Children's Online Privacy Protection Act; implementation

[Federal Register: April 27, 1999 (Volume 64, Number 80)]

[Proposed Rules]

[Page 22749-22767]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr27ap99-30]

[[Page 22749]]

Part V

Federal Trade Commission

16 CFR Part 312

Children's Online Privacy Protection Rule; Proposed Rule

[[Page 22750]]

FEDERAL TRADE COMMISSION

16 CFR PART 312

Children's Online Privacy Protection Rule

AGENCY: Federal Trade Commission.

ACTION: Notice of proposed rulemaking.

SUMMARY: In this document, the Federal Trade Commission (the ``Commission'' or ``FTC'') issues a Notice of Proposed Rulemaking to implement the Children's Online Privacy Protection Act of 1998 (``the Act''). Section 1303(b) of the Act directs the FTC to promulgate rules, not later than 1 year after the date of the enactment of the Act, to prohibit unfair and deceptive acts and practices in connection with the collection and use of personal information from and about children on the Internet.

DATES: Written comments must be submitted on or before June 11, 1999. The Commission has reserved July 20, 1999 for a workshop on the proposed rule, if the comments submitted indicate that a workshop would be necessary or helpful. If a workshop is held, the Commission will issue a Federal Register Notice listing the topics to be covered.

ADDRESSES: Written comments should be submitted to: Secretary, Federal Trade Commission, Room H-159, 600 Pennsylvania Avenue, NW, Washington, DC 20580. The Commission requests that commenters submit the original plus five copies, if feasible. To enable prompt review and public access, comments also should be submitted, if possible, in electronic form, on either a 5 1/4 or a 3 1/2 inch computer disk, with a disk label stating the name of the commenter and the name and version of the word processing program used to create the document. (Programs based on DOS or Windows are preferred. Files from other operating systems should be submitted in ASCII text format.) Alternatively, the Commission will accept comments submitted to the following e-mail address: KidsRule@ftc.gov. Individual members of the public filing comments need not submit multiple copies or comments in electronic form. All submissions should be captioned: ``Children's Online Privacy Protection Rule--Comment, P994504.'' Rebuttal comments should be submitted following the same procedures as those stated above. Comments will be posted on the Commission's website: http://www.ftc.gov.

To the extent that the notice requirements of the proposed rule constitute ``collections of information'' under the Paperwork Reduction Act, comments on such requirements should also be submitted to the Office of Information and Regulatory Affairs, Office of Management and Budget, Room 10235, New Executive Office Building, Washington, DC 20503, Attention: Desk Officer for FTC.

FOR FURTHER INFORMATION CONTACT: Toby Milgrom Levin, (202) 326-3156, Loren G. Thompson, (202) 326-2049, or Jill Samuels, (202) 326-2066, Division of Advertising Practices, Bureau of Consumer Protection, Federal Trade Commission, 601 Pennsylvania Ave., NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

Section A. Background

  1. Children's Online Privacy Protection Act of 1998

    On October 21, 1998, Congress enacted and the President signed into law the Children's Online Privacy Protection Act of 1998 (``the Act''),\1\ to prohibit unfair and deceptive acts and practices in connection with the collection and use of personally identifiable information from and about children on the Internet. The goals of the Act are: (1) To enhance parental involvement in a child's online activities in order to protect the privacy of children in the online environment; (2) to help protect the safety of children in online fora such as chat rooms, home pages, and pen-pal services in which children may make public postings of identifying information; (3) to maintain the security of children's personal information collected online; and (4) to limit the collection of personal information from children without parental consent.\2\

    \1\ Title XIII, Omnibus Consolidated and Emergency Supplemental Appropriations Act, 1999, Pub. L. 105-277, 112 Stat. 2681, (October 21, 1998) reprinted at 144 Cong. Rec. H11240-42 (Oct. 19, 1998). Since the Act has not yet been codified, citations used in this notice are to the section numbers designated in Title XIII of the Omnibus Act.

    \2\ 144 Cong. Rec. S12741 (Oct. 7, 1998) (Statement of Sen. Bryan). In the three years prior to the Act's passage, the Commission sought to educate industry, the public and itself about the issues raised by the online collection of personal information from children and adult consumers. In June 1996 and June 1997, the Commission held public workshops to learn how the rapidly developing online marketplace was affecting consumers' privacy. In March 1998, the Commission conducted an extensive survey of commercial websites, including 212 children's websites, to learn the extent to which they were disclosing their information practices, and, with regard to the children's websites, the extent to which they were providing for parental notice of and consent to the collection and disclosure of children's personal information. The Commission reported the results of its survey to Congress in June 1998, and recommended that Congress enact legislation to protect children's privacy online. (Federal Trade Commission, Privacy Online: A Report to Congress, June 1998.) The Commission's survey found that few children's websites were disclosing their information practices or providing for parental consent.

    Section 1303 of the Act directs the FTC to adopt regulations prohibiting unfair and deceptive acts and practices in connection with the collection and use of personal information from and about children on the Internet. Section 1303(b) sets forth a series of privacy protections to prevent unfair and deceptive online information collection from or about children. The Act specifies that operators of websites directed to children or who knowingly collect personal information from children (1) provide parents notice of their information practices; (2) obtain prior parental consent for the collection, use and/or disclosure of personal information from children (with certain limited exceptions for the collection of online contact information, e.g., an e-mail address); (3) provide a parent, upon request, with the ability to review the personal information collected from his/her child; (4) provide a parent with the opportunity to prevent the further use of personal information that has already been collected, or the future collection of personal information from that child; (5) limit collection of personal information for a child's online participation in a game, prize offer, or other activity to information that is reasonably necessary for the activity; and (6) establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected.\3\

    \3\ Supra note 1.

    The Act authorizes the Commission to bring enforcement actions for violations of the final Rule in the same manner as for other rules defining unfair and deceptive acts or practices under section 5 of the Federal Trade Commission Act.\4\ In addition, section 1305 of the Act authorizes state attorneys general to enforce compliance with the final Rule by filing actions in federal court after serving prior written notice upon the Commission when feasible.

    \4\ Section 1306(d) of the Act provides that the rule shall be treated as a rule issued under Sec. 18 (a)(1)(B) of the FTC Act (15 U.S.C. 57a (a)(1)(B)).

    Section B. Overview of the Proposed Rule

    The Internet offers children unprecedented opportunities for learning, recreation, and communication in ways scarcely imagined a decade ago. Children are actively engaged in a wide variety of online activities. They communicate [[Page 22751]] with one another in online chat rooms and bulletin boards, through online pen-pal services, and by posting personal home pages. They participate in games and contests sponsored by websites, and they use the Internet to access information on all manner of subjects.

    Despite its obvious attraction for children, the Internet is also a medium in which children can be placed at risk. As they use the Internet, children, like others, are often asked to provide a wide variety of personal information about themselves. Websites and online services collect this information by such means as registration pages, order forms, contests, surveys, chat rooms, and bulletin boards. In general, they have collected this information, and have in some instances shared it with third parties, without notice to children or their parents. In addition, public posting of children's personal information makes it available to anyone on the Internet, including those who would harm children.

    The proposed Rule is designed to assist parents in controlling the flow of their children's personal information on the Internet. It contains a general requirement that operators of websites or online services directed to children (``operators'') not condition children's participation in online activities on the provision of more personal information than is reasonably necessary to participate in the activity. This will prevent operators from using popular games and activities as a means of obtaining children's information.

    Operators are also required to post prominent links on their websites to a notice of how they collect and use personal information from children. In most circumstances, the proposed Rule requires operators to notify parents that they wish to collect personal information from their children and to obtain parental consent prior to collecting, using, or disclosing such information. Parents then have the option of prohibiting operators from disclosing their child's personal information to third parties. In addition, operators must allow parents the opportunity to review and make changes to any information provided by their children. Parents at any time may also require the operator to delete their children's information and prohibit the operator from collecting any more information from their children in the future. The proposed Rule also requires that operators establish procedures to protect the confidentiality, security, and integrity of the personal information collected from children.

