
Legal Deadline Looms for Web Sites Collecting Data From Children

As of April 21, 2000, operators of web sites that collect personal information from children under the age of 13 must comply with stringent new regulations from the Federal Trade Commission implementing the 1998 Children's Online Privacy Protection Act (COPPA). Under the new requirements, operators must post clear and prominent notices explaining how a site collects, uses, and discloses personal information from children and give parents an opportunity to consent before information is collected.

Who Must Comply

If you operate a commercial web site or an online service that is directed to children under 13 and collects "personal information," or if you operate a general audience web site and have actual knowledge that children under 13 are providing you with "personal information," you must comply with COPPA.

What Constitutes "Personal Information"?

COPPA and the new FTC regulations apply to individually identifiable information about a child that is collected online, such as full name, home address, e-mail address, telephone number or any other information that would allow someone to identify or contact the child. The law also covers other information, such as hobbies or interests collected through cookies, when the data are tied to individually identifiable information. Any personal information collected from children after April 21, 2000, is covered by the new rules, regardless of any prior interactions the operator may have had with children visiting the site.

Basic Provisions of COPPA

Web sites covered by the new law must provide notice on the site and to parents about their policies with respect to collecting, using, and disclosing children's personal information. With certain exceptions, sites will also have to obtain "verifiable parental consent" before gathering personal information from children.

Privacy Policy Notice

Placement

An operator must post a clear and prominent link to a notice of its information practices on the home page of its web site or online service and at each area where it collects personal information from children. An operator of a general audience site with a separate children's area must post a link to its notice on the home page of the children's area.

The link to the privacy notice must be clear and prominent. A link in small print at the bottom of the page - or a link that is indistinguishable from other links on your site - is not sufficient.

Content

The privacy policy notice must be clearly written and understandable and must include the following information:

  • The name and contact information of all operators collecting or maintaining children's personal information through the web site or online service.
  • The kinds of personal information collected from children (for example, name, address, email address, hobbies, etc.) and how the information is collected - directly from the child or passively, e.g., through cookies.
  • How the operator uses the personal information. For example, is it for marketing back to the child? Notifying contest winners? Allowing the child to make the information publicly available through a chat room?
  • Whether the operator discloses information collected from children to third parties. If so, the operator also must disclose the kinds of businesses in which the third parties are engaged; the general purposes for which the information is used; whether the third parties have agreed to maintain the confidentiality and security of the information; and that the parent may consent to the collection and internal use of the child's information but prohibit the disclosure of the information to third parties.
  • That the operator may not require a child to disclose more information than is reasonably necessary to participate in an activity as a condition of participation.
  • That the parent can review the child's personal information that has been collected by the site, ask to have it deleted and refuse to allow any further collection or use of the child's information. The notice also must state the procedures for the parent to follow.

Direct Notice to Parents

In addition to the information included in the privacy notice on the web site, the operator must notify a parent that it wishes to collect personal information from the child; that the parent's consent is required before the site can collect, use or disclose personal information; and how the parent can provide consent. An operator may use any one of a number of methods to notify a parent, including sending an email message to the parent or a notice by postal mail.

Verifiable Parental Consent

Before collecting, using or disclosing personal information from a child, an operator must obtain "verifiable parental consent" from the child's parent. Until April 2002, the FTC will use a "sliding scale" approach to parental consent, in which the required method of consent will vary based on how the operator uses the child's personal information. If the operator uses the information only for internal purposes, a less rigorous method of consent is required than if the operator discloses the information to others. In the latter case, a more reliable method of consent is required.

Web Sites Using Personal Information for Internal Purposes Only

Operators may use e-mail to get parental consent for all internal uses of personal information, such as marketing back to a child based on his or her preferences or communicating promotional updates about site content. However, operators must also take additional steps to increase the likelihood that the parent has, in fact, provided the consent. For example, operators might seek confirmation from a parent via a follow-up email, or confirm the parent's consent by letter or phone call.

