[Federal Register Volume 64, Number 80 (Tuesday, April 27, 1999)]
[Proposed Rules]
[Pages 22750-22767]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-10250]



_______________________________________________________________________

Part V





Federal Trade Commission





_______________________________________________________________________



16 CFR Part 312



Children's Online Privacy Protection Rule; Proposed Rule




FEDERAL TRADE COMMISSION

16 CFR PART 312


Children's Online Privacy Protection Rule

AGENCY: Federal Trade Commission.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: In this document, the Federal Trade Commission (the 
``Commission'' or ``FTC'') issues a Notice of Proposed Rulemaking to 
implement the Children's Online Privacy Protection Act of 1998 (``the 
Act''). Section 1303(b) of the Act directs the FTC to promulgate rules, 
not later than 1 year after the date of the enactment of the Act, to 
prohibit unfair and deceptive acts and practices in connection with the 
collection and use of personal information from and about children on 
the Internet.

DATES: Written comments must be submitted on or before June 11, 1999. 
The Commission has reserved July 20, 1999 for a workshop on the 
proposed rule, if the comments submitted indicate that a workshop would 
be necessary or helpful. If a workshop is held, the Commission will 
issue a Federal Register Notice listing the topics to be covered.

ADDRESSES: Written comments should be submitted to: Secretary, Federal 
Trade Commission, Room H-159, 600 Pennsylvania Avenue, NW, Washington, 
DC 20580. The Commission requests that commenters submit the original 
plus five copies, if feasible. To enable prompt review and public 
access, comments also should be submitted, if possible, in electronic 
form, on either a 5 1/4 or a 3 1/2 inch computer disk, with a disk 
label stating the name of the commenter and the name and version of the 
word processing program used to create the document. (Programs based on 
DOS or Windows are preferred. Files from other operating systems should 
be submitted in ASCII text format.) Alternatively, the Commission will 
accept comments submitted to the following e-mail address 
<[email protected]>. Individual members of the public filing comments 
need not submit multiple copies or comments in electronic form. All 
submissions should be captioned: ``Children's Online Privacy Protection 
Rule--Comment, P994504.'' Rebuttal comments should be submitted 
following the same procedures as those stated above. Comments will be 
posted on the Commission's website: <http://www.ftc.gov>.
    To the extent that the notice requirements of the proposed rule 
constitute ``collections of information'' under the Paperwork Reduction 
Act, comments on such requirements should also be submitted to the 
Office of Information and Regulatory Affairs, Office of Management and 
Budget, Room 10235, New Executive Office Building, Washington, DC 
20503, Attention: Desk Officer for FTC.

FOR FURTHER INFORMATION CONTACT: Toby Milgrom Levin, (202) 326-3156, 
Loren G. Thompson, (202) 326-2049, or Jill Samuels, (202) 326-2066, 
Division of Advertising Practices, Bureau of Consumer Protection, 
Federal Trade Commission, 601 Pennsylvania Ave., NW, Washington, DC 
20580.

SUPPLEMENTARY INFORMATION:

Section A. Background

1. Children's Online Privacy Protection Act of 1998

    On October 21, 1998, Congress enacted and the President signed into 
law the Children's Online Privacy Protection Act of 1998 (``the 
Act''),\1\ to prohibit unfair and deceptive acts and practices 
in connection with the collection and use of personally identifiable 
information from and about children on the Internet. The goals of the 
Act are: (1) To enhance parental involvement in a child's online 
activities in order to protect the privacy of children in the online 
environment; (2) to help protect the safety of children in online fora 
such as chat rooms, home pages, and pen-pal services in which children 
may make public postings of identifying information; (3) to maintain 
the security of children's personal information collected online; and 
(4) to limit the collection of personal information from children 
without parental consent.\2\
---------------------------------------------------------------------------

    \1\ Title XIII, Omnibus Consolidated and Emergency Supplemental 
Appropriations Act, 1999, Pub. L. 105-277, 112 Stat. 2681, 
____________ (October 21, 1998) reprinted at 144 Cong. Rec. H11240-
42 (Oct. 19, 1998). Since the Act has not yet been codified, 
citations used in this notice are to the section numbers designated 
in Title XIII of the Omnibus Act.
    \2\ 144 Cong. Rec. S12741 (Oct. 7, 1998) (Statement of Sen. 
Bryan). In the three years prior to the Act's passage, the 
Commission sought to educate industry, the public and itself about 
the issues raised by the online collection of personal information 
from children and adult consumers. In June 1996 and June 1997, the 
Commission held public workshops to learn how the rapidly developing 
online marketplace was affecting consumers' privacy. In March 1998, 
the Commission conducted an extensive survey of commercial websites, 
including 212 children's websites, to learn the extent to which they 
were disclosing their information practices, and, with regard to the 
children's websites, the extent to which they were providing for 
parental notice of and consent to the collection and disclosure of 
children's personal information. The Commission reported the results 
of its survey to Congress in June 1998, and recommended that 
Congress enact legislation to protect children's privacy online. 
(Federal Trade Commission, Privacy Online: A Report to Congress, 
June 1998.) The Commission's survey found that few children's 
websites were disclosing their information practices or providing 
for parental consent. 
---------------------------------------------------------------------------

    Section 1303 of the Act directs the FTC to adopt regulations 
prohibiting unfair and deceptive acts and practices in connection with 
the collection and use of personal information from and about children 
on the Internet. Section 1303(b) sets forth a series of privacy 
protections to prevent unfair and deceptive online information 
collection from or about children. The Act specifies that operators of 
websites directed to children or who knowingly collect personal 
information from children (1) provide parents notice of their 
information practices; (2) obtain prior parental consent for the 
collection, use and/or disclosure of personal information from children 
(with certain limited exceptions for the collection of online contact 
information, e.g., an e-mail address); (3) provide a parent, upon 
request, with the ability to review the personal information collected 
from his/her child; (4) provide a parent with the opportunity to 
prevent the further use of personal information that has already been 
collected, or the future collection of personal information from that 
child; (5) limit collection of personal information for a child's 
online participation in a game, prize offer, or other activity to 
information that is reasonably necessary for the activity; and (6) 
establish and maintain reasonable procedures to protect the 
confidentiality, security, and integrity of the personal information 
collected.\3\
---------------------------------------------------------------------------

    \3\ Supra note 1.
---------------------------------------------------------------------------

    The Act authorizes the Commission to bring enforcement actions for 
violations of the final Rule in the same manner as for other rules 
defining unfair and deceptive acts or practices under section 5 of the 
Federal Trade Commission Act.\4\ In addition, section 1305 of 
the Act authorizes state attorneys general to enforce compliance with 
the final Rule by filing actions in federal court after serving prior 
written notice upon the Commission when feasible.
---------------------------------------------------------------------------

    \4\ Section 1306(d) of the Act provides that the rule shall be 
treated as a rule issued under Sec. 18 (a)(1)(B) of the FTC Act (15 
U.S.C. 57a (a)(1)(B)).
---------------------------------------------------------------------------

Section B. Overview of the Proposed Rule

    The Internet offers children unprecedented opportunities for 
learning, recreation, and communication in ways scarcely imagined a 
decade ago. Children are actively engaged in a wide variety of online 
activities. They communicate with one another in online chat rooms and 
bulletin boards, through 
online pen-pal services, and by posting personal home pages. They 
participate in games and contests sponsored by websites, and they use 
the Internet to access information on all manner of subjects.
    Despite its obvious attraction for children, the Internet is also a 
medium in which children can be placed at risk. As they use the 
Internet, children, like others, are often asked to provide a wide 
variety of personal information about themselves. Websites and online 
services collect this information by such means as registration pages, 
order forms, contests, surveys, chat rooms, and bulletin boards. In 
general, they have collected this information, and have in some 
instances shared it with third parties, without notice to children or 
their parents. In addition, public posting of children's personal 
information makes it available to anyone on the Internet, including 
those who would harm children.
    The proposed Rule is designed to assist parents in controlling the 
flow of their children's personal information on the Internet. It 
contains a general requirement that operators of websites or online 
services directed to children (``operators'') not condition children's 
participation in online activities on the provision of more personal 
information than is reasonably necessary to participate in the 
activity. This will prevent operators from using popular games and 
activities as a means of obtaining children's information.
    Operators are also required to post prominent links on their 
websites to a notice of how they collect and use personal information 
from children. In most circumstances, the proposed Rule requires 
operators to notify parents that they wish to collect personal 
information from their children and to obtain parental consent prior to 
collecting, using, or disclosing such information. Parents then have 
the option of prohibiting operators from disclosing their child's 
personal information to third parties. In addition, operators must 
allow parents the opportunity to review and make changes to any 
information provided by their children. Parents at any time may also 
require the operator to delete their children's information and 
prohibit the operator from collecting any more information from their 
children in the future. The proposed Rule also requires that operators 
establish procedures to protect the confidentiality, security, and 
integrity of the personal information collected from children.
    Because the proposed Rule applies to the use or disclosure of 
personal information and not just its collection, it protects personal 
information collected from children prior to the effective date of the 
final Rule if an operator wishes to use such information in the future. 
Thus, for example, an operator that maintains a database of children's 
personal information must provide notice to the parent and obtain 
parental consent prior to using such information once the Rule is 
effective.
    Finally, under the proposed Rule, industry groups or others may 
seek Commission approval for self-regulatory guidelines. Operators who 
participate in such approved programs may be subject to the review and 
disciplinary procedures provided in these guidelines in lieu of formal 
Commission investigation and law enforcement.
    Section 312.1 describes the scope of the regulations under this 
Act. Section 312.2 contains the definitions of the terms used in the 
proposed Rule, such as ``operator'' and ``personal information.'' 
Section 312.3 sets out the general requirements that operators must 
follow when seeking to collect, use, and/or disclose personal 
information from children. Section 312.4 contains the requirements for 
providing notice on the website and to parents under the various 
requirements of the proposed Rule. Section 312.5 sets out the 
procedures by which operators can obtain consent from parents to the 
collection, use, and/or disclosure of personal information from 
children. Section 312.6 requires operators to allow parents to review, 
make changes to, or have deleted the personal information collected 
from their children. Section 312.7 prohibits operators from 
conditioning a child's participation in online activities on the 
provision of more personal information than is reasonably necessary to 
participate in those activities. Section 312.8 requires operators to 
establish reasonable procedures to maintain the confidentiality, 
security, and integrity of the information collected from children. 
Section 312.9 establishes that violations of the proposed Rule will be 
treated as a violation of a rule defining an unfair or deceptive act or 
practice under the FTC Act. Section 312.10 establishes procedures by 
which industry groups or other persons can request Commission approval 
for their self-regulatory guidelines. Sections 312.11 and 312.12 
address Commission review of the proposed Rule and the proposed Rule's 
severability.
    Each of the provisions is indented, followed by a brief discussion 
where needed. The full text of the proposed Rule appears in Section J 
of this Notice.

Section 312.1  Scope of Regulations in This Part

    This Rule implements the Children's Online Privacy Protection Act 
of 1998, to be codified at 15 U.S.C. ____________, et seq., which 
prohibits unfair and deceptive acts and practices in connection with 
the collection, use, and/or disclosure of personal information from and 
about children on the Internet.