    Because the proposed Rule applies to the use or disclosure of personal information and not just its collection, it protects personal information collected from children prior to the effective date of the final Rule if an operator wishes to use such information in the future. Thus, for example, an operator that maintains a database of children's personal information must provide notice to the parent and obtain parental consent prior to using such information once the Rule is effective.

    Finally, under the proposed Rule, industry groups or others may seek Commission approval for self-regulatory guidelines. Operators who participate in such approved programs may be subject to the review and disciplinary procedures provided in these guidelines in lieu of formal Commission investigation and law enforcement.

    Section 312.1 describes the scope of the regulations under this Act. Section 312.2 contains the definitions of the terms used in the proposed Rule, such as ``operator'' and ``personal information.'' Section 312.3 sets out the general requirements that operators must follow when seeking to collect, use, and/or disclose personal information from children. Section 312.4 contains the requirements for providing notice on the website and to parents under the various requirements of the proposed Rule. Section 312.5 sets out the procedures by which operators can obtain consent from parents to the collection, use, and/or disclosure of personal information from children. Section 312.6 requires operators to allow parents to review, make changes to, or have deleted the personal information collected from their children. Section 312.7 prohibits operators from conditioning a child's participation in online activities on the provision of more personal information than is reasonably necessary to participate in those activities. Section 312.8 requires operators to establish reasonable procedures to maintain the confidentiality, security, and integrity of the information collected from children. Section 312.9 establishes that violations of the proposed Rule will be treated as a violation of a rule defining an unfair or deceptive act or practice under the FTC Act. Section 312.10 establishes procedures by which industry groups or other persons can request Commission approval for their self-regulatory guidelines. Sections 312.11 and 312.12 address Commission review of the proposed Rule and the proposed Rule's severability.

    Each of the provisions is indented, followed by a brief discussion where needed. The full text of the proposed Rule appears in Section J of this Notice.

    Section 312.1 Scope of Regulations in This Part

    This Rule implements the Children's Online Privacy Protection Act of 1998, to be codified at 15 U.S.C. ____________, et seq., which prohibits unfair and deceptive acts and practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.

    Section 312.2 Definitions

    Child means an individual under the age of 13.

    Collects or collection means the direct or passive gathering of any personal information from a child by any means, including but not limited to:

    (a) Any online request for personal information by the operator regardless of how that personal information is transmitted to the operator;

    (b) Collection using a chat room, message board, or other public posting of such information on a website or online service; or

    (c) Passive tracking or use of any identifying code linked to an individual, such as a cookie.

    This term includes all online requests for personal information regardless whether the personal information is ultimately transmitted online or offline. Thus, it would include a situation where the website or online service directs the child to print out a form, respond in writing to the questions, and mail the form back to the website or online service.

    Commission means the Federal Trade Commission.

    Delete means to remove personal information such that it is not maintained in retrievable form and cannot be retrieved in the normal course of business.

    Disclosure means, with respect to personal information:

    (a) The release of personal information collected from a child in identifiable form by an operator for any purpose, except where an operator provides such information to a person who provides support for the internal operations of the website or online service and who does not disclose or use that information for any other purpose, where

    (1) Release of personal information means the sharing, selling, renting, or any other means of providing personal information to any third party, and

    (2) Support for the internal operations of the website or online service means those activities necessary to maintain the technical functioning of the website or online service, or to fulfill a request [[Page 22752]] of a child as permitted by Secs. 312.5(c) (2) and (3); and

    (b) Making personal information collected from a child by an operator publicly available in identifiable form, by any means, including by a public posting through the Internet, or through a personal home page posted on a website or online service; a pen-pal service; an electronic mail service; a message board; a chat room; or any other means that would enable a child to reveal personal information to others online.

    Contractors who provide technical support or fulfillment services for a website or online service are considered to be providing support for the website or online service's internal operations. Technical support includes providing the server for the website, online service, chat, or e-mail services. Fulfillment services include supplying children with the items they request from the operator. This provision permits an operator to contract for technical and fulfillment operations that may involve the handling of personal information without triggering a disclosure in the notice.

    The proposed Rule, however, requires operators, among other things, to maintain the confidentiality, security, and integrity of the personal information it collects from children. (See Sec. 312.7.) Thus the operator is responsible for ensuring that any person with whom it contracts for these technical services does not disclose the personal information and complies with the information safeguards of the proposed Rule. As described in the discussion of Sec. 312.7 below, such safeguards may include, for example, maintaining the data off the server, requiring a password to access the data, and limiting employee access to the data.

    Federal agency means an agency, as that term is defined in section 551(1) of title 5, United States Code.

    Internet means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire, radio, or other methods of transmission.

    By including the phrase ``other methods of transmission,'' this definition ensures that the proposed Rule adequately addresses future technological developments such as wireless transmission and access to what is now referred to as the ``Internet.''

    Online contact information means an e-mail address or any other substantially similar identifier that permits direct contact with a person online.

    Operator means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce

    (a) Among the several States or with 1 or more foreign nations;

    (b) in any territory of the United States or in the District of Columbia, or between any such territory and

    (1) Another such territory, or

    (2) Any State or foreign nation; or

    (c) Between the District of Columbia and any State, territory, or foreign nation. This definition does not include any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45).

    The term ``operator'' includes both a person who collects or maintains personal information directly from a visitor through a website or online service and a person who collects or maintains such information through another's website or online service. The statute places the regulatory obligations on the operator. In determining who is the operator for purposes of the proposed Rule, the Commission will consider such factors as who owns the information, who controls the information, who pays for the collection or maintenance of the information, the pre-existing contractual relationships surrounding the collection or maintenance of the information, and the role of the website or online service in collecting and/or maintaining the information.

    Where the website or online service merely acts as the conduit through which the personal information collected flows to another person or to another's website or online service, and the website or online service does not have access to the information, then it is not an operator under the proposed Rule.\5\ Where both the website or online service and another person have access to or control over the information collected, and are considered operators under the factors listed above, both parties will have joint responsibility to provide the protections required by the proposed Rule. In circumstances of joint responsibility, the parties may make arrangements between them to facilitate implementation of their responsibilities. For example, it may be more efficient for the website or online service to provide parental notice and obtain parental consent, since it has the direct relationship with its visitors. Nevertheless, each operator is responsible for ensuring that the obligations of the proposed Rule are fulfilled.

    \5\ Similarly, where the website or online service hires a contractor to provide support for its ``internal operations,'' the contractor would not be deemed an operator if it merely acts as the conduit and uses the information only to the extent necessary to process the information for the operator.

    An operator may choose to release personal information it has collected to a ``third party.'' As defined below, a ``third party'' is ``any person who is neither an operator with respect to the collection of personal information on the website or online service, nor the person who provides support for the internal operations of the website or online service.'' In general, a third party does not collect, own, or control the personal information at the time it is collected. In determining whether an entity is an ``operator'' or ``third party,'' the entity's corporate relationship to another operator, such as whether it is an affiliate, is not a determinative factor. Rather, as described above, its status is determined by how the data is obtained and used.

    Parent includes a legal guardian.

    Person means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity.

    Personal information means individually identifiable information about an individual collected online, including:

    (a) A first and last name;

    (b) A home or other physical address including street name and name of a city or town;

    (c) An e-mail address;

    (d) A telephone number;

    (e) A Social Security number;

    (f) A persistent identifier, such as a customer number held in a cookie or a processor serial number, where such identifier is associated with personal identifying information; a screen name that reveals an individual's e-mail address; an instant messaging user identifier; or a combination of a last name with other information such that the combination permits physical or online contacting; or

    (g) Information concerning the child or the parents of that child that the [[Page 22753]] operator collects online from the child and combines with an identifier described in this paragraph.

