New federal regulations to protect children's online privacy will take effect on April 21, 2000. These Federal Trade Commission (FTC) rules will implement the Children's Online Privacy Protection Act which was passed by Congress in October 1998. Companies covered by the new rules should prepare now.
The FTC's new rules will apply to all commercial web sites and online services which are either (1) directed at children and collect personal information from children under age 13 or (2) maintained by operators who have "actual knowledge" that personal information is being collected from children under age 13.
The rules will require web site operators and online service providers to:
- post information privacy policies;
- notify parents, and obtain parental consent, before collecting personal information from children;
- allow children's participation with minimal information collection;
- enable parents to review information about their children and prohibit future information collection; and
- adopt procedures to protect the information.
Personal Information. The FTC rules will apply only to "personal information" concerning children. This includes information which can be used to identify a child or to permit direct physical or online contact with a child. In addition to a child's name, mailing address, telephone number, e-mail address, and social security number, the rules would cover any identifier which can be combined with other information to identify or contact a child. The rules will cover information provided by a child as well as information obtained through automated tracking or profiling software, such as "cookies."
Privacy Policies. Companies covered by the new rules must post "clear" and "prominent" links to their children's privacy policies on their home pages and on any pages which collect personal information from children. A children's privacy policy may be part of a general privacy policy, as long as it includes:
- contact information for parents;
- a description of the information collected, how it is used, and the terms under which it may be disclosed to third parties;
- procedures for parents to limit access by third parties; and
- statements affirming the child's right to participate without providing unnecessary information and the parents' right to review and restrict access to information about their children.
Notice and Consent. In most cases, the web site operator must notify the child's parent or legal guardian and obtain a "verifiable consent" before personal information can be collected from a child. In some situations, children's e-mail addresses may be collected without prior parental consent. For example, a child's name and e-mail address may be collected without consent if the information is used only to obtain parental consent, to respond directly to specific requests from a child, or to protect a child's safety. The form of consent depends upon how the information will be used: If the information will be used only internally by the collector, then an e-mail consent is sufficient. Written, telephone, or verified electronic consent is required if the information is intended for public release, such as through a chat room. If the information is intended for release to a specific third party, then parents must be allowed to "opt out" of that disclosure without affecting the child's participation.
Parental Review and Restriction. After personal information is collected from a child, parents must be allowed to review the information, have it deleted, and refuse to permit further collection or use of personal information.
Ban on Conditional Participation. Web site operators and online service providers may cut off a child's access if a parent refuses to provide or revokes consent to collect personal information which is needed for the child's participation. However, a child's participation may not be conditioned on the disclosure of any information which is not "reasonably necessary" to participate in the online activity.
Previously-Collected Information. The FTC's rules will apply to personal information collected from children on or after April 21, 2000, whether or not other personal information has previously been collected. If the online activity involves an ongoing collection of information from children (such as a chat room), then the rules will require parental consent for all children participating as of April 21. In order to avoid breaks in children's access, parental consent should be obtained before the effective date.
Future Safe Harbors. In order to promote self-regulation by Internet companies, the FTC intends to review and endorse industry-approved children's privacy guidelines which will indicate a company's compliance with the FTC rules.
Penalties. Violations of these rules will be treated as "unfair" or "deceptive" trade practices, which are punishable by cease-and-desist orders, public admonition, and substantial fines. These new rules solidify the FTC's role as the federal government's guardian of Internet privacy, and may indicate how the FTC plans to combine traditional regulation with self-regulation as the agency struggles to address broader Internet privacy and consumer protection issues.