Section 312.2  Definitions

    Child means an individual under the age of 13.
    Collects or collection means the direct or passive gathering of any 
personal information from a child by any means, including but not 
limited to:
    (a) Any online request for personal information by the operator 
regardless of how that personal information is transmitted to the 
operator;
    (b) Collection using a chat room, message board, or other public 
posting of such information on a website or online service; or
    (c) Passive tracking or use of any identifying code linked to an 
individual, such as a cookie.
    This term includes all online requests for personal information 
regardless of whether the personal information is ultimately transmitted 
online or offline. Thus, it would include a situation where the website 
or online service directs the child to print out a form, respond in 
writing to the questions, and mail the form back to the website or 
online service.
    Commission means the Federal Trade Commission.
    Delete means to remove personal information such that it is not 
maintained in retrievable form and cannot be retrieved in the normal 
course of business.
    Disclosure means, with respect to personal information:
    (a) The release of personal information collected from a child in 
identifiable form by an operator for any purpose, except where an 
operator provides such information to a person who provides support for 
the internal operations of the website or online service and who does 
not disclose or use that information for any other purpose, where
    (1) Release of personal information means the sharing, selling, 
renting, or any other means of providing personal information to any 
third party, and
    (2) Support for the internal operations of the website or online 
service means those activities necessary to maintain the technical 
functioning of the website or online service, or to fulfill a request 
of a child as permitted by Secs. 312.5(c) (2) and (3); and
    (b) Making personal information collected from a child by an 
operator publicly available in identifiable form, by any means, 
including by a public posting through the Internet, or through a 
personal home page posted on a website or online service; a pen-pal 
service; an electronic mail service; a message board; a chat room; or 
any other means that would enable a child to reveal personal 
information to others online.
    Contractors who provide technical support or fulfillment services 
for a website or online service are considered to be providing support 
for the website or online service's internal operations. Technical 
support includes providing the server for the website, online service, 
chat, or e-mail services. Fulfillment services include supplying 
children with the items they request from the operator. This provision 
permits an operator to contract for technical and fulfillment 
operations that may involve the handling of personal information 
without triggering a disclosure in the notice.
    The proposed Rule, however, requires operators, among other things, 
to maintain the confidentiality, security, and integrity of the 
personal information they collect from children. (See Sec. 312.7.) Thus 
the operator is responsible for ensuring that any person with whom it 
contracts for these technical services does not disclose the personal 
information and complies with the information safeguards of the 
proposed Rule. As described in the discussion of Sec. 312.7 below, such 
safeguards may include, for example, maintaining the data off the 
server, requiring a password to access the data, and limiting employee 
access to the data.
    Federal agency means an agency, as that term is defined in section 
551(1) of title 5, United States Code.
    Internet means collectively the myriad of computer and 
telecommunications facilities, including equipment and operating 
software, which comprise the interconnected world-wide network of 
networks that employ the Transmission Control Protocol/Internet 
Protocol, or any predecessor or successor protocols to such protocol, 
to communicate information of all kinds by wire, radio, or other 
methods of transmission.
    By including the phrase ``other methods of transmission,'' this 
definition ensures that the proposed Rule adequately addresses future 
technological developments such as wireless transmission and access to 
what is now referred to as the ``Internet.''
    Online contact information means an e-mail address or any other 
substantially similar identifier that permits direct contact with a 
person online.
    Operator means any person who operates a website located on the 
Internet or an online service and who collects or maintains personal 
information from or about the users of or visitors to such website or 
online service, or on whose behalf such information is collected or 
maintained, where such website or online service is operated for 
commercial purposes, including any person offering products or services 
for sale through that website or online service, involving commerce
    (a) Among the several States or with 1 or more foreign nations;
    (b) in any territory of the United States or in the District of 
Columbia, or between any such territory and
    (1) Another such territory, or
    (2) Any State or foreign nation; or
    (c) Between the District of Columbia and any State, territory, or 
foreign nation. This definition does not include any nonprofit entity 
that would otherwise be exempt from coverage under section 5 of the 
Federal Trade Commission Act (15 U.S.C. 45).
    The term ``operator'' includes both a person who collects or 
maintains personal information directly from a visitor through a 
website or online service and a person who collects or maintains such 
information through another's website or online service. The statute 
places the regulatory obligations on the operator. In determining who 
is the operator for purposes of the proposed Rule, the Commission will 
consider such factors as who owns the information, who controls the 
information, who pays for the collection or maintenance of the 
information, the pre-existing contractual relationships surrounding the 
collection or maintenance of the information, and the role of the 
website or online service in collecting and/or maintaining the 
information.
    Where the website or online service merely acts as the conduit 
through which the personal information collected flows to another 
person or to another's website or online service, and the website or 
online service does not have access to the information, then it is not 
an operator under the proposed Rule.\5\ Where both the website 
or online service and another person have access to or control over the 
information collected, and are considered operators under the factors 
listed above, both parties will have joint responsibility to provide 
the protections required by the proposed Rule. In circumstances of 
joint responsibility, the parties may make arrangements between them to 
facilitate implementation of their responsibilities. For example, it 
may be more efficient for the website or online service to provide 
parental notice and obtain parental consent, since it has the direct 
relationship with its visitors. Nevertheless, each operator is 
responsible for ensuring that the obligations of the proposed Rule are 
fulfilled.
---------------------------------------------------------------------------

    \5\ Similarly, where the website or online service hires a 
contractor to provide support for its ``internal operations,'' the 
contractor would not be deemed an operator if it merely acts as the 
conduit and uses the information only to the extent necessary to 
process the information for the operator.
---------------------------------------------------------------------------

    An operator may choose to release personal information it has 
collected to a ``third party.'' As defined below, a ``third party'' is 
``any person who is neither an operator with respect to the collection 
of personal information on the website or online service, nor the 
person who provides support for the internal operations of the website 
or online service.'' In general, a third party does not collect, own, 
or control the personal information at the time it is collected. In 
determining whether an entity is an ``operator'' or ``third party,'' 
the entity's corporate relationship to another operator, such as 
whether it is an affiliate, is not a determinative factor. Rather, as 
described above, its status is determined by how the data is obtained 
and used.
    Parent includes a legal guardian.
    Person means any individual, partnership, corporation, trust, 
estate, cooperative, association, or other entity.
    Personal information means individually identifiable information 
about an individual collected online, including:
    (a) A first and last name;
    (b) A home or other physical address including street name and name 
of a city or town;
    (c) An e-mail address;
    (d) A telephone number;
    (e) A Social Security number;
    (f) A persistent identifier, such as a customer number held in a 
cookie or a processor serial number, where such identifier is 
associated with personal identifying information; a screen name that 
reveals an individual's e-mail address; an instant messaging user 
identifier; or a combination of a last name with other information such 
that the combination permits physical or online contacting; or
    (g) Information concerning the child or the parents of that child 
that the operator collects online from the child and combines with an identifier 
described in this paragraph.
    Section 1302(8)(F) of the Act authorizes the Commission to expand 
the definition of ``personal information'' to include other identifiers 
that permit physical or online contacting of a specific individual. The 
proposed definition, therefore, adds several identifiers to 
Sec. 312.2(f) that were not enumerated in the Act:

    (1) A persistent identifier, such as a cookie or a processor serial 
number, where it is associated with personal identifying information;
    (2) A screen name that reveals an individual's e-mail address;
    (3) An instant messaging user identifier;\6\ or
---------------------------------------------------------------------------

    \6\ An ``instant messaging user identifier'' permits users, 
including children, to conduct what is commonly known as ``ICQ'' or 
``Instant Messaging.'' This service is basically a combination of e-
mail and chat and is offered for free by a number of websites and 
online services. It permits an individual, upon registration, to 
send and receive communication on the Internet in real time. Users 
can also search instant messaging directories which may provide 
users' real names, e-mail addresses, cities, gender and age 
information.
---------------------------------------------------------------------------

    (4) A combination of a last name with other information such that 
the combination permits physical or online contacting, e.g., the name 
of the child's school, zip code, church, or athletic team.
    Each of the above items is specified in the proposed Rule because 
they permit physical or online contacting of a specific individual.
    Third party means any person who is neither an operator with 
respect to the collection of personal information on the website or 
online service, nor a person who provides support for the internal 
operations of the website or online service.
    Obtaining verifiable consent means making any reasonable effort 
(taking into consideration available technology) to ensure that before 
personal information is collected from a child, a parent of the child:
    (a) receives notice of the operator's personal information 
collection, use, and disclosure practices; and
    (b) authorizes any collection, use, and/or disclosure of the 
personal information.
    This definition is taken directly from the Act. Possible examples 
of reasonable efforts are found below in Sec. 312.5(b), describing 
parental consent.
    Website or online service directed to children means a commercial 
website or online service, or portion thereof, that is targeted to 
children. Provided, however, that a commercial website or online 
service, or a portion thereof, shall not be deemed directed to children 
solely because it refers or links to a commercial website or online 
service directed to children by using information location tools, 
including a directory, index, reference, pointer, or hypertext link. In 
determining whether a commercial website or online service, or a 
portion thereof, is targeted to children, the Commission will consider 
its subject matter, visual or audio content, age of models, language or 
other characteristics of the website or online service, as well as 
whether advertising promoting or appearing on the website or online 
service is directed to children. The Commission will also consider 
competent and reliable empirical evidence regarding audience 
composition; evidence regarding the intended audience; and whether a 
site uses animated characters and/or child-oriented activities and 
incentives.
    The definition of ``directed to children'' permits the Commission 
to consider a number of different factors in determining whether a 
website or online service, or a portion thereof, is directed to 
children. The Commission may consider whether the website or online 
service, or portion thereof, is designated as a children's area; the 
site's subject matter, visual or audio content, age of models, language 
or other characteristics; and whether the site uses features designed 
to be attractive to children, such as games, puppets, or animated 
characters and child-oriented activities and incentives.
    This approach is consistent with that taken in other media to 
define what is directed to children, including television, radio, and 
print advertising. It also provides the Commission flexibility as it 
seeks to enforce the proposed Rule in the new and developing online 
medium.
    An operator of a website or online service with a ``portion'' 
directed to children will have duties under the proposed Rule for that 
portion. An operator of a general interest website or online service 
that is not directed to children, however, will have duties under the 
proposed Rule only if it knows that particular visitors are under the 
age of 13.

Section 312.3  Regulation of Unfair and Deceptive Acts and Practices in 
Connection with the Collection, Use, and/or Disclosure of Personal 
Information From and About Children on the Internet

    General requirements. It shall be unlawful for any operator of a 
website or online service directed to children, or any operator that 
has actual knowledge that it is collecting personal information from a 
child, to collect personal information from a child in a manner that 
violates the regulations prescribed under this Rule. Generally, under 
this Rule, an operator must:
    (a) Provide notice on the website or online service of what 
information it collects from children, how it uses such information, 
and its disclosure practices for such information (Sec. 312.4(b));
    (b) Obtain verifiable parental consent for any collection, use, 
and/or disclosure of personal information from children (Sec. 312.5);
    (c) Provide a reasonable means for a parent to review the personal 
information collected from a child and to refuse to permit its further 
use or maintenance (Sec. 312.6);
    (d) Not condition a child's participation in a game, the offering 
of a prize, or another activity on the child disclosing more personal 
information than is reasonably necessary to participate in such 
activity (Sec. 312.7); and
    (e) Establish and maintain reasonable procedures to protect the 
confidentiality, security, and integrity of personal information 
collected from children (Sec. 312.8).
    Section 312.3 of the proposed Rule outlines the general 
requirements that an operator must implement in connection with any 
collection, use, and/or disclosure of personal information obtained 
from children. Failure to abide by these requirements constitutes an 
unfair and/or deceptive act or practice within the meaning of the FTC 
Act. Each of these general requirements is defined in more detail in 
specific paragraphs of the proposed Rule.

Section 312.4  Notice.