    Section 1302(8)(F) of the Act authorizes the Commission to expand the definition of ``personal information'' to include other identifiers that permit physical or online contacting of a specific individual. The proposed definition, therefore, adds several identifiers to Sec. 312.2(f) that were not enumerated in the Act:

    (1) A persistent identifier, such as a cookie or a processor serial number, where it is associated with personal identifying information;

    (2) A screen name that reveals an individual's e-mail address;

    (3) An instant messaging user identifier;\6\ or

    \6\ An ``instant messaging user identifier'' permits users, including children, to conduct what is commonly known as ``ICQ'' or ``Instant Messaging.'' This service is basically a combination of e-mail and chat and is offered for free by a number of websites and online services. It permits an individual, upon registration, to send and receive communication on the Internet in real time. Users can also search instant messaging directories which may provide users' real names, e-mail addresses, cities, gender and age information.

    (4) A combination of a last name with other information such that the combination permits physical or online contacting, e.g., the name of the child's school, zip code, church, or athletic team.

    Each of the above items is specified in the proposed Rule because it permits physical or online contacting of a specific individual.

    Third party means any person who is neither an operator with respect to the collection of personal information on the website or online service, nor a person who provides support for the internal operations of the website or online service.

    Obtaining verifiable consent means making any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, a parent of the child:

    (a) receives notice of the operator's personal information collection, use, and disclosure practices; and

    (b) authorizes any collection, use, and/or disclosure of the personal information.

    This definition is taken directly from the Act. Possible examples of reasonable efforts are found below in Sec. 312.5(b), describing parental consent.

    Website or online service directed to children means a commercial website or online service, or portion thereof, that is targeted to children. Provided, however, that a commercial website or online service, or a portion thereof, shall not be deemed directed to children solely because it refers or links to a commercial website or online service directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link. In determining whether a commercial website or online service, or a portion thereof, is targeted to children, the Commission will consider its subject matter, visual or audio content, age of models, language or other characteristics of the website or online service, as well as whether advertising promoting or appearing on the website or online service is directed to children. The Commission will also consider competent and reliable empirical evidence regarding audience composition; evidence regarding the intended audience; and whether a site uses animated characters and/or child-oriented activities and incentives.

    The definition of ``directed to children'' permits the Commission to consider a number of different factors in determining whether a website or online service, or a portion thereof, is directed to children. The Commission may consider whether the website or online service, or portion thereof, is designated as a children's area; the site's subject matter, visual or audio content, age of models, language or other characteristics; and whether the site uses features designed to be attractive to children, such as games, puppets, or animated characters and child-oriented activities and incentives.

    This approach is consistent with that taken in other media to define what is directed to children, including television, radio, and print advertising. It also provides the Commission flexibility as it seeks to enforce the proposed Rule in the new and developing online medium.

    An operator of a website or online service with a ``portion'' directed to children will have duties under the proposed Rule for that portion. An operator of a general interest website or online service that is not directed to children, however, will have duties under the proposed Rule only if it knows that particular visitors are under the age of 13.

    Section 312.3 Regulation of Unfair and Deceptive Acts and Practices in Connection with the Collection, Use, and/or Disclosure of Personal Information From and About Children on the Internet

    General requirements. It shall be unlawful for any operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under this Rule. Generally, under this Rule, an operator must:

    (a) Provide notice on the website or online service of what information it collects from children, how it uses such information, and its disclosure practices for such information (Sec. 312.4(b));

    (b) Obtain verifiable parental consent for any collection, use, and/or disclosure of personal information from children (Sec. 312.5);

    (c) Provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance (Sec. 312.6);

    (d) Not condition a child's participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity (Sec. 312.7); and

    (e) Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children (Sec. 312.8).

    Section 312.3 of the proposed Rule outlines the general requirements that an operator must implement in connection with any collection, use, and/or disclosure of personal information obtained from children. Failure to abide by these requirements constitutes an unfair and/or deceptive act or practice within the meaning of the FTC Act. Each of these general requirements is defined in more detail in specific paragraphs of the proposed Rule.

    Section 312.4 Notice.

    The proposed Rule requires operators to both post on the website or online service and send to parents notices of the operator's information collection practices and the intended actions with respect to the use and/or disclosure of information collected from children.\7\ Section 312.4 specifies the information that must be included in such notices, and states how such notices must be posted on the website or online service or provided to parents.

    \7\ See, e.g., sections 312.3(a) (requiring notice on the website), and 312.5 (setting out the requirements for notice to parents and for obtaining verifiable parental consent).

    Section 312.4(a) sets out the general principles of effective notice; section 312.4(b) sets out the requirements for the notice on the website or online service; and section 312.4(c) sets out the requirements for notices that are sent [[Page 22754]] directly to parents under various other provisions of the proposed Rule.

    (a) General Principles of Notice

    All notices under Secs. 312.3(a) and 312.5 must be clearly and understandably written, be complete, and must contain no unrelated, confusing, or contradictory materials.

    The operator's notice will form the basis for a parent's decision whether to give the operator consent to collect, use and/or disclose personal information from his or her child. In order to provide truly informed consent, a parent must have a clear idea of what the operator wishes to do. Therefore, it is essential that such notices be prominent and easy to find (in the case of a notice posted on the website or online service), and be clearly and understandably written. It is also essential that such notices contain all relevant information, and contain no unrelated, confusing, or contradictory materials.

    (b) Notice on the Website or Online Service

    An operator must post a link to a notice of its information practices with regard to children on the home page of its website or online service and at each place on the website or online service where personal information is collected from children.

    (1) Placement of the notice.

    (i) The link to the notice must be clearly labeled as a notice of the website or online service's information practices with regard to children;

    (ii) The link to the notice must be placed in a prominent place on the home page of the website or online service such that a typical visitor to the home page can see the link without having to scroll down; and

    (iii) There must be a prominent link to the notice at each place on the website or online service where children directly provide, or are asked to provide, personal information such that a typical visitor to those places can see the link without having to scroll down.

    Under section 312.3(a) of the proposed Rule, operators are required to provide notice on the website or online service of their practices with regard to the collection, use, and disclosure of information sought online from children.\8\ Under section 312.4(b)(1), operators must post links to the notice on the website or online service's home page and at each place on the website or online service where personal information is collected from children. The link on the home page must be placed such that a typical visitor does not need to scroll down from the initial viewing screen. A small link at the foot of the page, for example, is not sufficient, because the risk is great that many people will not notice it and will therefore not have the opportunity to learn about the operator's policies. In addition, if the policy is included as part of a larger document, it is important that the required link take visitors directly to the part of the document that discusses the operator's information practices with regard to children.\9\ Similarly, it is important to provide a link to the policy at each place on the website or online service where information is collected from children because (a) not all visitors to a website or online service enter it through the home page, and (b) a link at the point of information collection guarantees that the notice will be seen by a parent who is visiting the website or online service to learn about the operator's specific information practices. Being able to review an operator's policies in context can help parents understand why such information is being collected.

    \8\ Often, such information practice policies are referred to as ``privacy policies.'' The Commission encourages operators to use informative names for their information practice policies. A link to an information practice policy that is labeled ``About Us'' or ``What We Do,'' for example, will probably not convey to visitors that the link will take them to a statement of the operator's information practices.

    \9\ Operators who use more than one set of practices on a website (e.g., separate practices for children and adults) must be especially careful to label the different practices clearly, and to make sure that the notices are written clearly in order to avoid any possible confusion.

    (2) Content of the notice.

    Generally speaking, parents need to know (a) who is collecting information through a website or online service; (b) what kind of information is collected through the website or online service; (c) how information is collected through the website or online service; (d) how such information will be used, including whether it will be disclosed to third parties and for what general purposes; (e) what control parents can exercise over their children's information, the procedures for doing so, and the consequences of their refusal to provide information; and (f) what general measures the operator takes to ensure the confidentiality, integrity, and quality of the information collected. Section 312.4(b)(2) sets out in detail the information operators must include in their notices in order to satisfy the requirements of this section of the proposed Rule.

