As the number of organizations, including camps, with
Web sites designed to attract and/or seek information from children increases,
steps are being taken by the government to protect children’s rights.
The Children’s Online Privacy Protection Act (COPPA) became effective
April 2, 2000. The regulations apply to the online collection of personal
information from children under thirteen.
Basically, if you collect name and address or e-mail
address or birth date or gender or any other personal information from
children under thirteen at your Web site, you must meet the requirements
of this law. These requirements include:
- obtaining verifiable parental consent before collecting, using or
disclosing information from a child;
- having and posting your privacy policies on the Web site;
- understanding your responsibility to protect children’s privacy
and safety.
To support the requirements of the Act, camps should
establish, prominently display, and implement policies about selling or
sharing of information gathered on the Web. These privacy policies should
also seek to avoid:
- identifying pictured children or adults by full name and/or hometown;
and utilizing password protection to areas where personal matters
may be discussed;
- revealing the identity of persons participating in chat rooms or
online discussions;
- using photographs of individuals without their knowledge or consent.
The Federal Trade Commission prepared this guide to help
you comply with the new requirements for protecting children’s privacy
online and understand the FTC’s enforcement authority. Their Web site
is listed at the end of this article.
Who Must Comply
If you operate a commercial Web site or an online service directed
to children under thirteen that collects personal information from children
or if you operate a general audience Web site and have actual knowledge
that it collects personal information from children, you must comply with
the Children’s Online Privacy Protection Act.
Personal Information
The COPPA Act and Rule apply to individually identifiable information
about a child that is collected online, such as full name, home address,
e-mail address, telephone number, or any other information that would
allow someone to identify or contact the child. COPPA also covers other
types of information — for example, hobbies, interests and information
collected through cookies or other types of tracking mechanisms — when
they are tied to individually identifiable information.
Basic Provisions
Privacy Notice Placement
An operator must post a link to a notice of its information practices
on the home page of its Web site or online service and at each
area where it collects personal information from children. An operator
of a general audience site with a separate children’s area must post a
link to its notice on the home page of the children’s area.
The link to the privacy notice must be clear and prominent.
Operators may want to use a larger font size or a different color type
on a contrasting background to make it so. A link in small print at the
bottom of the page — or a link that is indistinguishable from other links
on your site — is not considered clear and prominent.
Privacy Notice Content
The notice must be clearly written and understandable; it should
not include any unrelated or confusing materials. It must state the following
information:
- The name and contact information (address, telephone number, and
e-mail address) of all operators collecting or maintaining children’s
personal information through the Web site or online service. If more
than one operator is collecting information at the site, the site
may select and provide contact information for only one operator who
will respond to all inquiries from parents about the site’s privacy
policies. Still, the names of all the operators must be listed
in the notice.
- The kinds of personal information collected from children (for example,
name, address, e-mail address, hobbies, etc.) and how the information
is collected — directly from the child or passively, say, through
cookies.
- How the operator uses the personal information (for example, is
it for marketing back to the child? notifying contest winners? allowing
the child to make the information publicly available through a chat
room?)
- Whether or not the operator discloses information collected from
children to third parties. If so, the operator also must disclose
the kinds of businesses in which the third parties are engaged; the
general purposes for which the information is used; whether the third
parties have agreed to maintain the confidentiality and security of
the information; and that the parent has the option to agree to the
collection and use of the child’s information without consenting to
the disclosure of the information to third parties.
- That the operator may not require a child to disclose more information
than is reasonably necessary to participate in an activity as a condition
of participation.
- That the parent can review the child’s personal information, ask
to have it deleted and refuse to allow any further collection or use
of the child’s information. The notice also must state the procedures
for the parent to follow.
Direct Notice to Parents-Content
The notice to parents must contain the same information included
on the notice on the Web site. In addition, an operator must notify a
parent that it wishes to collect personal information from the child;
that the parent’s consent is required for the collection, use and disclosure
of the information; and how the parent can provide consent. The notice
to parents must be written clearly and understandably, and must not contain
any unrelated or confusing information. An operator may use any one of
a number of methods to notify a parent, including sending an e-mail message
to the parent or a notice by postal mail.