    The proposed Rule requires operators to both post on the website or 
online service and send to parents notices of the operator's 
information collection practices and the intended actions with respect 
to the use and/or disclosure of information collected from 
children.\7\ Section 312.4 specifies the information that must 
be included in such notices, and states how such notices must be posted 
on the website or online service or provided to parents.
---------------------------------------------------------------------------

    \7\ See, e.g., sections 312.3(a) (requiring notice on the 
website), and 312.5 (setting out the requirements for notice to 
parents and for obtaining verifiable parental consent).
---------------------------------------------------------------------------

    Section 312.4(a) sets out the general principles of effective 
notice; section 312.4(b) sets out the requirements for the notice on 
the website or online service; and section 312.4(c) sets out the 
requirements for notices that are sent

[[Page 22754]]

directly to parents under various other provisions of the proposed 
Rule.
(a) General Principles of Notice
    All notices under Secs. 312.3(a) and 312.5 must be clearly and 
understandably written, be complete, and must contain no unrelated, 
confusing, or contradictory materials.
    The operator's notice will form the basis for a parent's decision 
whether to give the operator consent to collect, use and/or disclose 
personal information from his or her child. In order to provide truly 
informed consent, a parent must have a clear idea of what the operator 
wishes to do. Therefore, it is essential that such notices be prominent 
and easy to find (in the case of a notice posted on the website or 
online service), and be clearly and understandably written. It is also 
essential that such notices contain all relevant information, and 
contain no unrelated, confusing, or contradictory materials.
(b) Notice on the Website or Online Service
    An operator must post a link to a notice of its information 
practices with regard to children on the home page of its website or 
online service and at each place on the website or online service where 
personal information is collected from children.
    (1) Placement of the notice.
    (i) The link to the notice must be clearly labeled as a notice of 
the website or online service's information practices with regard to 
children;
    (ii) The link to the notice must be placed in a prominent place on 
the home page of the website or online service such that a typical 
visitor to the home page can see the link without having to scroll 
down; and
    (iii) There must be a prominent link to the notice at each place on 
the website or online service where children directly provide, or are 
asked to provide, personal information such that a typical visitor to 
those places can see the link without having to scroll down.
    Under section 312.3(a) of the proposed Rule, operators are required 
to provide notice on the website or online service of their practices 
with regard to the collection, use, and disclosure of information 
sought online from children.\8\ Under section 312.4(b)(1), 
operators must post links to the notice on the website or online 
service's home page and at each place on the website or online service 
where personal information is collected from children. The link on the 
home page must be placed such that a typical visitor does not need to 
scroll down from the initial viewing screen. A small link at the foot 
of the page, for example, is not sufficient, because the risk is great 
that many people will not notice it and will therefore not have the 
opportunity to learn about the operator's policies. In addition, if the 
policy is included as part of a larger document, it is important that 
the required link take visitors directly to the part of the document 
that discusses the operator's information practices with regard to 
children.\9\ Similarly, it is important to provide a link to 
the policy at each place on the website or online service where 
information is collected from children because (a) not all visitors to 
a website or online service enter it through the home page, and (b) a 
link at the point of information collection guarantees that the notice 
will be seen by a parent who is visiting the website or online service 
to learn about the operator's specific information practices. Being 
able to review an operator's policies in context can help parents 
understand why such information is being collected.
---------------------------------------------------------------------------

    \8\ Often, such information practice policies are referred to as 
``privacy policies.'' The Commission encourages operators to use 
informative names for their information practice policies. A link to 
an information practice policy that is labeled ``About Us'' or 
``What We Do,'' for example, will probably not convey to visitors 
that the link will take them to a statement of the operator's 
information practices.
    \9\ Operators who use more than one set of practices on a 
website (e.g., separate practices for children and adults) must be 
especially careful to label the different practices clearly, and to 
make sure that the notices are written clearly in order to avoid any 
possible confusion.
---------------------------------------------------------------------------

    (2) Content of the notice.
    Generally speaking, parents need to know (a) who is collecting 
information through a website or online service; (b) what kind of 
information is collected through the website or online service; (c) how 
information is collected through the website or online service; (d) how 
such information will be used, including whether it will be disclosed 
to third parties and for what general purposes; (e) what control 
parents can exercise over their children's information, the procedures 
for doing so, and the consequences of their refusal to provide 
information; and (f) what general measures the operator takes to ensure 
the confidentiality, integrity, and quality of the information 
collected. Section 312.4(b)(2) sets out in detail the information 
operators must include in their notices in order to satisfy the 
requirements of this section of the proposed Rule.
    To be complete, the notice of the website or online service's 
information practices must state the following:
    (i) The name, address, phone number, and e-mail address of all 
operators collecting personal information from children through the 
website or online service;
    Section 312.4(b)(2)(i) of the proposed Rule requires all operators 
that are collecting personal information through the website or online 
service to state their name, address, phone number, and e-mail address. 
This information will enable parents to both identify and contact the 
operator should they want further information about the website or 
online service, or to request an opportunity to review information 
collected from their child pursuant to section 312.6 below.
    (ii) The types of personal information collected from children and 
whether the personal information is collected directly or passively;
    Section 312.4(b)(2)(ii) of the proposed Rule requires operators to 
list the types of personal information collected online, e.g., name, 
address, hobbies, and investment information, and whether such 
information is collected directly or passively from children. While 
operators are not required to list each and every piece of information 
collected, the categories operators select should be descriptive enough 
that parents can make an informed decision about whether to consent to 
the operator's collection and/or use of the information. It is not 
necessary to list each item of information collected. A notice, 
however, that simply states ``We collect personal information from your 
kids'' does not provide enough information for parents.
    (iii) How such personal information is or may be used by the 
operator, including but not limited to fulfillment of a requested 
transaction, recordkeeping, marketing back to the child, or making it 
publicly available through a chat room or by other means;
    Section 312.4(b)(2)(iii) of the proposed Rule requires operators to 
list how the personal information will be used once it has been 
collected, including such uses as order fulfillment, recordkeeping, 
marketing back to the child, disclosure to third parties or making it 
publicly available through a chat room or by other means. As in section 
312.4(b)(2)(ii) of the proposed Rule, the challenge for the operator 
will be to provide enough information for parents to make informed 
decisions without listing every specific or possible use of the 
information. For example, the statement that ``we use this information 
to provide information on toys to your child'' is probably just as 
informative as the statement ``we use this information to provide your 
child with information

[[Page 22755]]

on beanie babies, dolls, action figures, puzzles, and stuffed 
animals.''
    In addition, where the operator permits a child to engage in 
interactive activities that enable a child to publicly reveal his or 
her personal information, e.g., a chat room, message board, e-mail 
service, instant message, or personal home page, the operator must 
clearly state that in its notice to the parent.
    (iv) Whether personal information is disclosed to third parties, 
and if so, the types of business in which such third parties are 
engaged, and the general purposes for which such information is used; 
whether those third parties have agreed to maintain the 
confidentiality, security, and integrity of the personal information 
they obtain from the operator; and that the parent has the option to 
consent to the collection and use of their child's personal information 
without consenting to the disclosure of that information to third 
parties;
    Section 312.4(b)(2)(iv) of the proposed Rule relates to the 
operator's practices with respect to third parties. It requires 
operators that disclose children's personal information to third 
parties to provide a brief statement of the types of business in which 
the third parties are engaged, e.g., list brokering, advertising, 
magazine publishing, or retailing, and to state the general purposes 
for which it is disclosed to third parties. See section 312.2 regarding 
the definition of ``third party.'' It is important for parents to know 
not just that their child's information is being disclosed to third 
parties, but for what purposes. Simply telling parents that their 
child's personal information is (or may be) ``disclosed to third 
parties'' does not give parents enough information upon which to base 
their consent or refusal to consent to the operator's information 
practices.
    Section 312.4(b)(2)(iv) also requires operators to state whether 
the third parties to whom they disclose personal information have 
agreed to maintain the confidentiality of that information. An 
operator's good information practices can be rendered useless if 
someone to whom the operator discloses personal information does not 
also protect the information. If their children's personal information 
will not be protected once it leaves the control of the operator, the 
operator must make that clear to parents.
    Finally, section 312.4(b)(2)(iv) requires operators to tell parents 
that they have the option to consent to the collection and use of their 
child's personal information without consenting to the disclosure of 
that information to third parties.
    (v) That the operator is prohibited from conditioning a child's 
participation in an activity on the child's disclosing more personal 
information than is reasonably necessary to participate in such 
activity; and
    Section 312.4(b)(2)(v) provides notice to the parent that the 
operator is prohibited from requiring a child to disclose more personal 
information than is reasonably necessary to participate in an activity 
such as a game or contest. This statement merely paraphrases the 
prohibition enumerated in section 312.7 of the proposed Rule. Providing 
this information in the notice enables the parent to evaluate the 
appropriateness of a request for personal information on a website or 
online service.
    (vi) That the parent can review, make changes to, or have deleted 
the child's personal information and state the procedures for doing so.
    Under section 312.4(b)(2)(vi) of the proposed Rule, the operator 
must state in the notice that parents have the right to review 
information provided by their child and make changes to and/or have the 
information deleted. In addition, the operator must describe how 
parents can do so.\10\
---------------------------------------------------------------------------

    \10\ See section 312.6 (Right of parent to review personal 
information provided by child.) for a more detailed discussion.
---------------------------------------------------------------------------

(c) Notice to a Parent
    Under Sec. 312.5, an operator must make reasonable efforts, taking 
into account available technology, to ensure that a parent of a child 
receives notice of an operator's practices with regard to the 
collection, use, and/or disclosure of the child's personal information, 
including any collection, use, and/or disclosure to which the parent 
has not previously consented.
    This section of the proposed Rule requires operators to make 
reasonable efforts, taking into account available technology, to 
provide direct notice to a parent whose child wants to provide personal 
information or from whose child the operator wishes to collect personal 
information. This notice will form the basis for the parent's decision 
regarding the operator's request to collect information from or about 
the child. To that end, the notice must (a) give the parent 
comprehensive information about the operator's information practices 
and policies, including informing parents of changes requiring a new 
consent; (b) lay out the parent's options with regard to consent; (c) 
describe the procedures by which the parent can provide verifiable 
consent (see section 312.5 of the proposed Rule); and (d) describe the 
parent's right to review and make changes to information provided by 
the child and lay out the procedures for doing so (see section 312.6 of 
the proposed Rule). Section 312.4(c)(1) details the information that 
must be included in the notice to the parent.
    Reasonable efforts to provide parents with notice under this 
section can include, but are not limited to, sending the notice by 
postal mail, sending the notice to the parent's e-mail address, or 
having the child print out a form to give to the parent.
    An operator must also send the parent an updated notice and request 
for consent for any collection, use, or disclosure of his or her 
child's personal information not covered by a previous consent. A new 
notice and request for consent will be required, for example, if the 
operator wishes to use the information in a manner that was not 
included in the original notice, such as disclosing it to parties not 
covered by the original consent, including parties created by a merger 
or other corporate combination involving existing operators or third 
parties.
    (1) Content of the notice to the parent.
    (i) All notices must state the following:
    (A) That the operator wishes to collect personal information from 
the child;
    (B) The information set forth in paragraph 312.4(b) of this 
section.
    (ii) In the case of a notice to obtain verifiable parental consent 
under Sec. 312.5(a), the notice must also state that the parent's 
consent is required for the collection, use, and/or disclosure of such 
information, and the means by which the parent can provide verifiable 
consent to the collection of information.
    The operator must tell the parent that the operator wishes to 
collect personal information from the child. Section 312.4(c)(1)(i) 
requires that all notices, whether pursuant to section 312.5(a) or 
312.5(c)(3), contain the information set forth in section 312.4(b). 
Section 312.4(c)(1)(ii) applies to notice pursuant to section 312.5(a), 
which requires prior verifiable parental consent. In such cases, the 
operator must inform the parent that his or her consent is required for 
the collection, use, and/or disclosure of the child's personal 
information, and that no collection, use, or disclosure will take place 
absent the parent's affirmative consent. The operator must also tell 
the parent how to provide verifiable consent or refuse to consent to 
the operator's desired collection, use, and/or disclosure of the 
child's information. See section 312.5 of the proposed Rule for further 
detail on providing parental consent.

[[Page 22756]]

    (iii) In the case of a notice under the exception in 
Sec. 312.5(c)(3), the notice must also state the following:
    (A) That the operator has collected the child's e-mail address or 
other online contact information to respond to the child's request for 
information and that the requested information will require more than 
one contact with the child;
    (B) That the parent may refuse to permit further contact with the 
child and require the deletion of the e-mail address or other online 
contact information; and
    (C) That if the parent fails to respond to the notice, the operator 
may use the information for the purpose(s) stated in the notice.
    Under section 312.4(c)(1)(iii) of the proposed Rule, if the child 
has made a direct request of the operator that would require the 
operator to make repeated contact with the child (see section 
312.5(c)(3) of the proposed Rule), the operator must tell the parent of 
the child's request, notify the parent that his or her child has 
provided the operator with an e-mail address so the operator can 
fulfill that request, and state that the parent may refuse to permit 
further contact with the child and require the operator to delete the 
child's online contact information. Because this type of contact with 
the child does not require a parent's affirmative consent, the operator 
must clearly notify the parent that, in this instance, if the parent 
fails to respond to the notice, the operator may use the information 
for the purpose(s) stated in the notice.
    (iv) In the case of a notice under the exception in 
Sec. 312.5(c)(4), the notice must also state the following:
    (A) That the operator has collected the child's name and an e-mail 
address or other online contact information to protect the safety of 
the child participating on the website or online service;
    (B) That the parent may refuse to permit the use of the information 
and require the deletion of the information; and
    (C) That if the parent fails to respond to the notice, the operator 
may use the information for the purpose stated in the notice.
    Section 312.4(c)(1)(iv) requires an operator to give a parent 
notice and an opportunity to refuse to permit the continued use of the 
information where the operator has collected the child's name and 
online contact information for purposes of providing for the safety of 
the child. (See discussion of the safety concerns in the discussion of 
Sec. 312.5(c)(4).)