    To be complete, the notice of the website or online service's information practices must state the following:

    (i) The name, address, phone number, and e-mail address of all operators collecting personal information from children through the website or online service;

    Section 312.4(b)(2)(i) of the proposed Rule requires all operators that are collecting personal information through the website or online service to state their name, address, phone number, and e-mail address. This information will enable parents to both identify and contact the operator should they want further information about the website or online service, or to request an opportunity to review information collected from their child pursuant to section 312.6 below.

    (ii) The types of personal information collected from children and whether the personal information is collected directly or passively;

    Section 312.4(b)(2)(ii) of the proposed Rule requires operators to list the types of personal information collected online, e.g., name, address, hobbies, and investment information, and whether such information is collected directly or passively from children. While operators are not required to list each and every piece of information collected, the categories operators select should be descriptive enough that parents can make an informed decision about whether to consent to the operator's collection and/or use of the information. It is not necessary to list each item of information collected. A notice, however, that simply states ``We collect personal information from your kids'' does not provide enough information for parents.

    (iii) How such personal information is or may be used by the operator, including but not limited to fulfillment of a requested transaction, recordkeeping, marketing back to the child, or making it publicly available through a chat room or by other means;

    Section 312.4(b)(2)(iii) of the proposed Rule requires operators to list how the personal information will be used once it has been collected, including such uses as order fulfillment, recordkeeping, marketing back to the child, disclosure to third parties or making it publicly available through a chat room or by other means. As in section 312.4(b)(2)(ii) of the proposed Rule, the challenge for the operator will be to provide enough information for parents to make informed decisions without listing every specific or possible use of the information. For example, the statement that ``we use this information to provide information on toys to your child'' is probably just as informative as the statement ``we use this information to provide your child with information

    [[Page 22755]]

    on beanie babies, dolls, action figures, puzzles, and stuffed animals.''

    In addition, where the operator permits a child to engage in interactive activities that enable a child to publicly reveal his or her personal information, e.g., a chat room, message board, e-mail service, instant message, or personal home page, the operator must clearly state that in its notice to the parent.

    (iv) Whether personal information is disclosed to third parties, and if so, the types of business in which such third parties are engaged, and the general purposes for which such information is used; whether those third parties have agreed to maintain the confidentiality, security, and integrity of the personal information they obtain from the operator; and that the parent has the option to consent to the collection and use of their child's personal information without consenting to the disclosure of that information to third parties;

    Section 312.4(b)(2)(iv) of the proposed Rule relates to the operator's practices with respect to third parties. It requires operators that disclose children's personal information to third parties to provide a brief statement of the types of business in which the third parties are engaged, e.g., list brokering, advertising, magazine publishing, or retailing, and to state the general purposes for which it is disclosed to third parties. See section 312.2 regarding the definition of ``third party.'' It is important for parents to know not just that their child's information is being disclosed to third parties, but for what purposes. Simply telling parents that their child's personal information is (or may be) ``disclosed to third parties'' does not give parents enough information upon which to base their consent or refusal to consent to the operator's information practices.

    Section 312.4(b)(2)(iv) also requires operators to state whether the third parties to whom they disclose personal information have agreed to maintain the confidentiality of that information. An operator's good information practices can be rendered useless if someone to whom the operator discloses personal information does not also protect the information. If their children's personal information will not be protected once it leaves the control of the operator, the operator must make that clear to parents.

    Finally, section 312.4(b)(2)(iv) requires operators to tell parents that they have the option to consent to the collection and use of their child's personal information without consenting to the disclosure of that information to third parties.

    (v) That the operator is prohibited from conditioning a child's participation in an activity on the child's disclosing more personal information than is reasonably necessary to participate in such activity; and

    Section 312.4(b)(2)(v) provides notice to the parent that the operator is prohibited from requiring a child to disclose more personal information than is reasonably necessary to participate in an activity such as a game or contest. This statement merely paraphrases the prohibition enumerated in section 312.7 of the proposed Rule. Providing this information in the notice enables the parent to evaluate the appropriateness of a request for personal information on a website or online service.

    (vi) That the parent can review, make changes to, or have deleted the child's personal information and state the procedures for doing so.

    Under section 312.4(b)(2)(vi) of the proposed Rule, the operator must state in the notice that parents have the right to review information provided by their child and make changes to and/or have the information deleted. In addition, the operator must describe how parents can do so.\10\

    \10\ See section 312.6 (Right of parent to review personal information provided by child.) for a more detailed discussion.

    (c) Notice to a Parent

    Under Sec. 312.5, an operator must make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives notice of an operator's practices with regard to the collection, use, and/or disclosure of the child's personal information, including any collection, use, and/or disclosure to which the parent has not previously consented.

    This section of the proposed Rule requires operators to make reasonable efforts, taking into account available technology, to provide direct notice to a parent whose child wants to provide personal information or from whose child the operator wishes to collect personal information. This notice will form the basis for the parent's decision regarding the operator's request to collect information from or about the child. To that end, the notice must (a) give the parent comprehensive information about the operator's information practices and policies, including informing parents of changes requiring a new consent; (b) lay out the parent's options with regard to consent; (c) describe the procedures by which the parent can provide verifiable consent (see section 312.5 of the proposed Rule); and (d) describe the parent's right to review and make changes to information provided by the child and lay out the procedures for doing so (see section 312.6 of the proposed Rule). Section 312.4(c)(1) details the information that must be included in the notice to the parent.

    Reasonable efforts to provide parents with notice under this section can include, but are not limited to, sending the notice by postal mail, sending the notice to the parent's e-mail address, or having the child print out a form to give to the parent.

    An operator must also send the parent an updated notice and request for consent for any collection, use, or disclosure of his or her child's personal information not covered by a previous consent. A new notice and request for consent will be required, for example, if the operator wishes to use the information in a manner that was not included in the original notice, such as disclosing it to parties not covered by the original consent, including parties created by a merger or other corporate combination involving existing operators or third parties.

    (1) Content of the notice to the parent.

    (i) All notices must state the following:

    (A) That the operator wishes to collect personal information from the child;

    (B) The information set forth in paragraph 312.4(b) of this section.

    (ii) In the case of a notice to obtain verifiable parental consent under Sec. 312.5(a), the notice must also state that the parent's consent is required for the collection, use, and/or disclosure of such information, and the means by which the parent can provide verifiable consent to the collection of information.

    The operator must tell the parent that the operator wishes to collect personal information from the child. Section 312.4(c)(1)(i) requires that all notices, whether pursuant to section 312.5(a) or 312.5(c)(3), contain the information set forth in section 312.4(b). Section 312.4(c)(1)(ii) applies to notice pursuant to section 312.5(a), which requires prior verifiable parental consent. In such cases, the operator must inform the parent that his or her consent is required for the collection, use, and/or disclosure of the child's personal information, and that no collection, use, or disclosure will take place absent the parent's affirmative consent. The operator must also tell the parent how to provide verifiable consent or refuse to consent to the operator's desired collection, use, and/or disclosure of the child's information. See section 312.5 of the proposed Rule for further detail on providing parental consent.

    [[Page 22756]]

    (iii) In the case of a notice under the exception in Sec. 312.5(c)(3), the notice must also state the following:

    (A) That the operator has collected the child's e-mail address or other online contact information to respond to the child's request for information and that the requested information will require more than one contact with the child;

    (B) That the parent may refuse to permit further contact with the child and require the deletion of the e-mail address or other online contact information; and

    (C) That if the parent fails to respond to the notice, the operator may use the information for the purpose(s) stated in the notice.

    Under section 312.4(c)(1)(iii) of the proposed Rule, if the child has made a direct request of the operator that would require the operator to make repeated contact with the child (see section 312.5(c)(3) of the proposed Rule), the operator must tell the parent of the child's request, notify the parent that his or her child has provided the operator with an e-mail address so the operator can fulfill that request, and state that the parent may refuse to permit further contact with the child and require the operator to delete the child's online contact information. Because this type of contact with the child does not require a parent's affirmative consent, the operator must clearly notify the parent that, in this instance, if the parent fails to respond to the notice, the operator may use the information for the purpose(s) stated in the notice.