Web Sites Making Public Disclosure of Personal Information

When operators want to disclose a child's personal information to third parties or make it publicly available (for example, through a chat room or message board), the sliding scale requires them to use a more reliable method of consent, including:

  • getting a signed form from the parent via postal mail or fax (and deleting any information from internal records if the consent is not obtained after a reasonable time);
  • accepting and verifying a credit card number;
  • taking calls from parents, through a toll-free telephone number staffed by trained personnel;
  • e-mail accompanied by digital signature;
  • e-mail accompanied by a PIN or password obtained through one of the verification methods above.

Web Sites Making Disclosures of Personal Information to Third Parties

An operator must give a parent the option to agree to the collection and use of the child's personal information without authorizing the disclosure of the information to third parties.

Exceptions

The regulations include several exceptions that allow operators to collect a child's e-mail address without getting the parent's consent in advance. These exceptions cover many popular online activities for kids, including contests, online newsletters, homework help and electronic postcards. Prior parental consent is not required when:

  • an operator collects a child's or parent's email address in order to provide notice and seek consent;
  • an operator collects an email address to respond to a one-time request from a child and then deletes it;
  • an operator collects an email address to respond more than once to a specific request - say, for a subscription to a newsletter. In this case, the operator must notify the parent that it is communicating regularly with the child and give the parent the opportunity to stop the communication before sending or delivering a second communication with a child;
  • an operator collects a child's name or online contact information to protect the identity of a child who is participating on the site. In this case, the operator must notify the parent and give him or her the opportunity to prevent further use of the information;
  • an operator collects a child's name or online contact information to protect the security or liability of the site or to respond to law enforcement, if necessary, and does not use it for any other purpose.

New Notice and Consent Required if Use of Data Changes

An operator is required to send a new notice and request for consent to parents any time there are material changes in the collection, use or disclosure practices to which the parent had previously agreed.

Verifying Parental Identity Before Providing Access

At a parent's request, operators must disclose the general kinds of personal information they collect from children (for example, name, address, telephone number, email address, hobbies), as well as the specific information collected from children who visit their sites. Operators must ensure they are dealing with the child's parent before they provide access to the child's specific information. They can use a variety of methods to verify the parent's identity, including:

  • obtaining a signed form from the parent via postal mail or fax;
  • accepting and verifying a credit card number;
  • taking calls from parents on a toll-free telephone number staffed by trained personnel;
  • e-mail accompanied by digital signature;
  • e-mail accompanied by a PIN or password obtained through one of the verification methods above.

Giving Parents Options and Control

At any time, a parent may revoke his/her consent, refuse to allow an operator to further use or collect his/her child's personal information and direct the operator to delete the information. In turn, the operator may terminate any service provided to the child, but only if the information at issue is reasonably necessary for the child's participation in that activity.

Safe Harbors

Industry groups or others can create self-regulatory programs to govern participants' compliance with COPPA. These guidelines must include independent monitoring and disciplinary procedures and must be submitted to the FTC for approval. The FTC will publish the guidelines and seek public comment in considering whether to approve the guidelines. An operator's compliance with FTC-approved self-regulatory guidelines will serve as a "safe harbor" in any enforcement action for violations of COPPA.

Enforcement

The FTC may bring enforcement actions and impose civil penalties for violations in the same manner as for other FTC Rules and the FTC Act. In addition, COPPA authorizes states' Attorneys General to bring lawsuits to enjoin unlawful practices, enforce the regulations and recover damages and restitution on behalf of state citizens. Moreover, the FTC retains its pre-existing statutory authority to sanction any deceptive practices occurring on Internet web sites.

Future FTC Review of COPPA Rule

In October 2001, the FTC will seek comment from interested parties to determine whether technology has progressed as expected and whether secure electronic methods are widely available and affordable. Subject to the FTC's review, the sliding scale will expire in April 2002. Until then, operators are encouraged to use the more reliable methods of obtaining and verifying consent for all uses of children's personal information.