Section 312.5  Parental Consent

(a) General Requirements
    (1) An operator is required to obtain verifiable parental consent 
before any collection, use, and/or disclosure of personal information 
collected from children, including any collection, use and/or 
disclosure to which the parent has not previously consented.
    (2) An operator must give the parent the option to consent to the 
collection and use of the child's personal information without 
consenting to disclosure of his or her personal information to third 
parties.
    As described in Sec. 312.3(b), the general rule is that an operator 
is required to obtain verifiable parental consent ``before'' any 
collection, use, and/or disclosure of personal information from 
children under the age of 13. As noted above, this means that an 
operator must obtain verifiable parental consent prior to using or 
disclosing any information already in its possession as of the 
effective date of the proposed Rule. Moreover, where an operator 
changes its collection, use and/or disclosure practices from that 
provided in the notice, it must obtain verifiable parental consent to 
the new practice(s) before using the personal information. See 
discussion of Section 312.4(c), above. Section (a)(2) gives parents the 
right to consent to an operator's collection and use of their 
children's information without consenting to the disclosure of that 
information to third parties. This provision ensures that operators 
will not be able to condition a child's participation in any online 
activity on obtaining parental consent to disclosure to third parties.
(b) Mechanisms for Verifiable Parental Consent
    An operator must make reasonable efforts to obtain verifiable 
parental consent, taking into consideration available technology. Any 
method to obtain verifiable parental consent must be reasonably 
calculated, in light of available technology, to ensure that the person 
providing consent is the child's parent.
    Operators may develop any number of ways to implement this 
requirement. At this time, the Commission is not prepared to commit to 
any particular method or methods, but rather, invites comments on the 
feasibility, costs, and benefits of various methods of obtaining 
parental consent. Among other possibilities, an operator could provide 
a consent form to be signed by the parent and returned to the operator 
by postal mail or facsimile, require a parent to use a credit card in 
connection with a transaction, or have a parent call a toll-free 
telephone number. Another possibility could be an e-mail accompanied by 
a valid digital signature. The Commission is also considering whether 
there are other e-mail-based mechanisms that would satisfy the Act's 
requirements--i.e., whether they could provide sufficient assurance 
that the person providing the consent is the child's parent. See 
questions ________ and ________, below.
    One way to comply with this requirement would be for portal sites, 
online services that offer their own proprietary areas, or others to 
provide a parental consent service for their content partners. In 
addition, it may be acceptable for a business to provide notice and 
consent services for individual operators. Such services must, however, 
provide adequate notice to parents about the information practices of 
the participating partners to ensure that a parent's consent to the 
sharing of their child's personal information is informed and 
meaningful.
(c) Exceptions to Prior Parental Consent
    Verifiable parental consent is required prior to any collection, 
use and/or disclosure of personal information from a child except as 
set forth in this paragraph. The exceptions to prior parental consent 
are as follows:
    (1) Where the operator collects the name or online contact 
information of a parent or child to be used for the sole purpose of 
obtaining parental consent or providing notice under Sec. 312.4. If the 
operator has not obtained parental consent after a reasonable time from 
the date of the information collection, the operator must delete such 
information from its records;
    This exception permits an operator to collect the parent or child's 
name or e-mail address to provide notice and obtain parental consent. 
While section 1303(b)(2)(B) of the Act permits collection of a parent 
or child's online contact information, the Commission encourages 
operators to collect only the parent's e-mail address and the child's 
first name for purposes of this exception. (Collection of the child's 
first name should be adequate to inform the parent which child's 
information is being sought.) In many instances the child's e-mail 
address may be the same as the parent's. Nevertheless, since this 
exception is solely to enable the operator to provide parental notice 
and obtain parental consent, collection of the child's information 
would seem to be unnecessary.
    (2) Where the operator collects online contact information from a 
child for the

[[Page 22757]]

sole purpose of responding directly on a one-time basis to a specific 
request from the child, and where such information is not used to 
recontact the child and is deleted by the operator from its records;
    This exception is intended to permit operators to respond to 
specific requests from a child, such as to provide homework assistance 
or to answer questions posed by the child. A request must be specific 
in scope and should be initiated by the child. Under this exception, 
the operator responds to the child's request for information by sending 
an e-mail containing the answer or response, but does not retain the 
child's e-mail address for any further use. Operators should consider, 
however, whether frequently requested information cannot just as easily 
be posted on the website or online service, thus obviating the need for 
the collection of any online contact information in the first instance.
    (3) Where the operator collects online contact information from a 
child to be used to respond directly more than once to a specific 
request from the child, and where such information is not used to 
recontact the child beyond the scope of that request. In such case, the 
operator must make reasonable efforts, taking into consideration 
available technology, to ensure that a parent receives notice and has 
the opportunity to request that the operator make no further use of the 
information, as described in Sec. 312.4(c), immediately after the 
initial response and before making any additional response to the 
child. Mechanisms to provide such notice include, but are not limited 
to, sending the notice by postal mail or sending the notice to the 
parent's e-mail address, but do not include asking a child to print a 
notice form or sending an e-mail to the child;
    This paragraph permits an operator to respond to a child's request 
for an online newsletter, for example, or to conduct a contest 
requiring later notification of the winner. Section 1303(b)(2)(C) of 
the Act does not specify whose online contact information may be 
collected, the parent or the child's; however, because the operator 
must already collect the parent's online contact information for 
purposes of providing the parent notice under this section, the 
Commission recommends that the operator collect the parent's e-mail 
address and offer the parent the option of substituting the child's 
e-mail address. Because under this paragraph a parent's silence after 
receiving notice constitutes consent to the operator's intended use, it 
is critical that the operator choose a method that ensures the parent 
receives the notice. Therefore, the proposed Rule includes examples of 
acceptable and unacceptable methods of providing notice under this 
paragraph.
    (4) Where the operator collects a child's name and online contact 
information to the extent reasonably necessary to protect the safety of 
a child participant on the website or online service, where such 
information is
    (i) Used only for the purpose of protecting the child's safety;
    (ii) Not used to recontact the child or for any other purpose;
    (iii) Not disclosed on the website or online service;

and the operator uses reasonable efforts to provide a parent notice as 
described in Sec. 312.4(c); and
    This exception is intended to permit an operator to collect limited 
personal information that is reasonably necessary to protect the safety 
of a child participating in such interactive activities as a chat room, 
message board, or e-mail service. For certain safety purposes, however, 
the Commission notes that the collection of the parent's rather than 
the child's online contact information may be sufficient. Indeed, 
parents are in the best position, for example, to intervene if a child 
is threatening another child while engaged in a chat room. The 
Commission, therefore, seeks additional guidance on this issue. See 
question 13 below.
    (5) Where the operator collects a child's name and online contact 
information to the extent reasonably necessary
    (i) To protect the security or integrity of its website or online 
service;
    (ii) To take precautions against liability;
    (iii) To respond to judicial process; or
    (iv) To the extent permitted under other provisions of law, to 
provide information to law enforcement agencies or for an investigation 
on a matter related to public safety;

and such information is used only for such purpose and is not used to 
recontact the child for any other purpose.
    This provision authorizes an operator to collect a child's name and 
online contact information without notice to the parent or parental 
consent for certain limited purposes. It is not intended to authorize 
collection of personal information on the basis of purely hypothetical 
concerns. It is contemplated that the information may be useful in 
identifying website hackers. Although not required by the Act, the 
Commission recommends that when an operator relies on this exception, 
the operator provide parents notice of the collection and use of such 
information as described in section 312.4(c) of the proposed Rule.
    Certain exceptions specifically require that the personal 
information be deleted following the fulfillment of the purpose for 
which it was collected. (See Secs. 1303(b)(2)(A) and (b)(2)(B) of the 
Act and paragraphs (c)(1) and (c)(2) of this section of the proposed 
Rule.) For those exceptions that do not require deletion, the 
Commission recommends that operators delete the information 
voluntarily. This will reduce the risk of unauthorized access, use, or 
disclosure of personal information that was collected without prior 
parental consent.

Section 312.6.  Right of Parent to Review Personal Information Provided 
by Child.

    (a) Upon request of a parent whose child has provided personal 
information to a website or online service, and upon proper 
identification of that parent, the operator of that website or online 
service is required to provide to that parent the following:
    (1) A description of the specific types or categories of personal 
information collected from the child by the operator, such as name, 
address, telephone number, e-mail address, hobbies, and extracurricular 
activities;
    (2) The opportunity at any time to refuse to permit the operator's 
further use or collection of personal information from that child, and 
to direct the operator to delete the child's personal information; and
    (3) Notwithstanding any other provision of law, a means of 
reviewing and making changes to any personal information collected from 
the child. The means employed by the operator to carry out this 
provision must:
    (i) Ensure that the requestor is a parent of that child, taking 
into account available technology; and
    (ii) Not be unduly burdensome to the parent.
    (b) Neither an operator nor the operator's agent shall be held 
liable under any Federal or State law for any disclosure made in good 
faith and following reasonable procedures in responding to a request 
for disclosure of personal information under this section.
    This provision of the Rule describes how operators can comply with 
the Act's requirement that they allow parents to review, make changes 
to, or have deleted any information provided by their child. The Act 
allows a two-tiered approach to parental review. First, upon request of 
a properly-identified parent, the operator must tell the parent what 
types of information

[[Page 22758]]

have been collected from the child, for example, ``Your child has given 
us his name, address, e-mail address, and a list of his favorite 
computer games.'' Section 312.6(a)(1). Subsequently, if the parent 
wishes to review the specific information provided by his child, the 
operator must provide a means for doing so that ensures that the person 
requesting the information is the parent, but is not unduly burdensome 
to the parent, under section 312.6(a)(3).\11\ In addition, the 
parent may, at any time, direct the operator to delete any or all of 
the child's information in the operator's files, refuse to permit the 
operator to continue to use that information, or prohibit the operator 
from collecting any further information in the future. Section 
312.6(a)(2).\12\
---------------------------------------------------------------------------

    \11\ Operators are free to skip the first step (description of 
the types of information provided by the child) and simply allow 
parents to review the specific information provided by the child 
under section 312.6(a)(3).
    \12\ Section 312.6 is not intended to require operators to keep 
databases of personal information collected from children even after 
the consented-to uses have been discontinued--for example, because 
the parent may someday request it. If a parent asks to review his or 
her child's information after the operator has deleted it, the 
operator can reply that it has no information on that child.
---------------------------------------------------------------------------

    Because compliance with section 312.6(a)(3) of this Rule requires 
operators to release personal information collected from children, it 
is critical that operators use a system for checking identification 
that reasonably ensures that the person requesting the information is, 
in fact, a parent of that child.\13\ The identification method 
chosen by the operator should not be so burdensome that parents 
effectively cannot exercise their rights under this provision, e.g., 
by requiring parents to come to its office headquarters to show proof 
of parentage.
---------------------------------------------------------------------------

    \13\ As a practical matter, it may be acceptable for an operator 
to use a less stringent identification requirement when giving out 
the types of information collected from the child under section 
312.6(a)(1).
---------------------------------------------------------------------------

    A number of methods can be used to check identity that provide a 
degree of certainty without unduly burdening either the operator or the 
parent. For example, the operator may require a copy of the parent's 
driver's license showing that the parent and child live at the same 
address. In addition, an operator could devise a password system in 
conjunction with its procedure for obtaining verifiable parental 
consent that could serve as an aid in identification. By contrast, 
simply providing a toll-free telephone number for parents to call and 
request information would not be sufficient to ensure that a caller is 
actually the child's parent.\14\ Operators who disclose the 
information to parents in good faith and follow reasonable procedures 
in responding to a request for disclosure will be exempt from liability 
under any Federal or State laws.
---------------------------------------------------------------------------

    \14\ There may be ways to utilize toll-free telephone numbers 
that would be sufficient to ensure that the requestor is a parent of 
the child. For example, a reasonable procedure might involve giving 
the parent the toll-free telephone number and a password unique to 
that parent after the operator receives the parent's verifiable 
consent.
---------------------------------------------------------------------------

    (c) Subject to the limitations set forth in Sec. 312.7, an operator 
may terminate any service provided to a child whose parent has refused, 
under paragraph (a)(2) of this section, to permit the operator's 
further use or collection of personal information from his or her child 
or has directed the operator to delete the child's personal 
information.
    Section 312.7 prohibits operators from conditioning a child's 
participation in a game, the offering of a prize, or another activity 
on the child disclosing more personal information than is reasonably 
necessary to participate in the activity. See infra. The corollary to 
that prohibition is that operators may terminate a child's access to or 
participation in those activities or services when a parent who has 
consented to the information collection subsequently requires the 
operator to delete the information that was necessary for the child to 
participate. For example, an operator requires children to provide an 
e-mail address to participate in a chat room so that the operator can 
contact the child if the child is misbehaving in the chat room. After 
giving consent, a parent changes her mind and requires the operator to 
delete her child's information. The operator may refuse to allow the 
child to participate in the chat room in the future. If, however, there 
are other activities or services on the operator's website that do not 
require that information, then the operator must allow the child to 
have access to those activities or services.