    (iv) In the case of a notice under the exception in Sec. 312.5(c)(4), the notice must also state the following:

    (A) That the operator has collected the child's name and an e-mail address or other online contact information to protect the safety of the child participating on the website or online service;

    (B) That the parent may refuse to permit the use of the information and require the deletion of the information; and

    (C) That if the parent fails to respond to the notice, the operator may use the information for the purpose stated in the notice.

    Section 312.4(c)(1)(iv) requires an operator to give a parent notice and an opportunity to refuse to permit the continued use of the information where the operator has collected the child's name and online contact information for purposes of providing for the safety of the child. (See discussion of the safety concerns in the discussion of Sec. 312.5(c)(4).)

    Section 312.5 Parental Consent

    (a) General Requirements

    (1) An operator is required to obtain verifiable parental consent before any collection, use, and/or disclosure of personal information collected from children, including any collection, use and/or disclosure to which the parent has not previously consented.

    (2) An operator must give the parent the option to consent to the collection and use of the child's personal information without consenting to disclosure of his or her personal information to third parties.

    As described in Sec. 312.3(b), the general rule is that an operator is required to obtain verifiable parental consent ``before'' any collection, use, and/or disclosure of personal information from children under the age of 13. As noted above, this means that an operator must obtain verifiable parental consent prior to using or disclosing any information already in its possession as of the effective date of the proposed Rule. Moreover, where an operator changes its collection, use and/or disclosure practices from that provided in the notice, it must obtain verifiable parental consent to the new practice(s) before using the personal information. See discussion of Section 312.4(c), above. Section (a)(2) gives parents the right to consent to an operator's collection and use of their children's information without consenting to the disclosure of that information to third parties. This provision ensures that operators will not be able to condition a child's participation in any online activity on obtaining parental consent to disclosure to third parties.

    (b) Mechanisms for Verifiable Parental Consent

    An operator must make reasonable efforts to obtain verifiable parental consent, taking into consideration available technology. Any method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent.

    Operators may develop any number of ways to implement this requirement. At this time, the Commission is not prepared to commit to any particular method or methods, but rather, invites comments on the feasibility, costs, and benefits of various methods of obtaining parental consent. Among other possibilities, an operator could provide a consent form to be signed by the parent and returned to the operator by postal mail or facsimile, require a parent to use a credit card in connection with a transaction, or have a parent call a toll-free telephone number. Another possibility could be an e-mail accompanied by a valid digital signature. The Commission is also considering whether there are other e-mail-based mechanisms that would satisfy the Act's requirements--i.e., whether they could provide sufficient assurance that the person providing the consent is the child's parent. See questions ________ and ________, below.

    One way to comply with this requirement would be for portal sites, online services that offer their own proprietary areas, or others to provide a parental consent service for their content partners. In addition, it may be acceptable for a business to provide notice and consent services for individual operators. Such services must, however, provide adequate notice to parents about the information practices of the participating partners to ensure that a parent's consent to the sharing of their child's personal information is informed and meaningful.

    (c) Exceptions to prior parental consent.

    Verifiable parental consent is required prior to any collection, use and/or disclosure of personal information from a child except as set forth in this paragraph. The exceptions to prior parental consent are as follows:

    (1) Where the operator collects the name or online contact information of a parent or child to be used for the sole purpose of obtaining parental consent or providing notice under Sec. 312.4. If the operator has not obtained parental consent after a reasonable time from the date of the information collection, the operator must delete such information from its records;

    This exception permits an operator to collect the parent or child's name or e-mail address to provide notice and obtain parental consent. While section 1303(b)(2)(B) of the Act permits collection of a parent or child's online contact information, the Commission encourages operators to collect only the parent's e-mail address and the child's first name for purposes of this exception. (Collection of the child's first name should be adequate to inform the parent which child's information is being sought.) In many instances the child's e-mail address may be the same as the parent's. Nevertheless, since this exception is solely to enable the operator to provide parental notice and obtain parental consent, collection of the child's information would seem to be unnecessary.

    (2) Where the operator collects online contact information from a child for the

    [[Page 22757]]

    sole purpose of responding directly on a one-time basis to a specific request from the child, and where such information is not used to recontact the child and is deleted by the operator from its records;

    This exception is intended to permit operators to respond to specific requests from a child, such as to provide homework assistance or to answer questions posed by the child. A request must be specific in scope and should be initiated by the child. Under this exception, the operator responds to the child's request for information by sending an e-mail containing the answer or response, but does not retain the child's e-mail address for any further use. Operators should consider, however, whether frequently requested information cannot just as easily be posted on the website or online service, thus obviating the need for the collection of any online contact information in the first instance.

    (3) Where the operator collects online contact information from a child to be used to respond directly more than once to a specific request from the child, and where such information is not used to recontact the child beyond the scope of that request. In such case, the operator must make reasonable efforts, taking into consideration available technology, to ensure that a parent receives notice and has the opportunity to request that the operator make no further use of the information, as described in Sec. 312.4(c), immediately after the initial response and before making any additional response to the child. Mechanisms to provide such notice include, but are not limited to, sending the notice by postal mail or sending the notice to the parent's e-mail address, but do not include asking a child to print a notice form or sending an e-mail to the child;

    This paragraph permits an operator to respond to a child's request for an online newsletter, for example, or to conduct a contest requiring later notification of the winner. Section 1303(b)(2)(C) of the Act does not specify whose online contact information may be collected, the parent or the child's; however, because the operator must already collect the parent's online contact information for purposes of providing the parent notice under this section, the Commission recommends that the operator collect the parent's e-mail address and offer the parent the option of substituting the child's e-mail address. Because under this paragraph a parent's silence after receiving notice constitutes consent to the operator's intended use, it is critical that the operator choose a method that ensures the parent receives the notice. Therefore, the proposed Rule includes examples of acceptable and unacceptable methods of providing notice under this paragraph.

    (4) Where the operator collects a child's name and online contact information to the extent reasonably necessary to protect the safety of a child participant on the website or online service, where such information is

    (i) Used only for the purpose of protecting the child's safety;

    (ii) Not used to recontact the child or for any other purpose;

    (iii) Not disclosed on the website or online service;

    and the operator uses reasonable efforts to provide a parent notice as described in Sec. 312.4(c); and

    This exception is intended to permit an operator to collect limited personal information that is reasonably necessary to protect the safety of a child participating in such interactive activities as a chat room, message board, or e-mail service. For certain safety purposes, however, the Commission notes that the collection of the parent's rather than the child's online contact information may be sufficient. Indeed, parents are in the best position, for example, to intervene if a child is threatening another child while engaged in a chat room. The Commission, therefore, seeks additional guidance on this issue. See question 13 below.

    (5) Where the operator collects a child's name and online contact information to the extent reasonably necessary

    (i) To protect the security or integrity of its website or online service;

    (ii) To take precautions against liability;

    (iii) To respond to judicial process; or

    (iv) To the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety;

    and such information is used only for such purpose and is not used to recontact the child for any other purpose.

    This provision authorizes an operator to collect a child's name and online contact information without notice to the parent or parental consent for certain limited purposes. It is not intended to authorize collection of personal information on the basis of purely hypothetical concerns. It is contemplated that the information may be useful in identifying website hackers. Although not required by the Act, the Commission recommends that when an operator relies on this exception, the operator provide parents notice of the collection and use of such information as described in section 312.4(c) of the proposed Rule.

    Certain exceptions specifically require that the personal information be deleted following the fulfillment of the purpose for which it was collected. (See Secs. 1303(b)(2)(A) and (b)(2)(B) of the Act and paragraphs (c)(1) and (c)(2) of this section of the proposed Rule.) For those exceptions that do not require deletion, the Commission recommends that operators delete the information voluntarily. This will reduce the risk of unauthorized access, use, or disclosure of personal information that was collected without prior parental consent.

    Section 312.6. Right of Parent to Review Personal Information Provided by Child.

