The Federal Trade Commission today issued the final rule to implement the Children's Online Privacy Protection Act of 1998 (COPPA). The main goal of the COPPA and the rule is to protect the privacy of children using the Internet. Publication of the rule means that, as of April 21, 2000, certain commercial Web sites must obtain parental consent before collecting, using, or disclosing personal information from children under 13.
"This final step achieves one of the Commission's top goals - protecting children's privacy online," said FTC Chairman Robert Pitofsky. "The rule meets the mandates of the statute. It puts parents in control over the information collected from their children online, and is flexible enough to accommodate the many business practices and technological changes occurring on the Internet."
The COPPA was enacted following a three-year effort by the Commission to identify and educate industry and the public about the issues raised by the online collection of personal information from children and adult consumers. The Commission recommended that Congress enact legislation concerning children following a March 1998 survey of 212 commercial children's Web sites. The survey found that while 89 percent of the sites collected personal information from children, only 24 percent posted privacy policies and only one percent required parental consent to the collection or disclosure of children's information. The COPPA received widespread support from industry and consumer groups.
On October 21, 1998, the COPPA was signed into law. The statute gave the Commission one year to issue rules to implement its privacy protections. On April 27, 1999, the Commission published a proposed rule in the Federal Register and requested public comment on a number of its key provisions. The Commission received 145 comments from a variety of sources including Internet businesses, privacy and children's advocacy groups, technology companies, and individuals.
The statute and rule apply to commercial Web sites and online services directed to, or that knowingly collect information from, children under 13. To inform parents of their information practices, these sites will be required to provide notice on the site and to parents about their policies with respect to the collection, use and disclosure of children's personal information. With certain statutory exceptions, sites will also have to obtain "verifiable parental consent" before collecting, using or disclosing personal information from children. The rule will become effective on April 21, 2000, giving Web sites six months to come into compliance with the rule's requirements.
The issue of how Web sites can obtain "verifiable parental consent" generated the most interest among the commenters and prompted the Commission to hold a workshop devoted to the issue. The statute defines "verifiable parental consent" as "any reasonable effort (taking into consideration available technology) ... to ensure that a parent of a child ... authorizes the collection, use, and disclosure" of a child's personal information. The comments and the workshop testimony (available on the Commission's Web site) showed that certain methods of consent provide greater assurances that the person providing consent is the child's parent, but that some of these methods need additional time to develop and become available for widespread use. As noted below, the final rule temporarily adopts a "sliding scale" approach that will allow Web sites to vary their consent methods based on the intended use of the child's information.
Key Provisions of the Final Rule
A Web site operator must post a clear and prominent link to a notice of its information practices on its home page and at each area where personal information is collected from children. The notice must state the name and contact information of all operators, the types of personal information collected from children, how such personal information is used, and whether personal information is disclosed to third parties. The notice also must state that the operator is prohibited from conditioning a child's participation in an activity on the child's disclosing more personal information than is reasonably necessary. In addition, the notice must state that the parent can review and have deleted the child's personal information, and refuse to permit further collection or use of the child's information.
The final rule temporarily adopts a "sliding scale" approach that allows Web sites to vary their consent methods based on the intended uses of the child's information. For a two-year period, use of the more reliable methods of consent (print-and-send via postal mail or facsimile, use of a credit card or toll-free telephone number, digital signature, or e-mail accompanied by a PIN or password) will be required only for those activities that pose the greatest risks to the safety and privacy of children -- i.e., disclosing personal information to third parties or making it publicly available through chatrooms or other interactive activities. For internal uses of information, such as an operator's marketing back to a child based on the child's personal information, operators will be permitted to use e-mail, as long as additional steps are taken to ensure that the parent is providing consent. Such steps could include sending a confirmatory e-mail to the parent following receipt of consent, or obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call. The "sliding scale" will sunset two years after the effective date of the rule, at which time the more reliable methods would be required for all uses of information, unless the Commission determines more secure electronic methods of consent are not widely available.
The rule requires operators to "give the parent the option to consent to the collection and use of the child's personal information without consenting to disclosure of his or her personal information to third parties."
The rule sets forth several exceptions to the requirement of prior parental consent that permit operators to collect a child's e-mail address for certain purposes. For example, no consent is required to respond to a one-time request by a child for "homework help" or other information. In addition, an operator can enter a child into a contest or send a child an online newsletter as long as the parent is given notice of these practices and an opportunity to prevent further use of the child's information.
The Federal Register notice accompanying the rule makes clear that the rule covers only information submitted online, and not information requested online but submitted offline.
The Federal Register notice accompanying the rule makes clear that schools can act as parents' agents or as intermediaries between Web sites and parents in the notice and consent process.
The statute includes a "safe harbor" program for industry groups or others who wish to create self-regulatory programs to govern participants' compliance. Commission-approved safe harbors will provide Web site operators with the opportunity to tailor compliance obligations to their business models with the assurance that if they follow the safe harbor they will be in compliance with the rule. Sites participating in such Commission-approved programs will be subject to the review and disciplinary procedures provided in those guidelines in lieu of formal Commission action.
The statute authorizes the Commission to bring enforcement actions and impose civil penalties for violations of the rule in the same manner as for other rules under the Federal Trade Commission Act.
The Commission vote to publish the final rule in the Federal Register was 4-0. It will be published in the Federal Register shortly.
Copies of the full text of the rule as well as information about the FTC's privacy initiative are available from the FTC's web site at http://www.ftc.gov and also from the FTC's Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580; 877-FTC-HELP (877-382-4357); TDD for the hearing impaired 1-866-653-4261. To find out the latest news as it is announced, call the FTC NewsPhone recording at 202-326-2710.
(FTC File No. 994504)