Section 312.7.  Prohibition Against Conditioning a Child's 
Participation on Collection of Personal Information.

    An operator is prohibited from conditioning a child's participation 
in a game, the offering of a prize, or another activity on the child's 
disclosing more personal information than is reasonably necessary to 
participate in such activity.
    The purpose of this section is to encourage a child's access to 
activities, but to prevent operators from tying collection of personal 
information to such popular and persuasive incentives as prizes or 
games. The proposed rule authorizes operators to condition 
participation on the collection of only such personal information as is 
reasonably necessary to conduct an activity--for example, collection of 
an e-mail address for purposes of awarding a prize to a contest winner. 
The operator, however, must always obtain verifiable parental consent 
to the collection of any personal information from the child, even if 
it is reasonably necessary to participate in an activity, unless one of 
the exceptions to prior parental consent defined in section 312.5(c) of 
the proposed Rule applies.
    Section 312.7 of the proposed Rule precludes, for example, an 
operator from requiring a child to provide personal information for the 
purpose of registering merely to access the website or online service 
if such personal information is not reasonably necessary to engage in 
its activities.

Section 312.8  Confidentiality, Security, and Integrity of Personal 
Information Collected From Children

    The operator must establish and maintain reasonable procedures to 
protect the confidentiality, security, and integrity of personal 
information collected from children.
    Operators must have adequate procedures for protecting personal 
information, including policies and standards to protect children's 
personal information from loss, misuse, unauthorized access, or 
disclosure. Such protections may include the following: designating an 
individual in the organization to be responsible for maintaining and 
monitoring the security of the information; requiring passwords to 
access the personal information; creating firewalls; utilizing 
encryption; implementing access control procedures in addition to 
passwords; implementing devices and procedures to protect the physical 
security of the data processing equipment; storing the personal 
information collected online on a secure server that is not accessible 
from the Internet; installing security cameras and intrusion-detection 
software to monitor who is accessing the personal information; and 
installing authentication software to determine whether a user is 
authorized to enter through a firewall. In addition, effective security 
implementation requires a clear statement of employee responsibilities 
and sanctions, as well as employee training to ensure that privacy and 
security policies are implemented effectively.
    The Commission encourages operators to establish reasonable 
procedures for the destruction of personal information once it is no 
longer necessary for the fulfillment of the purpose for which it was 
collected. Timely elimination of data is the ultimate protection 
against misuse or unauthorized disclosure.

Section 312.9  Enforcement

    Subject to sections 1304 and 1306 of the Children's Online Privacy 
Protection Act of 1998, a violation of a regulation prescribed under 
section 1303 of this Act shall be treated as a violation of a rule 
defining an unfair or deceptive act or practice prescribed under 
section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).

Section 312.10  Safe Harbors

(a) In General
    An operator will be deemed to be in compliance with the 
requirements of this Rule if that operator complies with self-
regulatory guidelines, issued by representatives of the marketing or 
online industries, or by other persons, that, after notice and comment, 
are approved by the Commission.
    As an incentive for industry self-regulation, and to ensure that 
the protections afforded children under this proposed Rule are 
implemented in a manner that takes into account industry-specific 
concerns and technological developments, this section of the proposed 
Rule provides that an operator's compliance with Commission-approved 
self-regulatory guidelines serves as a safe harbor in any enforcement 
action for violations of this Rule. To receive safe harbor treatment, 
an operator can comply with any Commission-approved guidelines that 
meet all the criteria set forth in section 312.10(b). The operator need 
not independently apply for approval, if in fact the operator is fully 
complying with guidelines already approved by the Commission, which are 
applicable to the operator's business. (See the discussion of section 
312.10(b), below.)
    In an enforcement action, the Commission has the burden of proving 
non-compliance with the proposed Rule's requirements. The standards 
enunciated in the proposed Rule thus remain the benchmark against which 
industry's conduct will ultimately be judged. Compliance with approved 
guidelines, however, will serve as a safe harbor in any enforcement 
action under the proposed rule. That is, if an operator can show full 
compliance with approved guidelines, the operator will be deemed in 
compliance with the proposed Rule. The Commission retains discretion to 
pursue enforcement under the Rule if approval of the guidelines was 
obtained based upon incomplete or inaccurate factual representations or 
if there was a substantial change in circumstances.
(b) Criteria for Approval of Self-Regulatory Guidelines
    To be approved by the Commission, guidelines must include the 
following:
    (1) A requirement that operators subject to the guidelines 
(``subject operators'') implement the protections afforded children 
under this Rule;
    (2) An effective, mandatory mechanism for the independent 
assessment of subject operators' compliance with the guidelines. This 
requirement may be satisfied by:
    (i) Periodic reviews of subject operators' information practices 
conducted on a random basis either by the industry group promulgating 
the guidelines or by an independent entity;
    (ii) Periodic reviews of all subject operators' information 
practices, conducted either by the industry group promulgating the 
guidelines or by an independent entity; or
    (iii) Seeding of subject operators' databases, if accompanied by 
either (i) or (ii); and
    (3) Effective incentives for subject operators' compliance with the 
guidelines. This requirement may be satisfied by:
    (i) Mandatory, public reporting of disciplinary action taken 
against subject operators by the industry group promulgating the 
guidelines;
    (ii) Consumer redress;
    (iii) Voluntary payments to the United States Treasury in 
connection with an industry-directed program for violators of the 
guidelines; or
    (iv) Referral to the Commission of operators who engage in a 
pattern or practice of violating the guidelines.
    The assessment mechanism required under paragraph (b)(2) of this 
section can be provided by an independent enforcement program, such as 
a seal program. In considering whether to initiate an investigation or 
to bring an enforcement action for violations of this Rule, and in 
considering appropriate remedies for such violations, the Commission 
will take into account whether an operator has been subject to self-
regulatory guidelines approved under this section and whether the 
operator has taken remedial action pursuant to such guidelines, 
including but not limited to actions set forth in paragraphs (b)(3)(i) 
through (iii) of this section.
    Section 312.10(b) of the proposed Rule sets out the criteria that 
self-regulatory guidelines must meet in order to be approved by the 
Commission. Under section 312.10(b)(1), guidelines must require 
implementation of the requirements of this Rule. Sections 312.10(b)(2)-
(3), which require that guidelines include independent assessment 
mechanisms and incentives for compliance, are intended to permit 
maximum flexibility, consistent with the protections afforded children 
under the proposed Rule. For this reason, each sets out a mandatory 
performance standard and suggested means of meeting that standard. 
Promulgators of guidelines are thus free to use their particular 
expertise to craft guidelines that meet the performance standards while 
taking into account industry-specific concerns and technological 
developments.
    Where guidelines are drafted to be industry-specific, they must 
define the nature of the businesses to which they apply. An operator 
can rely on a particular set of guidelines only if it meets the 
guidelines' definition of applicable businesses.
    In making its determination as to whether to approve submitted 
guidelines, the Commission will review all elements of those 
guidelines, including assessment mechanisms, in light of the particular 
characteristics of the industry or sector that the guidelines are 
intended to govern.\15\
---------------------------------------------------------------------------

    \15\ The Commission will also consider any possible anti-
competitive misuse of self-regulatory guidelines.
---------------------------------------------------------------------------

    Section 312.10(b) clarifies that industry groups, or others, who 
create self-regulatory guidelines may contract with an independent 
entity, such as a seal program, to implement the assessment mechanism 
requirement. Under the performance standard enunciated in section 
312.10(b)(2), assessment mechanisms must not be based solely on self-
assessment by subject operators.
(c) Request for Commission Approval of Self-Regulatory Guidelines
    (1) To obtain Commission approval of self-regulatory guidelines, 
industry groups or other persons must file a request for approval. A 
request shall be accompanied by the following:
    (i) A copy of the full text of the guidelines for which approval is 
sought and any accompanying commentary;
    (ii) A comparison of each provision of Sec. 312.3 through 
Sec. 312.9 with the corresponding provisions of the guidelines; and
    (iii) A statement explaining:
    (A) How the guidelines, including the applicable assessment 
mechanism, meet the requirements of this Rule; and
    (B) How the assessment mechanism and compliance incentives required 
under paragraphs (b)(2) and (3) of this section provide effective 
enforcement of the requirements of this Rule.
    (2) The Commission shall act upon a request under this section 
within 180 days of the filing of such request and shall set forth its 
conclusions in writing.
    Section 312.10(c) of the proposed Rule requires that persons 
requesting Commission approval of self-regulatory guidelines submit, in 
addition to the guidelines and any attendant commentary, documentation 
supporting the proposition that the guidelines meet the requirements of 
this Rule. The 180-day period for the Commission to review and approve 
or reject any request will not begin until all of the documents 
required under section 312.10(c) have been submitted. If a request is 
denied and resubmitted, the 180-day period will run from the date of 
the resubmission.
    An original and six paper copies of the request and supporting 
materials should be submitted to the Secretary, Federal Trade 
Commission, Room 159, 600 Pennsylvania Avenue, NW, Washington, D.C. 
20580. To enable prompt review and accessibility to the public, the 
request and supporting materials should also be submitted, if possible, 
in electronic form, on either one 5 1/4 or one 3 1/2 inch computer disk 
with a label stating the name of the person filing the request and the 
name and version of the word processing program used. (Programs based 
on DOS or Windows are preferred. Files from other operating systems 
should be submitted in ASCII text format.)
    Following initial review of a request under this section, the 
Commission will publish a notice of the filing of the request both in 
the Federal Register and on its website at <www.ftc.gov>, and will make 
a copy of the request available for examination by interested persons 
during business hours at the Federal Trade Commission, Public Reference 
Room, Room 130, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580. A 
period of time will be allowed for interested parties to submit written 
comments to the Commission regarding the request.
    If the Commission determines that the guidelines submitted meet the 
requirements of the proposed Rule, the Commission will approve the 
guidelines and publish a notice of the approval both in the Federal 
Register and on its website at <www.ftc.gov>. The Commission will 
furnish a copy of the notice to the person who filed the request. The 
approval will become effective 45 days from its publication in the 
Federal Register and on the Commission's website.
    If the Commission determines that it cannot approve the guidelines, 
the Commission will notify the persons who filed the request of the 
facts upon which its findings are based and will afford those persons a 
reasonable opportunity to resubmit their request. If, after reviewing 
the resubmitted request, the Commission finds that it still cannot make 
a favorable determination, the Commission will publish a notice of its 
determination both in the Federal Register and on its website at 
<www.ftc.gov>, and will furnish a copy of the notice to the persons who 
filed the request.
    Under section 1304(c) of the Children's Online Privacy Protection 
Act, final action by the Commission on a request for approval of self-
regulatory guidelines, or the Commission's failure to act within 180 
days of the filing of such request, may be appealed to a district court 
of the United States of appropriate jurisdiction as provided for in 
section 706 of title 5, United States Code.\16\
---------------------------------------------------------------------------

    \16\ Section 1304(c), Omnibus Consolidated and Emergency 
Supplemental Appropriations Act, 1999, Pub. L. 105-277, 112 Stat. 
2681, ________, ________ U.S.C. ________, ________ (October 21, 
1998).
---------------------------------------------------------------------------

(d) Records
    Industry groups or other persons who seek safe harbor treatment by 
compliance with guidelines that have been approved under this Rule 
shall maintain and upon request make available to the Commission for 
inspection and copying:
    (1) Consumer complaints alleging violations of the guidelines by 
subject operators, for a period not less than three years following 
receipt of such complaints;
    (2) Records of disciplinary actions taken against subject 
operators; and
    (3) Results of the independent assessments of subject operators' 
compliance required under paragraph (b)(2) of this section.
(e) Revocation of Approval
    The Commission reserves the right to revoke any approval granted 
under this section if at any time it determines that the approved self-
regulatory guidelines and their implementation do not, in fact, meet 
the requirements of this Rule.
    Before revoking any approval of self-regulatory guidelines, the 
Commission will notify the persons filing the request for approval, or 
their designees, of the facts or conduct that, in the Commission's 
opinion, warrant such revocation, and will afford those persons such 
opportunity as the Commission deems appropriate in the circumstances to 
demonstrate that the guidelines and their implementation comply with 
the proposed Rule.
    If, after considering all of the facts, the Commission determines 
that the guidelines or their implementation do not comply with the 
proposed Rule, the Commission will publish a notice of its intention to 
revoke approval of the guidelines both in the Federal Register and on 
its website at <www.ftc.gov>. A period of time will be allowed for 
interested persons to submit written comments to the Commission 
regarding the intention to revoke approval.
    If the Commission revokes its approval of the guidelines, it will 
publish notice of the revocation both in the Federal Register and on 
its website at <www.ftc.gov>, and a copy of such notice will be 
furnished to the persons who filed the request, or their designees. The 
revocation will become effective 45 days from its publication in the 
Federal Register and on the Commission's website.