    (a) Upon request of a parent whose child has provided personal information to a website or online service, and upon proper identification of that parent, the operator of that website or online service is required to provide to that parent the following:

    (1) A description of the specific types or categories of personal information collected from the child by the operator, such as name, address, telephone number, e-mail address, hobbies, and extracurricular activities;

    (2) The opportunity at any time to refuse to permit the operator's further use or collection of personal information from that child, and to direct the operator to delete the child's personal information; and

    (3) Notwithstanding any other provision of law, a means of reviewing and making changes to any personal information collected from the child. The means employed by the operator to carry out this provision must:

    (i) Ensure that the requestor is a parent of that child, taking into account available technology; and

    (ii) Not be unduly burdensome to the parent.

    (b) Neither an operator nor the operator's agent shall be held liable under any Federal or State law for any disclosure made in good faith and following reasonable procedures in responding to a request for disclosure of personal information under this section.

    This provision of the Rule describes how operators can comply with the Act's requirement that they allow parents to review, make changes to, or have deleted any information provided by their child. The Act allows a two-tiered approach to parental review. First, upon request of a properly-identified parent, the operator must tell the parent what types of information

    [[Page 22758]]

    have been collected from the child, for example, ``Your child has given us his name, address, e-mail address, and a list of his favorite computer games.'' Section 312.6(a)(1). Subsequently, if the parent wishes to review the specific information provided by his child, the operator must provide a means for doing so that ensures that the person requesting the information is the parent, but not unduly burdensome to the parent, under section 312.6(a)(3).\11\ In addition, the parent may, at any time, direct the operator to delete any or all of the child's information in the operator's files, refuse to permit the operator to continue to use that information, or prohibit the operator from collecting any further information in the future. Section 312.6(a)(2).\12\

    \11\ Operators are free to skip the first step (description of the types of information provided by the child) and simply allow parents to review the specific information provided by the child under section 312.6(a)(3).

    \12\ Section 312.6 is not intended to require operators to keep databases of personal information collected from children even after the consented-to uses have been discontinued--for example, because the parent may someday request it. If a parent asks to review his or her child's information after the operator has deleted it, the operator can reply that it has no information on that child.

    Because compliance with section 312.6(a)(3) of this Rule requires operators to release personal information collected from children, it is critical that operators use a system for checking identification that reasonably ensures that the person requesting the information is, in fact, a parent of that child.\13\ The identification method chosen by the operator should not be so burdensome that parents effectively cannot exercise their rights under this provision, i.e., requiring parents to come to its office headquarters to show proof of parentage.

    \13\ As a practical matter, it may be acceptable for an operator to use a less stringent identification requirement when giving out the types of information collected from the child under section 312.6(a)(1).

    A number of methods can be used to check identity that provide a degree of certainty without unduly burdening either the operator or the parent. For example, the operator may require a copy of the parent's driver's license showing that the parent and child live at the same address. In addition, an operator could devise a password system in conjunction with its procedure for obtaining verifiable parental consent that could serve as an aid in identification. By contrast, simply providing a toll-free telephone number for parents to call and request information would not be sufficient to ensure that a caller is actually the child's parent.\14\ Operators who disclose the information to parents in good faith and follow reasonable procedures in responding to a request for disclosure will be exempt from liability under any Federal or State laws.

    \14\ There may be ways to utilize toll-free telephone numbers that would be sufficient to ensure that the requestor is a parent of the child. For example, a reasonable procedure might involve giving the parent the toll-free telephone number and a password unique to that parent after the operator receives the parent's verifiable consent.

    (c) Subject to the limitations set forth in Sec. 312.7, an operator may terminate any service provided to a child whose parent has refused, under paragraph (a)(2) of this section, to permit the operator's further use or collection of personal information from his or her child or has directed the operator to delete the child's personal information.

    Section 312.7 prohibits operators from conditioning a child's participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in the activity. See infra. The corollary to that prohibition is that operators may terminate a child's access to or participation in those activities or services when a parent who has consented to the information collection subsequently requires the operator to delete the information that was necessary for the child to participate. For example, an operator requires children to provide an e-mail address to participate in a chat room so that the operator can contact the child if the child is misbehaving in the chat room. After giving consent, a parent changes her mind and requires the operator to delete her child's information. The operator may refuse to allow the child to participate in the chat room in the future. If, however, there are other activities or services on the operator's website that do not require that information, then the operator must allow the child to have access to those activities or services.

    Section 312.7. Prohibition Against Conditioning a Child's Participation on Collection of Personal Information.

    An operator is prohibited from conditioning a child's participation in a game, the offering of a prize, or another activity on the child's disclosing more personal information than is reasonably necessary to participate in such activity.

    The purpose of this section is to encourage a child's access to activities, but to prevent operators from tying collection of personal information to such popular and persuasive incentives as prizes or games. The proposed rule authorizes operators to condition participation on the collection of only such personal information as is reasonably necessary to conduct an activity--for example, collection of an e-mail address for purposes of awarding a prize to a contest winner. The operator, however, must always obtain verifiable parental consent to the collection of any personal information from the child, even if it is reasonably necessary to participate in an activity, unless one of the exceptions to prior parental consent defined in section 312.5(c) of the proposed Rule applies.

    Section 312.7 of the proposed Rule precludes, for example, an operator from requiring a child to provide personal information for the purpose of registering merely to access the website or online service if such personal information is not reasonably necessary to engage in its activities.

    Section 312.8 Confidentiality, Security, and Integrity of Personal Information Collected From Children

    The operator must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

    Operators must have adequate procedures for protecting personal information, including policies and standards to protect children's personal information from loss, misuse, unauthorized access, or disclosure. Such protections may include the following: designating an individual in the organization to be responsible for maintaining and monitoring the security of the information; requiring passwords to access the personal information; creating firewalls; utilizing encryption; implementing access control procedures in addition to passwords; implementing devices and procedures to protect the physical security of the data processing equipment; storing the personal information collected online on a secure server that is not accessible from the Internet; installing security cameras and intrusion-detection software to monitor who is accessing the personal information; and installing authentication software to determine whether a user is authorized to enter through a firewall. In addition, effective security implementation requires a clear statement of employee responsibilities and sanctions, as well as employee training to ensure that privacy and security policies are implemented effectively.

    The Commission encourages operators to establish reasonable procedures for the destruction of personal information once it is no [[Page 22759]] longer necessary for the fulfillment of the purpose for which it was collected. Timely elimination of data is the ultimate protection against misuse or unauthorized disclosure.

    Section 312.9 Enforcement

    Subject to sections 1304 and 1306 of the Children's Online Privacy Protection Act of 1998, a violation of a regulation prescribed under section 1303 of this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

    Section 312.10 Safe Harbors

    (a) In General

    An operator will be deemed to be in compliance with the requirements of this Rule if that operator complies with self-regulatory guidelines, issued by representatives of the marketing or online industries, or by other persons, that, after notice and comment, are approved by the Commission.

    As an incentive for industry self-regulation, and to ensure that the protections afforded children under this proposed Rule are implemented in a manner that takes into account industry-specific concerns and technological developments, this section of the proposed Rule provides that an operator's compliance with Commission-approved self-regulatory guidelines serves as a safe harbor in any enforcement action for violations of this Rule. To receive safe harbor treatment, an operator can comply with any Commission-approved guidelines that meet all the criteria set forth in section 312.10(b). The operator need not independently apply for approval, if in fact the operator is fully complying with guidelines already approved by the Commission, which are applicable to the operator's business. (See the discussion of section 312.10(b), below.)

    In an enforcement action, the Commission has the burden of proving non-compliance with the proposed Rule's requirements. The standards enunciated in the proposed Rule thus remain the benchmark against which industry's conduct will ultimately be judged. Compliance with approved guidelines, however, will serve as a safe harbor in any enforcement action under the proposed rule. That is, if an operator can show full compliance with approved guidelines, the operator will be deemed in compliance with the proposed Rule. The Commission retains discretion to pursue enforcement under the Rule if approval of the guidelines was obtained based upon incomplete or inaccurate factual representations or if there was a substantial change in circumstances.