Verifiable Parental Consent
Before collecting, using, or disclosing personal information
from a child, an operator must obtain verifiable parental consent from
the child’s parent. This means an operator must make reasonable efforts
(taking into consideration available technology) to ensure that before
personal information is collected from a child, a parent of the child
receives notice of the operator’s information practices and consents to
those practices.
Until April 2002, the FTC will use a sliding scale
approach to parental consent in which the required method of consent will
vary based on how the operator uses the child’s personal information.
That is, if the operator uses the information for internal purposes,
a less rigorous method of consent is required. If the operator discloses
the information to others, the situation presents greater dangers
to children, and a more reliable method of consent is required. The sliding
scale approach will sunset in April 2002 subject to a Commission review
planned for October 2001.
Internal Uses
Operators may use e-mail to get parental consent
for all internal uses of personal information, such as marketing back
to a child based on his or her preferences or communicating promotional
updates about site content, as long as they take additional steps to increase
the likelihood that the parent has, in fact, provided the consent. For
example, operators might seek confirmation from a parent in a follow up
e-mail, or confirm the parent’s consent by letter or phone call.
Public Disclosures
When operators want to disclose a child’s personal information
to third parties or make it publicly available (for example, through a
chat room or message board), the sliding scale requires them to
use a more reliable method of consent, including:
- getting a signed form from the parent via postal mail or facsimile;
- accepting and verifying a credit card number;
- taking calls from parents, through a toll-free telephone number
staffed by trained personnel;
- e-mail accompanied by digital signature;
- e-mail accompanied by a PIN or password obtained through one of
the verification methods above.
But in the case of a monitored chat room, if all individually
identifiable information is stripped from postings before it is made public
— and the information is deleted from the operator’s records — an operator
does not have to get prior parental consent.
Disclosures to Third Parties
An operator must give a parent the option to agree to
the collection and use of the child’s personal information without agreeing
to the disclosure of the information to third parties. That is, a parent
can grant consent to allow his/her child to participate in activities
on the site without consenting to the disclosure of the child’s information
to third parties.
Exceptions
The regulations include several exceptions that allow
operators to collect a child’s e-mail address without getting the parent’s
consent in advance. These exceptions cover many popular online activities
for kids, including contests, online newsletters, homework help and
electronic postcards. Prior parental consent is not required when:
- an operator collects a child’s or parent’s e-mail address to provide
notice and seek consent;
- an operator collects an e-mail address to respond to a one-time
request from a child and then deletes it;
- an operator collects an e-mail address to respond more than once
to a specific request — say, for a subscription to a newsletter.
In this case, the operator must notify the parent that it is communicating
regularly with the child and give the parent the opportunity to stop
the communication before sending or delivering a second communication
to a child;
- an operator collects a child’s name or online contact information
to protect the safety of a child who is participating on the site.
In this case, the operator must notify the parent and give him or
her the opportunity to prevent further use of the information;
- an operator collects a child’s name or online contact information
to protect the security or liability of the site or to respond to
law enforcement, if necessary, and does not use it for any other purpose.
October 2001/April 2002
In October 2001, the Commission will seek comment from
interested parties to determine whether technology has progressed as expected
and whether secure electronic methods are widely available and affordable.
Subject to the Commission’s review, the sliding scale will expire in April
2002. Until then, operators are encouraged to use the more reliable methods
of consent for all uses of children’s personal information.
New Notice for Consent
An operator is required to send a new notice and
request for consent to parents if there are material changes
in the collection, use or disclosure practices to which the parent had
previously agreed. Take the case of the operator who got parental consent
for a child to participate in contests that require the child to submit
limited personal information, but who now wants to offer the child chat
rooms. Or, consider the case of the operator who wants to disclose the
child’s information to third parties who are in materially different lines
of business from those covered by the original consent — for example,
marketers of diet pills rather than marketers of stuffed animals. In these
cases, the Rule requires new notice and consent.