Section 312.11  Rulemaking Review

    No later than five years after the effective date of this Rule, the 
Commission shall initiate a rulemaking review proceeding to evaluate 
the implementation of this rule, including the effect of the 
implementation of this Rule on practices relating to the collection and 
disclosure of information relating to children, children's ability to 
obtain access to information of their choice online, and on the 
availability of websites directed to children; and report to Congress 
on the results of this review.

Section 312.12  Severability

    The provisions of this Rule are separate and severable from one 
another. If any provision is stayed or determined to be invalid, it is 
the Commission's intention that the remaining provisions shall continue 
in effect.

Section C. Invitation to Comment

    Before adopting this rule as final, the Commission will give 
consideration to any written comments submitted to the Secretary of the 
Commission on or before June 11, 1999. Comments submitted will be 
available for public inspection in accordance with the Freedom of 
Information Act (5 U.S.C. 552) and Commission regulations, on normal 
business days between the hours of 8:30 a.m. and 5 p.m. at the Public 
Reference Section, Room 130, Federal Trade Commission, 600 Pennsylvania 
Avenue NW., Washington, DC 20580. Comments will also be posted on the 
Commission website, <www.ftc.gov>.

Section D. Communications by Outside Parties to Commissioners or 
Their Advisors

    Written communications and summaries or transcripts of oral 
communications respecting the merits of this proceeding from any 
outside party to any Commissioner or Commissioner's advisor will be 
placed on the public record. See 16 CFR 1.26(b)(5) (1998).

Section F. Regulatory Flexibility Act

    The provision of the Regulatory Flexibility Act requiring an 
initial regulatory flexibility analysis (5 U.S.C. 603) does not apply 
because it is believed that the Rule will not have a significant 
economic impact on a substantial number of small entities (5 U.S.C. 
605). This notice also serves as certification to the Small Business 
Administration of that determination.
    The Rule's requirements are expressly mandated by the Children's 
Online Privacy Protection Act of 1998.\17\ Thus, the economic 
impact of the Rule itself is not anticipated to be significant, since 
any additional costs of complying with the Rule, beyond those imposed 
by the statute or otherwise likely to be incurred in the ordinary 
course of business, are expected to be comparatively minimal. Where the 
Act permits, the regulations have been drafted so as to permit maximum 
flexibility in the way that affected firms achieve the goals of the 
Act. In any event, the costs borne by all firms, including small 
businesses, appear unavoidable under the terms of the Act.
---------------------------------------------------------------------------

    \17\ Supra note 1.
---------------------------------------------------------------------------

    Nonetheless, to ensure that no significant economic impact on a 
substantial number of small entities is overlooked, the Commission 
hereby requests public comment on the effect of the proposed Rule on 
the costs, profitability, and competitiveness of, and employment in, 
small entities. After considering such comments, if any, the Commission 
will determine whether preparation of a final regulatory flexibility 
analysis (pursuant to 5 U.S.C. 604) is required.

Section G. Paperwork Reduction Act

    Pursuant to the Paperwork Reduction Act (PRA) (as amended 44 U.S.C. 
3507(d)), the Commission has submitted the proposed Children's Online 
Privacy Protection Rule to the Office of Management and Budget for its 
review. The Children's Online Privacy Protection Act mandates specific 
disclosure requirements relating to the collection of personal 
information from children. Specifically, the Act requires that 
operators subject to this Act provide notice to parents.\18\ 
Based upon survey data,\19\ informal discussions with industry 
members, and public information, the Commission has estimated for 
purposes of the PRA the burden-hour on operators subject to this rule, 
both individually and as an industry, to provide notice to parents. To 
the extent that the proposed rule's notice requirements are expressly 
mandated by the Act, the Commission has adopted a performance standard 
suggested by the Act to provide flexibility in implementing the 
requirements.
---------------------------------------------------------------------------

    \18\ The sections of the proposed Rule that refer to notice are 
Secs. 312.3(a), 312.4, 312.5(c), and 312.6(a). These sections 
implement Secs. 1302(9), 1303 (b)(1)(A)(i), (b)(2)(B), 
(b)(2)(C)(i), and (b)(2)(D)(iii) of the Act.
    \19\ Federal Trade Commission, Privacy Online: A Report to 
Congress, June 1998.
---------------------------------------------------------------------------

    Because the online marketplace is a very new industry, costs for 
providing privacy protection have not been gathered to date. 
Nevertheless, we have attempted to estimate costs associated with 
providing notice for purposes of the PRA. In particular, the Commission 
seeks comments on how to minimize the burden of the notice requirement 
through the use of appropriate automated, electronic, mechanical, or 
other technological mechanisms.
    The estimate of the burden imposed by the notice requirement is 
divided into first year start-up costs and subsequent year costs. For 
purposes of providing notice, the estimated cost for 300 websites 
directed to children, at 60 hours per site (the estimated time needed 
to develop the privacy policy, post it on the website and design a 
mechanism to provide the notice, e.g., an e-mail program), represents a 
total burden of 18,000 hours for the first year. Subsequent years would 
be much less, since the start-up costs, such as crafting a privacy 
policy and posting it online, are generally one-time costs. We estimate 
the burden-hour in subsequent years would be about 1800 hours to cover 
the cost of new children's sites coming into the marketplace and 
providing notice to parents.

Section H. Effective Date

    The Children's Online Privacy Protection Act directs the Commission 
to ``promulgate'' regulations within one year of its enactment. An 
effective date for these rules will be announced by the Commission when 
it publishes these regulations in final form.

Section I. Questions on the Proposed Rule

    The Commission is seeking comment on various aspects of the 
proposed Rule, and is particularly interested in receiving comment on 
the questions that follow. These questions are designed to assist the 
public and should not be construed as a limitation on the issues on 
which public comment may be submitted. Responses to these questions 
should cite the numbers and subsection of the questions being answered. 
For all comments submitted, please submit any relevant data, 
statistics, or any other evidence, upon which those comments are based.

General Question

    1. Please provide comment on any or all of the provisions in the 
proposed Rule. For each provision commented on please describe (a) the 
impact of the provision(s) (including any benefits and costs), if any, 
and (b) what alternatives, if any, the Commission should consider, as 
well as the costs and benefits of those alternatives.

Definitions

    2. Section 312.2 defines ``Internet.'' Is this definition 
sufficiently flexible to account for changes in technology? If not, how 
should it be revised?
    3. Section 312.2 defines ``operator.''
    (a) Is this definition sufficiently clear to provide notice as to 
who is covered by the Rule?
    (b) What is the impact of defining the term in this way?
    4. Section 312.2 defines ``personal information,'' in part, to 
include a persistent identifier, such as a customer number held in a 
cookie, or a processor serial number, where such identifier is 
associated with personal identifying information; an instant messaging 
user identifier; a screen name that reveals an individual's e-mail 
address; or a combination of a last name with other information such 
that the combination permits physical or online contacting. Are there 
additional identifiers that the Commission should consider adding to 
this list?

Notice

    5. Section 312.4(b) lists an operator's obligations with respect to 
the online placement of the notice of its information practices.
    (a) Are there other effective ways of placing notices that should 
be included in the proposed rule?
    (b) How can operators make their links to privacy policies 
informative for parents and children?
    6. Section 312.4(b)(2)(i) requires the notice on the website or 
online service 
to state the name, address, phone number, and e-mail address of all 
operators collecting personal information through the website. Where 
there are multiple operators collecting personal information through 
the website, are there other efficient means of providing information 
about the operators that the Commission should consider?
    7. Section 312.4(b)(2)(iv) requires an operator to state whether 
the third parties to whom it discloses personal information have agreed 
to maintain the confidentiality, security, and integrity of that 
information. How much detail should an operator be required to disclose 
about third parties' information practices?
    8. Section 312.4(b)(2)(vi) requires an operator's notice to state 
that the parent has the right to review personal information provided 
by his or her child and to make changes to and/or have that information 
deleted, and to describe how the parent can do so. Is this information 
needed in the notice on the website or online service, or should it be 
included only in the notice provided directly to the parent under 
section 312.4(c)?
    9. Section 312.4(c) lists several methods an operator may employ to 
provide direct notice to a parent whose child wants to provide personal 
information or from whose child the operator wishes to collect personal 
information. Are there other, equally effective methods of providing 
notice to parents that the Commission should consider?
    10. Section 312.4(c)(1) details the information that must be 
included in the notice to the parent.
    (a) What, if any, of this information is unnecessary?
    (b) What, if any, other information should be included in the 
notice to the parent?
    11. Section 312.5 requires the operator to send a new notice and 
request for consent to parents in certain circumstances. The proposal 
covers instances where the operator wishes to use the information in a 
manner that was not included in the original notice, such as disclosing 
it to parties not covered by the original consent, including parties 
created by a merger or other corporate combination involving existing 
operators or third parties.
    (a) Does this formulation sufficiently protect children's privacy 
given the high merger activity in this industry?
    (b) Is this formulation more burdensome than necessary to protect 
those interests?
    (c) Is there an alternative formulation that would sufficiently 
protect children's privacy without unnecessarily burdening operators?

Parental Consent

    12. Section 312.5(a)(2) requires operators to give the parent the 
opportunity to consent to the collection and use of the child's 
personal information without consenting to the disclosure of that 
information to third parties. Should the rule also require that the 
parent be given the option to refuse to consent to different internal 
uses of the child's personal information by the operator?
    13. The commentary on section 312.5(b) identifies a number of 
methods an operator might use to obtain verifiable parental consent.
    (a) Are the methods listed in the commentary easy to implement?
    (b) What are the costs and benefits of using the methods listed?
    (c) Are there studies or other sources of data showing the 
feasibility, costs, and/or benefits of the methods listed?
    (d) Are there existing methods, or methods in development, to 
adequately verify consent using an e-mail-based mechanism?
    (e) What are the costs and benefits of obtaining consent using an 
e-mail-based mechanism?
    (f) To what extent is digital signature technology in use now? Are 
there obstacles to the general commercial availability or use of 
digital signature technology?
    (g) What, if any, other methods of obtaining consent should the 
Commission consider? Please describe how those methods work, their 
effectiveness, feasibility, costs and/or benefits, and, if still in 
development, when they will be available.
    14. With respect to methods of obtaining verifiable parental 
consent, should the Commission allow greater flexibility in mechanisms 
used to obtain verifiable parental consent in cases where the operator 
does not disclose children's personal information to third parties or 
enable a child to make such information publicly available through, 
for example, a chat room or bulletin board?
    15. Are there any studies or other sources of data regarding the 
ease or frequency with which children can fabricate parental consent 
using any of the methods discussed in the proposed Rule?
    16. Would additional research regarding children's behavior in the 
online environment be useful in assessing the appropriateness of 
various parental consent mechanisms?
    17. Section 312.5(c)(1) allows an exception to prior parental 
consent where an operator collects the name or online contact 
information of a parent or child to be used for the sole purpose of 
obtaining parental consent or providing notice under this rule. Under 
this exception, if an operator has not obtained parental consent after 
a ``reasonable time'' from the date of the information collection, the 
operator must delete the information from its records.
    (a) What is a ``reasonable time'' for purposes of this requirement? 
On what is this estimate of a ``reasonable time'' based?
    (b) Alternatively, should an operator be required to maintain a 
``do-not-contact'' list so as to avoid sending multiple requests for 
consent to a parent who has previously refused to consent? What are the 
costs and benefits of such a ``do-not-contact'' list?
    18. Section 1303(b)(2)(B) of the Children's Online Privacy 
Protection Act and Section 312.5(c)(1) of the proposed Rule allow an 
operator to collect the name or online contact information of a parent 
or child solely for the purpose of obtaining parental consent or 
providing notice. Are there circumstances that would necessitate 
collection of the child's online contact information rather than the 
parent's?
    19. Section 312.5(c)(4) allows an exception to prior parental 
consent where an operator collects information from a child in order to 
protect the safety of a child participant on its site. What specific 
circumstances should trigger this exception?
    20. Section 312.5(c)(5) allows an exception to prior parental 
consent where an operator collects information from a child for certain 
limited purposes. To what extent is a child's name or e-mail address 
necessary:
    (a) To protect the security of the website;
    (b) To aid in the judicial process; or
    (c) To aid in law enforcement?
    21. Section 1303(b)(2)(C)(ii) of the Children's Online Privacy 
Protection Act authorizes the Commission to allow other exceptions to 
prior parental consent in this rule ``in such circumstances as the 
Commission may determine are appropriate, taking into consideration the 
benefits to the child of access to information and services, and risks 
to the security and privacy of the child.'' What other circumstances 
might merit such an exception? What are the risks and benefits of 
creating such an exception?