    (b) Criteria for Approval of Self-Regulatory Guidelines

    To be approved by the Commission, guidelines must include the following:

    (1) A requirement that operators subject to the guidelines (``subject operators'') implement the protections afforded children under this Rule;

    (2) An effective, mandatory mechanism for the independent assessment of subject operators' compliance with the guidelines. This requirement may be satisfied by:

    (i) Periodic reviews of subject operators' information practices conducted on a random basis either by the industry group promulgating the guidelines or by an independent entity;

    (ii) Periodic reviews of all subject operators' information practices, conducted either by the industry group promulgating the guidelines or by an independent entity; or

    (iii) Seeding of subject operators' databases, if accompanied by either (i) or (ii); and

    (3) Effective incentives for subject operators' compliance with the guidelines. This requirement may be satisfied by:

    (i) Mandatory, public reporting of disciplinary action taken against subject operators by the industry group promulgating the guidelines;

    (ii) Consumer redress;

    (iii) Voluntary payments to the United States Treasury in connection with an industry-directed program for violators of the guidelines; or

    (iv) Referral to the Commission of operators who engage in a pattern or practice of violating the guidelines.

    The assessment mechanism required under paragraph (b)(2) of this section can be provided by an independent enforcement program, such as a seal program. In considering whether to initiate an investigation or to bring an enforcement action for violations of this Rule, and in considering appropriate remedies for such violations, the Commission will take into account whether an operator has been subject to self-regulatory guidelines approved under this section and whether the operator has taken remedial action pursuant to such guidelines, including but not limited to actions set forth in paragraphs (b)(3)(i) through (iii) of this section.

    Section 312.10(b) of the proposed Rule sets out the criteria that self-regulatory guidelines must meet in order to be approved by the Commission. Under section 312.10(b)(1), guidelines must require implementation of the requirements of this Rule. Sections 312.10(b)(2)-(3), which require that guidelines include independent assessment mechanisms and incentives for compliance, are intended to permit maximum flexibility, consistent with the protections afforded children under the proposed Rule. For this reason, each sets out a mandatory performance standard and suggested means of meeting that standard. Promulgators of guidelines are thus free to use their particular expertise to craft guidelines that meet the performance standards while taking into account industry-specific concerns and technological developments.

    Where guidelines are drafted to be industry-specific, they must define the nature of the businesses to which they apply. An operator can rely on a particular set of guidelines only if it meets the guidelines' definition of applicable businesses.

    In making its determination as to whether to approve submitted guidelines, the Commission will review all elements of those guidelines, including assessment mechanisms, in light of the particular characteristics of the industry or sector that the guidelines are intended to govern.\15\

    \15\ The Commission will also consider any possible anti-competitive misuse of self-regulatory guidelines.

    Section 312.10(b) clarifies that industry groups, or others, who create self-regulatory guidelines may contract with an independent entity, such as a seal program, to implement the assessment mechanism requirement. Under the performance standard enunciated in section 312.10(b)(2), assessment mechanisms must not be based solely on self-assessment by subject operators.

    (c) Request for Commission Approval of Self-Regulatory Guidelines

    (1) To obtain Commission approval of self-regulatory guidelines, industry groups or other persons must file a request for approval. A request shall be accompanied by the following:

    (i) A copy of the full text of the guidelines for which approval is sought and any accompanying commentary;

    (ii) A comparison of each provision of Sec. 312.3 through Sec. 312.9 with the corresponding provisions of the guidelines; and

    (iii) A statement explaining:

    (A) How the guidelines, including the applicable assessment mechanism, meet the requirements of this Rule; and

    (B) How the assessment mechanism and compliance incentives required [[Page 22760]] under paragraphs (b)(2) and (3) of this section provide effective enforcement of the requirements of this Rule.

    (2) The Commission shall act upon a request under this section within 180 days of the filing of such request and shall set forth its conclusions in writing.

    Section 312.10(c) of the proposed Rule requires that persons requesting Commission approval of self-regulatory guidelines submit, in addition to the guidelines and any attendant commentary, documentation supporting the proposition that the guidelines meet the requirements of this Rule. The 180-day period for the Commission to review and approve or reject any request will not begin until all of the documents required under section 312.10(c) have been submitted. If a request is denied and resubmitted, the 180-day period will run from the date of the resubmission.

    An original and six paper copies of the request and supporting materials should be submitted to the Secretary, Federal Trade Commission, Room 159, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580. To enable prompt review and accessibility to the public, the request and supporting materials should also be submitted, if possible, in electronic form, on either one 5\1/4\ or one 3\1/2\ inch computer disk with a label stating the name of the person filing the request and the name and version of the word processing program used. (Programs based on DOS or Windows are preferred. Files from other operating systems should be submitted in ASCII text format.)

    Following initial review of a request under this section, the Commission will publish a notice of the filing of the request both in the Federal Register and on its website at ‹www.ftc.gov›, and will make a copy of the request available for examination by interested persons during business hours at the Federal Trade Commission, Public Reference Room, Room 130, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580. A period of time will be allowed for interested parties to submit written comments to the Commission regarding the request.

    If the Commission determines that the guidelines submitted meet the requirements of the proposed Rule, the Commission will approve the guidelines and publish a notice of the approval both in the Federal Register and on its website at ‹www.ftc.gov›. The Commission will furnish a copy of the notice to the person who filed the request. The approval will become effective 45 days from its publication in the Federal Register and on the Commission's website.

    If the Commission determines that it cannot approve the guidelines, the Commission will notify the persons who filed the request of the facts upon which its findings are based and will afford those persons a reasonable opportunity to resubmit their request. If, after reviewing the resubmitted request, the Commission finds that it still cannot make a favorable determination, the Commission will publish a notice of its determination both in the Federal Register and on its website at ‹www.ftc.gov›, and will furnish a copy of the notice to the persons who filed the request.

    Under section 1304(c) of the Children's Online Privacy Protection Act, final action by the Commission on a request for approval of self-regulatory guidelines, or the Commission's failure to act within 180 days of the filing of such request, may be appealed to a district court of the United States of appropriate jurisdiction as provided for in section 706 of title 5, United States Code.\16\

    \16\ Section 1304(c), Omnibus Consolidated and Emergency Supplemental Appropriations Act, 1999, Pub. L. 105-277, 112 Stat. 2681, ________, ________ U.S.C. ________, ________ (October 21, 1998).

    (d) Records

    Industry groups or other persons who seek safe harbor treatment by compliance with guidelines that have been approved under this Rule shall maintain and upon request make available to the Commission for inspection and copying:

    (1) Consumer complaints alleging violations of the guidelines by subject operators, for a period not less than three years following receipt of such complaints;

    (2) Records of disciplinary actions taken against subject operators; and

    (3) Results of the independent assessments of subject operators' compliance required under paragraph (b)(2) of this section.

    (e) Revocation of Approval

    The Commission reserves the right to revoke any approval granted under this section if at any time it determines that the approved self-regulatory guidelines and their implementation do not, in fact, meet the requirements of this Rule.

    Before revoking any approval of self-regulatory guidelines, the Commission will notify the persons filing the request for approval, or their designees, of the facts or conduct that, in the Commission's opinion, warrant such revocation, and will afford those persons such opportunity as the Commission deems appropriate in the circumstances to demonstrate that the guidelines and their implementation comply with the proposed Rule.

    If, after considering all of the facts, the Commission determines that the guidelines or their implementation do not comply with the proposed Rule, the Commission will publish a notice of its intention to revoke approval of the guidelines both in the Federal Register and on its website at ‹www.ftc.gov›. A period of time will be allowed for interested persons to submit written comments to the Commission regarding the intention to revoke approval.

    If the Commission revokes its approval of the guidelines, it will publish notice of the revocation both in the Federal Register and on its website at ‹www.ftc.gov›, and a copy of such notice will be furnished to the persons who filed the request, or their designees. The revocation will become effective 45 days from its publication in the Federal Register and on the Commission's website.