Timing
The Rule covers all personal information collected after
April 21, 2000, regardless of any prior relationship an operator has had
with a child. For example, if an operator collects the name and e-mail
address of a child before April 21, 2000, but plans to seek information
about the child’s street address after that date, the later collection
would trigger the Rule’s requirements. In addition, come April 21, 2000,
if an operator continues to offer activities that involve the ongoing
collection of information from children — like a chat room — or begins
to offer such activities for the first time, notice and consent are required
for all participating children regardless of whether the children had
already registered at the site.
Access Verification
At a parent’s request, operators must disclose the general
kinds of personal information they collect from children (for example,
name, address, telephone number, e-mail address, hobbies), as well as
the specific information collected from children who visit their sites.
Operators must ensure they are dealing with the child’s parent before
they provide access to the child’s specific information. They can use
a variety of methods to verify the parent’s identity, including:
- obtaining a signed form from the parent via postal mail or facsimile;
- accepting and verifying a credit card number;
- taking calls from parents on a toll-free telephone number staffed
by trained personnel;
- e-mail accompanied by digital signature;
- e-mail accompanied by a PIN or password obtained through one of
the verification methods above.
Operators who follow one of these procedures, acting in
good faith on a request for parental access, are protected from liability
under federal and state law for inadvertent disclosures of a child’s information
to someone who purports to be a parent.
Revoking and Deleting
At any time, a parent may revoke his/her consent, refuse
to allow an operator to further use or collect their child’s personal
information, and direct the operator to delete the information. In turn,
the operator may terminate any service provided to the child, but only
if the information at issue is reasonably necessary for the child’s participation
in that activity. For example, an operator may require children to provide
their e-mail addresses to participate in a chat room so the operator can
contact a youngster if he is misbehaving in the chat room. If, after giving
consent, a parent asks the operator to delete the child’s information,
the operator may refuse to allow the child to participate in the chat
room in the future. If other activities on the Web site do not require
the child’s e-mail address, the operator must allow the child access to
those activities.
Enforcement
Once the Rule became effective (April 2000), the Commission
became able to bring enforcement actions and impose civil penalties for
violations in the same manner as for other Rules under the FTC Act. In
the meantime, the Commission also retains authority under Section 5 of
the FTC Act to examine information practices in use before the Rule’s
effective date for deception and unfairness. In interpreting Section 5
of the FTC Act, the Commission has determined that a representation, omission
or practice is deceptive if it is likely to:
- mislead consumers; and
- affect consumers’ behavior or decisions about the product or service.
Specifically, it is a deceptive practice under Section
5 to represent that a Web site is collecting personal identifying information
from a child for one reason (say, to earn points to redeem a premium)
when the information will be used for another reason that a parent would
find material, and when the Web site does not disclose the other reason
clearly or prominently.
In addition, an act or practice is unfair if the
injury it causes, or is likely to cause, is:
- substantial;
- not outweighed by other benefits; and
- not reasonably avoidable.
For example, it is likely to be an unfair practice in
violation of Section 5 to collect personal identifying information from
a child, such as e-mail address, home address or phone number, and sell
or otherwise disclose that information to a third party without giving
parents adequate notice and a chance to control the collection and use
of the information.
This information is available
online at http://www.ftc.gov./bcp/conline/pubs/buspubs/coppa.htm
For More Information
If you have questions about complying with the Children’s
Online Privacy Protection Act, visit the FTC online at www.ftc.gov.
Click on Privacy Initiatives. Or, call the FTC’s Consumer Response Center
toll-free at 1-877-FTC-HELP (382-4357), or write Consumer Response Center,
Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, DC
20580.
If you want to see samples of privacy policies, or how other Web sites
handle methods of data collection, type "kids sites" into your
Web browser. You will find many examples.
Originally published in the 2000 Fall issue
of The CampLine.