Right of Parent to Review Personal Information Provided by Child

    22. Section 312.6 gives a parent whose child has provided personal

[[Page 22763]]

information to a website the right, upon proper identification of that 
parent, to review the personal information provided by the child. The 
commentary on this section lists several methods an operator may employ 
to obtain proper identification of a parent.
    (a) Are there any other methods of identification that the 
Commission should consider?
    (b) In particular, are there other methods that could constitute 
proper identification in non-traditional family situations (e.g., where 
the child and parent do not live at the same address or where someone 
other than a parent is the legal guardian)?
    (c) Are there any technological advances under development that may 
ease the process of obtaining proper identification of a parent?

Prohibition Against Conditioning a Child's Participation on Collection 
of Personal Information

    23. Section 312.7 prohibits operators from conditioning a child's 
participation in a game, the offering of a prize, or another activity 
on the child's disclosing more personal information than is reasonably 
necessary to participate in such activity. What kinds of information do 
sites collect as a condition of allowing a child to participate in a 
game, contest, chat room, or other online activity?

Confidentiality, Security and Integrity of Personal Information 
Collected From Children

    24. Section 312.8 requires operators to establish and maintain 
reasonable procedures to protect the confidentiality, security, and 
integrity of personal information collected from children.
    (a) What practices are commonly used to maintain the safety and 
confidentiality of data collected online?
    (b) What practices provide the strongest protection?
    (c) How much does it cost to implement such practices?

Safe Harbor

    25. Section 312.10(b)(2) requires that, in order to be approved by 
the Commission, self-regulatory guidelines include an effective, 
mandatory mechanism for the independent assessment of subject 
operators' compliance with the guidelines. Section 312.10(b)(2) lists 
several examples of such mechanisms. What other mechanisms exist that 
would provide similarly effective and independent compliance 
assessment?
    26. Section 312.10(b)(3) requires that, in order to be approved by 
the Commission, self-regulatory guidelines include effective incentives 
for compliance with the guidelines. Section 312.10(b)(3) lists several 
examples of such incentives. What other incentives exist that would be 
similarly effective?
    27. Section 1304(b)(1) of the Children's Online Privacy Protection 
Act requires the Commission to provide incentives for self-regulation 
by operators to implement the protections afforded children under the 
Act. The safe harbor provisions of section 312.10 of the proposed rule 
are one such incentive. What other incentives should the Commission 
consider?

Paperwork Reduction Act

    28. The Commission solicits comments on the notice requirements of 
the proposed Rule to the extent that they constitute ``collections of 
information'' within the meaning of the Paperwork Reduction Act. The 
Commission requests comments that will enable it to:
    (a) Evaluate whether the proposed collections of information are 
necessary for the proper performance of the functions of the agency, 
including whether the information will have practical utility;
    (b) Evaluate the accuracy of the agency's estimate of the burden of 
the proposed collections of information, including the validity of the 
methodology and assumptions used;
    (c) Enhance the quality, utility, and clarity of the information to 
be collected; and
    (d) Minimize the burden of the collections of information on those 
who must comply, including through the use of appropriate automated, 
electronic, mechanical, or other technological collection techniques or 
other forms of information technology.

Section J. Proposed Rule

List of Subjects in 16 CFR Part 312

    Children, Communications, Consumer protection, Electronic mail, 
E-mail, Internet, Online service, Privacy, Record retention, Safety, 
Science and technology, Trade practices, Website, Youth.

    Accordingly, the Federal Trade Commission proposes to amend 16 CFR 
chapter I by adding a new Part 312 to read as follows:

PART 312--CHILDREN'S ONLINE PRIVACY PROTECTION RULE

Sec.
312.1  Scope of regulations in this part.
312.2  Definitions.
312.3  Regulation of unfair and deceptive acts and practices in 
connection with the collection, use, and/or disclosure of personal 
information from and about children on the Internet.
312.4  Notice.
312.5  Parental consent.
312.6  Right of parent to review personal information provided by a 
child.
312.7  Prohibition against conditioning a child's participation on 
collection of personal information.
312.8  Confidentiality, security, and integrity of personal 
information collected from children.
312.9  Enforcement.
312.10  Safe harbors.
312.11  Rulemaking review.
312.12  Severability.

    Authority: Secs. 1301-1308, Pub. L. 105-277, 112 Stat. 2681.


Sec. 312.1  Scope of regulations in this part.

    This part implements the Children's Online Privacy Protection Act 
of 1998, [to be codified at 15 U.S.C. ________, et seq.,] which 
prohibits unfair and deceptive acts and practices in connection with 
the collection, use, and/or disclosure of personal information from and 
about children on the Internet.


Sec. 312.2  Definitions.

    Child means an individual under the age of 13.
    Collects or collection means the direct or passive gathering of any 
personal information from a child by any means, including but not 
limited to:
    (a) Any online request for personal information by the operator 
regardless of how that personal information is transmitted to the 
operator;
    (b) Collection using a chat room, message board, or other public 
posting of such information on a website or online service; or
    (c) Passive tracking or use of any identifying code linked to an 
individual, such as a cookie.
    Commission means the Federal Trade Commission.
    Delete means to remove personal information such that it is not 
maintained in retrievable form and cannot be retrieved in the normal 
course of business.
    Disclosure means, with respect to personal information:
    (a) The release of personal information collected from a child in 
identifiable form by an operator for any purpose, except where an 
operator provides such information to a person who provides support for 
the internal operations of the website or online service and who does 
not disclose or use that information for any other purpose, where:
    (1) Release of personal information means the sharing, selling, 
renting, or

[[Page 22764]]

any other means of providing personal information to any third party, 
and
    (2) Support for the internal operations of the website or online 
service means those activities necessary to maintain the technical 
functioning of the website or online service, or to fulfill a request 
of a child as permitted by Sec. 312.5(c)(2) and (3); and
    (b) Making personal information collected from a child by an 
operator publicly available in identifiable form, by any means, 
including by a public posting through the Internet, or through a 
personal home page posted on a website or online service; a pen pal 
service; an electronic mail service; a message board; a chat room; or 
any other means that would enable a child to reveal personal 
information to others online.
    Federal agency means an agency, as that term is defined in Section 
551(1) of title 5, United States Code.
    Internet means collectively the myriad of computer and 
telecommunications facilities, including equipment and operating 
software, which comprise the interconnected world-wide network of 
networks that employ the Transmission Control Protocol/Internet 
Protocol, or any predecessor or successor protocols to such protocol, 
to communicate information of all kinds by wire, radio, or other 
methods of transmission.
    Online contact information means an e-mail address or any other 
substantially similar identifier that permits direct contact with a 
person online.
    Operator means any person who operates a website located on the 
Internet or an online service and who collects or maintains personal 
information from or about the users of or visitors to such website or 
online service, or on whose behalf such information is collected or 
maintained, where such website or online service is operated for 
commercial purposes, including any person offering products or services 
for sale through that website or online service, involving commerce:
    (a) Among the several States or with 1 or more foreign nations;
    (b) In any territory of the United States or in the District of 
Columbia, or between any such territory, and
    (1) Another such territory, or
    (2) Any State or foreign nation; or
    (c) Between the District of Columbia and any State, territory, or 
foreign nation. This definition does not include any nonprofit entity 
that would otherwise be exempt from coverage under section 5 of the 
Federal Trade Commission Act (15 U.S.C. 45).
    Parent includes a legal guardian.
    Person means any individual, partnership, corporation, trust, 
estate, cooperative, association, or other entity.
    Personal information means individually identifiable information 
about an individual collected online, including:
    (a) A first and last name;
    (b) A home or other physical address including street name and name 
of a city or town;
    (c) An e-mail address;
    (d) A telephone number;
    (e) A Social Security number;
    (f) A persistent identifier, such as a customer number held in a 
cookie or a processor serial number, where such identifier is 
associated with personal identifying information; a screen name that 
reveals an individual's e-mail address; an instant messaging user 
identifier; or a combination of a last name with other information such 
that the combination permits physical or online contacting; or
    (g) Information concerning the child or the parents of that child 
that the operator collects online from the child and combines with an 
identifier described in this definition.
    Third party means any person who is neither an operator with 
respect to the collection of personal information on the website or 
online service, nor a person who provides support for the internal 
operations of the website or online service.
    Obtaining verifiable consent means making any reasonable effort 
(taking into consideration available technology) to ensure that before 
personal information is collected from a child, a parent of the child:
    (a) Receives notice of the operator's personal information 
collection, use, and disclosure practices; and
    (b) Authorizes any collection, use, and/or disclosure of the 
personal information.
    Website or online service directed to children means a commercial 
website or online service, or portion thereof, that is targeted to 
children. Provided, however, that a commercial website or online 
service, or a portion thereof, shall not be deemed directed to children 
solely because it refers or links to a commercial website or online 
service directed to children by using information location tools, 
including a directory, index, reference, pointer, or hypertext link. In 
determining whether a commercial website or online service, or a 
portion thereof, is targeted to children, the Commission will consider 
its subject matter, visual or audio content, age of models, language or 
other characteristics of the website or online service, as well as 
whether advertising promoting or appearing on the website or online 
service is directed to children. The Commission will also consider 
competent and reliable empirical evidence regarding audience 
composition; evidence regarding the intended audience; and whether a 
site uses animated characters and/or child-oriented activities and 
incentives.


Sec. 312.3  Regulation of unfair and deceptive acts and practices in 
connection with the collection, use, and/or disclosure of personal 
information from and about children on the Internet.

    General requirements. It shall be unlawful for any operator of a 
website or online service directed to children, or any operator that 
has actual knowledge that it is collecting personal information from a 
child, to collect personal information from a child in a manner that 
violates the regulations prescribed under this part. Generally, under 
this part, an operator must:
    (a) Provide notice on the website or online service of what 
information it collects from children, how it uses such information, 
and its disclosure practices for such information (Sec. 312.4(b));
    (b) Obtain verifiable parental consent for any collection, use, 
and/or disclosure of personal information from children (Sec. 312.5);
    (c) Provide a reasonable means for a parent to review the personal 
information collected from a child and to refuse to permit its further 
use or maintenance (Sec. 312.6);
    (d) Not condition a child's participation in a game, the offering 
of a prize, or another activity on the child disclosing more personal 
information than is reasonably necessary to participate in such 
activity (Sec. 312.7); and
    (e) Establish and maintain reasonable procedures to protect the 
confidentiality, security, and integrity of personal information 
collected from children (Sec. 312.8).


Sec. 312.4  Notice.