    Section 312.11 Rulemaking Review

    No later than five years after the effective date of this Rule, the Commission shall initiate a rulemaking review proceeding to evaluate the implementation of this rule, including the effect of the implementation of this Rule on practices relating to the collection and disclosure of information relating to children, children's ability to obtain access to information of their choice online, and on the availability of websites directed to children; and report to Congress on the results of this review.

    Section 312.12 Severability

    The provisions of this Rule are separate and severable from one another. If any provision is stayed or determined to be invalid, it is the Commission's intention that the remaining provisions shall continue in effect.

    Section C. Invitation to Comment

    Before adopting this rule as final, the Commission will give consideration to any written comments submitted to the Secretary of the Commission on or before June 11, 1999. Comments submitted will be available for public inspection in accordance with the Freedom of Information Act (5 U.S.C. 552) and Commission regulations, on normal business days between the hours of 8:30 a.m. and 5 p.m. at the Public Reference Section, Room 130, Federal Trade Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580. Comments will also be posted on the Commission website, ‹www.ftc.gov›.

    [[Page 22761]]

    Section D. Communications by Outside Parties to Commissioners or Their Advisors

    Written communications and summaries or transcripts of oral communications respecting the merits of this proceeding from any outside party to any Commissioner or Commissioner's advisor will be placed on the public record. See 16 CFR 1.26(b)(5) (1998).

    Section F. Regulatory Flexibility Act

    The provision of the Regulatory Flexibility Act requiring an initial regulatory flexibility analysis (5 U.S.C. 603) does not apply because it is believed that the Rule will not have a significant economic impact on a substantial number of small entities (5 U.S.C. 605). This notice also serves as certification to the Small Business Administration of that determination.

    The Rule's requirements are expressly mandated by the Children's Online Privacy Protection Act of 1998.\17\ Thus, the economic impact of the Rule itself is not anticipated to be significant, since any additional costs of complying with the Rule, beyond those imposed by the statute or otherwise likely to be incurred in the ordinary course of business, are expected to be comparatively minimal. Where the Act permits, the regulations have been drafted so as to permit maximum flexibility in the way that affected firms achieve the goals of the Act. In any event, the costs borne by all firms, including small businesses, appear unavoidable under the terms of the Act.

    \17\ Supra note 1.

    Nonetheless, to ensure that no significant economic impact on a substantial number of small entities is overlooked, the Commission hereby requests public comment on the effect of the proposed Rule on the costs, profitability, and competitiveness of, and employment in, small entities. After considering such comments, if any, the Commission will determine whether preparation of a final regulatory flexibility analysis (pursuant to 5 U.S.C. 604) is required.

    Section G. Paperwork Reduction Act

    Pursuant to the Paperwork Reduction Act (PRA) (as amended 44 U.S.C. 3507(d)), the Commission has submitted the proposed Children's Online Privacy Protection Rule to the Office of Management and Budget for its review. The Children's Online Privacy Protection Act mandates specific disclosure requirements relating to the collection of personal information from children. Specifically, the Act requires that operators subject to this Act provide notice to parents.\18\ Based upon survey data,\19\ informal discussions with industry members, and public information, the Commission has estimated for purposes of the PRA the burden-hour on operators subject to this rule, both individually and as an industry, to provide notice to parents. To the extent that the proposed rule's notice requirements are expressly mandated by the Act, the Commission has adopted a performance standard suggested by the Act to provide flexibility in implementing the requirements.

    \18\ The sections of the proposed Rule that refer to notice are Secs. 312.3(a), 312.4, 312.5(c), and 312.6(a). These sections implement Secs. 1302(9), 1303 (b)(1)(A)(i), (b)(2)(B), (b)(2)(C)(i), and (b)(2)(D)(iii) of the Act.

    \19\ Federal Trade Commission, Privacy Online: A Report to Congress, June 1998.

    Because the online marketplace is a very new industry, costs for providing privacy protection have not been gathered to date. Nevertheless, we have attempted to estimate costs associated with providing notice for purposes of the PRA. In particular, the Commission seeks comments on how to minimize the burden of the notice requirement through the use of appropriate automated, electronic, mechanical, or other technological mechanisms.

    The estimate of the burden imposed by the notice requirement is divided into first year start-up costs and subsequent year costs. For purposes of providing notice, the estimated cost for 300 websites directed to children, at 60 hours per site (the estimated time needed to develop the privacy policy, post it on the website and design a mechanism to provide the notice, e.g., an e-mail program), represents a total burden of 18,000 hours for the first year. Subsequent years would be much less, since the start-up costs, such as crafting a privacy policy and posting it online, are generally one-time costs. We estimate the burden-hour in subsequent years would be about 1800 hours to cover the cost of new children's sites coming into the marketplace and providing notice to parents.

    Section H. Effective Date

    The Children's Online Privacy Protection Act directs the Commission to ``promulgate'' regulations within one year of its enactment. An effective date for these rules will be announced by the Commission when it publishes these regulations in final form.

    Section I. Questions on the Proposed Rule

    The Commission is seeking comment on various aspects of the proposed Rule, and is particularly interested in receiving comment on the questions that follow. These questions are designed to assist the public and should not be construed as a limitation on the issues on which public comment may be submitted. Responses to these questions should cite the numbers and subsection of the questions being answered. For all comments submitted, please submit any relevant data, statistics, or any other evidence, upon which those comments are based.

    General Question

  2. Please provide comment on any or all of the provisions in the proposed Rule. For each provision commented on please describe (a) the impact of the provision(s) (including any benefits and costs), if any, and (b) what alternatives, if any, the Commission should consider, as well as the costs and benefits of those alternatives.

    Definitions

  3. Section 312.2 defines ``Internet.'' Is this definition sufficiently flexible to account for changes in technology? If not, how should it be revised?

  4. Section 312.2 defines ``operator.''

    (a) Is this definition sufficiently clear to provide notice as to who is covered by the Rule?

    (b) What is the impact of defining the term in this way?

  5. Section 312.2 defines ``personal information,'' in part, to include a persistent identifier, such as a customer number held in a cookie, or a processor serial number, where such identifier is associated with personal identifying information; an instant messaging user identifier; a screen name that reveals an individual's e-mail address; or a combination of a last name with other information such that the combination permits physical or online contacting. Are there additional identifiers that the Commission should consider adding to this list?

    Notice

  6. Section 312.4(b) lists an operator's obligations with respect to the online placement of the notice of its information practices.

    (a) Are there other effective ways of placing notices that should be included in the proposed rule?

    (b) How can operators make their links to privacy policies informative for parents and children?

  7. Section 312.4(b)(2)(i) requires the notice on the website or online service [[Page 22762]] to state the name, address, phone number, and e-mail address of all operators collecting personal information through the website. Where there are multiple operators collecting personal information through the website, are there other efficient means of providing information about the operators that the Commission should consider?

  8. Section 312.4(b)(2)(iv) requires an operator to state whether the third parties to whom it discloses personal information have agreed to maintain the confidentiality, security, and integrity of that information. How much detail should an operator be required to disclose about third parties' information practices?

  9. Section 312.4(b)(2)(vi) requires an operator's notice to state that the parent has the right to review personal information provided by his or her child and to make changes to and/or have that information deleted, and to describe how the parent can do so. Is this information needed in the notice on the website or online service, or should it be included only in the notice provided directly to the parent under section 312.4(c)?

  10. Section 312.4(c) lists several methods an operator may employ to provide direct notice to a parent whose child wants to provide personal information or from whose child the operator wishes to collect personal information. Are there other, equally effective methods of providing notice to parents that the Commission should consider?

  11. Section 312.4(c)(1) details the information that must be included in the notice to the parent.

    (a) What, if any, of this information is unnecessary?

    (b) What, if any, other information should be included in the notice to the parent?

  12. Section 312.5 requires the operator to send a new notice and request for consent to parents in certain circumstances. The proposal covers instances where the operator wishes to use the information in a manner that was not included in the original notice, such as disclosing it to parties not covered by the original consent, including parties created by a merger or other corporate combination involving existing operators or third parties.

    (a) