify websites about the proposed rule.

"Protecting kids who surf the Internet has been a top priority of the Commission's online privacy initiative," said Robert Pitofsky, Chairman of the FTC. "This proposed rule aims to achieve that goal by putting parents in control of personal information that is collected from their children on the Web. The proposed rule also provides flexibility to accommodate varied business practices and the fast pace of technological change."

The Commission's three year effort to identify and educate industry and the public about the issues raised by the online collection of personal information from children and adult consumers highlighted the importance of protecting children's privacy on the Internet. The Commission recommended that Congress enact legislation after a March 1998 survey of 212 commercial children's websites. That survey found that while 89 percent of the surveyed sites collected personal information from children, only 24 percent posted privacy policies and only one percent required prior parental consent to the collection or disclosure of children's information. The Children's Online Privacy Protection Act was enacted on October 21, 1998.

The proposed rule, which is subject to public comment, applies to commercial websites directed to, or that knowingly collect information from, children under 13. With certain exceptions, these sites will have to obtain parental consent before collecting, using, or disclosing personal information from children. To inform parents of their information practices, these sites also will be required to provide notice on the site and to parents about their policies with respect to the collection, use and disclosure of children's personal information.

Parental consent would have to be verifiable, the proposed rule states. Operators may develop any number of ways to implement this requirement. The proposed rule does not commit to any particular method of obtaining verifiable parental consent but invites comments on the feasibility, costs, and benefits of various methods. Possible options are: (1) a consent form to be signed by the parent and returned to the operator by postal mail or facsimile, (2) the use of a credit card by the parent, (3) a toll-free telephone number that parents could call, and/or (4) an e-mail accompanied by a valid digital signature. The Commission also is considering whether there are other e-mail-based mechanisms that would ensure that the person providing the consent is the child's parent, the proposed rule states.

Under the proposed rule, sites must give parents a choice as to whether their child's information can be disclosed to third parties, and give parents a chance to prevent further use or future collection of personal information from their child. Parents must also, upon request, be given access to the personal information collected from their child and a means of reviewing that information.

There are certain limited exceptions to the proposed rule's requirements of prior parental consent. For example, a site may collect a parent's or child's e-mail address without prior parental consent in order to seek parental consent or provide parental notice. And, in order to preserve the interactive nature of the Internet, a site may collect a child's e-mail address without prior parental consent in order to respond directly to a specific request of the child. These exceptions, however, trigger additional privacy protections under the rule, the Commission said.

The statute includes a "safe harbor" program for industry groups or others who wish to create self-regulatory programs to govern participants' compliance. Commission-approved safe harbors will provide website operators the opportunity to tailor compliance obligations to their business models with assurance that if they follow the safe harbor they will be in compliance with the new law. Sites participating in such Commission-approved programs will, in some circumstances, be subject to the review and disciplinary procedures provided in those guidelines in lieu of formal Commission action. The proposed rule outlines the process by which industry groups and others may obtain certification of their guidelines.

The Commission vote to publish the proposed rule in the Federal Register for public comment was 4-0.

The proposed rule will be published in the Federal Register shortly. Written comments will be accepted until June 11, 1999. Comments may be submitted by e-mail to the address:

KidsRule@ftc.gov (no period). Written comments (original plus five copies, if feasible) should be submitted to: Secretary, Federal Trade Commission, Room H-159, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580.

Copies of the full text of the proposed rule, detail information about how to submit comments on the proposed rule, the statute as well as information about the FTC's privacy initiative are available from the FTC's web site at: http://www.ftc.gov and also from the FTC's Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 2058; 202-FTC-HELP (202-382-4357); TDD for the hearing impaired 1-866-653-4261. To find out the latest news as it is announced, call the FTC NewsPhone recording at 202-326-2710.

(FTC File No. 994504)