    (a) General principles of notice. All notices under Secs. 312.3(a) 
and 312.5 must be clearly and understandably written, be complete, and 
must contain no unrelated, confusing, or contradictory materials.
    (b) Notice on the website or online service. An operator must post 
a link to a notice of its information practices with regard to children 
on the home page of its website or online service and at each place on 
the website or online service where personal information is collected 
from children.
    (1) Placement of the notice.
    (i) The link to the notice must be clearly labeled as a notice of 
the website

[[Page 22765]]

or online service's information practices with regard to children;
    (ii) The link to the notice must be placed in a prominent place on 
the home page of the website or online service such that a typical 
visitor to the home page can see the link without having to scroll 
down; and
    (iii) There must be a prominent link to the notice at each place on 
the website or online service where children directly provide, or are 
asked to provide, personal information such that a typical visitor to 
those places can see the link without having to scroll down.
    (2) Content of the notice. To be complete, the notice of the 
website or online service's information practices must state the 
following:
    (i) The name, address, phone number, and e-mail address of all 
operators collecting personal information from children through the 
website or online service;
    (ii) The types of personal information collected from children and 
whether the personal information is collected directly or passively;
    (iii) How such personal information is or may be used by the 
operator, including but not limited to fulfillment of a requested 
transaction, recordkeeping, marketing back to the child, or making it 
publicly available through a chat room or by other means;
    (iv) Whether personal information is disclosed to third parties, 
and if so, the types of business in which such third parties are 
engaged, and the general purposes for which such information is used; 
whether those third parties have agreed to maintain the 
confidentiality, security, and integrity of the personal information 
they obtain from the operator; and that the parent has the option to 
consent to the collection and use of their child's personal information 
without consenting to the disclosure of that information to third 
parties;
    (v) That the operator is prohibited from conditioning a child's 
participation in an activity on the child's disclosing more personal 
information than is reasonably necessary to participate in such 
activity; and
    (vi) That the parent can review, make changes to, or have deleted 
the child's personal information and state the procedures for doing so.
    (c) Notice to a parent. Under Sec. 312.5, an operator must make 
reasonable efforts, taking into account available technology, to ensure 
that a parent of a child receives notice of an operator's practices 
with regard to the collection, use, and/or disclosure of the child's 
personal information, including any collection, use, and/or disclosure 
to which the parent has not previously consented.
    (1) Content of the notice to the parent.
    (i) All notices must state the following:
    (A) That the operator wishes to collect personal information from 
the child;
    (B) The information set forth in paragraph (b) of this section.
    (ii) In the case of a notice to obtain verifiable parental consent 
under Sec. 312.5(a), the notice must also state that the parent's 
consent is required for the collection, use, and/or disclosure of such 
information, and state the means by which the parent can provide 
verifiable consent to the collection of information.
    (iii) In the case of a notice under the exception in 
Sec. 312.5(c)(3), the notice must also state the following:
    (A) That the operator has collected the child's e-mail address or 
other online contact information to respond to the child's request for 
information and that the requested information will require more than 
one contact with the child;
    (B) That the parent may refuse to permit further contact with the 
child and require the deletion of the e-mail address or other online 
contact information; and
    (C) That if the parent fails to respond to the notice, the operator 
may use the information for the purpose(s) stated in the notice.
    (iv) In the case of a notice under the exception in 
Sec. 312.5(c)(4), the notice must also state the following:
    (A) That the operator has collected the child's name and e-mail 
address or other online contact information to protect the safety of 
the child participating on the website or online service;
    (B) That the parent may refuse to permit the use of the information 
and require the deletion of the information; and
    (C) That if the parent fails to respond to the notice, the operator 
may use the information for the purpose stated in the notice.


Sec. 312.5  Parental consent.

    (a) General requirements. (1) An operator is required to obtain 
verifiable parental consent before any collection, use, and/or 
disclosure of personal information from children, including any 
collection, use, and/or disclosure to which the parent has not 
previously consented.
    (2) An operator must give the parent the option to consent to the 
collection and use of the child's personal information without 
consenting to disclosure of his or her personal information to third 
parties.
    (b) Mechanisms for verifiable parental consent. An operator must 
make reasonable efforts to obtain verifiable parental consent, taking 
into consideration available technology. Any method to obtain 
verifiable parental consent must be reasonably calculated, in light of 
available technology, to ensure that the person providing consent is 
the child's parent.
    (c) Exceptions to prior parental consent. Verifiable parental 
consent is required prior to any collection, use and/or disclosure of 
personal information from a child except as set forth in this 
paragraph. The exceptions to prior parental consent are as follows:
    (1) Where the operator collects the name or online contact 
information of a parent or child to be used for the sole purpose of 
obtaining parental consent or providing notice under Sec. 312.4. If the 
operator has not obtained parental consent after a reasonable time from 
the date of the information collection, the operator must delete such 
information from its records;
    (2) Where the operator collects online contact information from a 
child for the sole purpose of responding directly on a one-time basis 
to a specific request from the child, and where such information is not 
used to recontact the child and is deleted by the operator from its 
records;
    (3) Where the operator collects online contact information from a 
child to be used to respond directly more than once to a specific 
request from the child, and where such information is not used for any 
other purpose. In such cases, the operator must make reasonable 
efforts, taking into consideration available technology, to ensure that 
a parent receives notice and has the opportunity to request that the 
operator make no further use of the information, as described in 
Sec. 312.4(c), immediately after the initial response and before making 
any additional response to the child. Mechanisms to provide such notice 
include, but are not limited to, sending the notice by postal mail or 
sending the notice to the parent's e-mail address, but do not include 
asking a child to print a notice form or sending an e-mail to the 
child;
    (4) Where the operator collects a child's name and online contact 
information to the extent reasonably necessary to protect the safety of 
a child participant on the website or online service, and the operator 
uses reasonable efforts to provide a parent notice as described in 
Sec. 312.4(c), where such information is:
    (i) Used for the sole purpose of protecting the child's safety;

[[Page 22766]]

    (ii) Not used to recontact the child or for any other purpose;
    (iii) Not disclosed on the website or online service;
    (5) Where the operator collects a child's name and online contact 
information and such information is not used for any other purpose, to 
the extent reasonably necessary:
    (i) To protect the security or integrity of its website or online 
service;
    (ii) To take precautions against liability;
    (iii) To respond to judicial process; or
    (iv) To the extent permitted under other provisions of law, to 
provide information to law enforcement agencies or for an investigation 
on a matter related to public safety.


Sec. 312.6  Right of parent to review personal information provided by 
a child.

    (a) Upon request of a parent whose child has provided personal 
information to a website or online service, and upon proper 
identification of that parent, the operator of that website or online 
service is required to provide to that parent the following:
    (1) A description of the specific types or categories of personal 
information collected from the child by the operator, such as name, 
address, telephone number, e-mail address, hobbies, and extracurricular 
activities;
    (2) The opportunity at any time to refuse to permit the operator's 
further use or collection of personal information from that child, and 
to direct the operator to delete the child's personal information; and
    (3) Notwithstanding any other provision of law, a means of 
reviewing and making changes to any personal information collected from 
the child. The means employed by the operator to carry out this 
provision must:
    (i) Ensure that the requestor is a parent of that child, taking 
into account available technology; and
    (ii) Not be unduly burdensome to the parent.
    (b) Neither an operator nor the operator's agent shall be held 
liable under any Federal or State law for any disclosure made in good 
faith and following reasonable procedures in responding to a request 
for disclosure of personal information under this section.
    (c) Subject to the limitations set forth in Sec. 312.7, an operator 
may terminate any service provided to a child whose parent has refused, 
under paragraph (a)(2) of this section, to permit the operator's 
further use or collection of personal information from his or her child 
or has directed the operator to delete the child's personal 
information.


Sec. 312.7  Prohibition against conditioning a child's participation on 
collection of personal information.

    An operator is prohibited from conditioning a child's participation 
in a game, the offering of a prize, or another activity on the child's 
disclosing more personal information than is reasonably necessary to 
participate in such activity.


Sec. 312.8  Confidentiality, security, and integrity of personal 
information collected from children.

    The operator must establish and maintain reasonable procedures to 
protect the confidentiality, security, and integrity of personal 
information collected from children.


Sec. 312.9  Enforcement.

    Subject to sections 1304 and 1306 of the Children's Online Privacy 
Protection Act of 1998, a violation of a regulation prescribed under 
section 1303 of this Act shall be treated as a violation of a rule 
defining an unfair or deceptive act or practice prescribed under 
section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).


Sec. 312.10  Safe harbors.

    (a) In general. An operator will be deemed to be in compliance with 
the requirements of this part if that operator complies with 
self-regulatory guidelines, issued by representatives of the marketing or 
online industries, or by other persons, that, after notice and comment, 
are approved by the Commission.
    (b) Criteria for approval of self-regulatory guidelines. To be 
approved by the Commission, guidelines must include the following:
    (1) A requirement that operators subject to the guidelines 
(``subject operators'') implement the protections afforded children 
under this part;
    (2) An effective, mandatory mechanism for the independent 
assessment of subject operators' compliance with the guidelines. This 
requirement may be satisfied by:
    (i) Periodic reviews of subject operators' information practices 
conducted on a random basis either by the industry group promulgating 
the guidelines or by an independent entity;
    (ii) Periodic reviews of all subject operators' information 
practices, conducted either by the industry group promulgating the 
guidelines or by an independent entity; or
    (iii) Seeding of subject operators' databases, if accompanied by 
either paragraphs (b)(2)(i) or (b)(2)(ii) of this section; and
    (3) Effective incentives for subject operators' compliance with the 
guidelines. This requirement may be satisfied by:
    (i) Mandatory, public reporting of disciplinary action taken 
against subject operators by the industry group promulgating the 
guidelines;
    (ii) Consumer redress;
    (iii) Voluntary payments to the United States Treasury in 
connection with an industry-directed program for violators of the 
guidelines; or
    (iv) Referral to the Commission of operators who engage in a 
pattern or practice of violating the guidelines.
    (c) Implementation and effect. The assessment mechanism required 
under paragraph (b)(2) of this section can be provided by an 
independent enforcement program, such as a seal program. In considering 
whether to initiate an investigation or to bring an enforcement action 
for violations of this part, and in considering appropriate remedies 
for such violations, the Commission will take into account whether an 
operator has been subject to self-regulatory guidelines approved under 
this section and whether the operator has taken remedial action 
pursuant to such guidelines, including but not limited to actions set 
forth in paragraphs (b)(3)(i) through (iii) of this section.
    (d) Request for Commission approval of self-regulatory guidelines. 
(1) To obtain Commission approval of self-regulatory guidelines, 
industry groups or other persons must file a request for such approval. 
A request shall be accompanied by the following:
    (i) A copy of the full text of the guidelines for which approval is 
sought and any accompanying commentary;
    (ii) A comparison of each provision of Secs. 312.3 through 312.9 
with the corresponding provisions of the guidelines; and
    (iii) A statement explaining:
    (A) How the guidelines, including the applicable assessment 
mechanism, meet the requirements of this part; and
    (B) How the assessment mechanism and compliance incentives required 
under paragraphs (b)(2) and (3) of this section provide effective 
enforcement of the requirements of this part.
    (2) The Commission shall act upon a request under this section 
within 180 days of the filing of such request and shall set forth its 
conclusions in writing.
    (e) Records. Industry groups or other persons who seek safe harbor 
treatment by compliance with guidelines that have been approved under 
this part shall maintain and upon request make available to the 
Commission for inspection and copying:
    (1) Consumer complaints alleging violations of the guidelines by 
subject
operators, for a period not less than three years following receipt of 
such complaints;
    (2) Records of disciplinary actions taken against subject 
operators; and
    (3) Results of the independent assessments of subject operators' 
compliance required under paragraph (b)(2) of this section.
    (f) Revocation of approval. The Commission reserves the right to 
revoke any approval granted under this section if at any time it 
determines that the approved self-regulatory guidelines and their 
implementation do not, in fact, meet the requirements of this part.


Sec. 312.11  Rulemaking review.

    No later than five years after [the effective date of the final 
rule], this Rule, the Commission shall initiate a rulemaking review 
proceeding to evaluate the implementation of this part, including the 
effect of the implementation of this part on practices relating to the 
collection and disclosure of information relating to children, 
children's ability to obtain access to information of their choice 
online, and on the availability of websites directed to children; and 
report to Congress on the results of this review.


Sec. 312.12  Severability.

    The provisions of this part are separate and severable from one 
another. If any provision is stayed or determined to be invalid, it is 
the Commission's intention that the remaining provisions shall continue 
in effect.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 99-10250 Filed 4-26-99; 8:45 am]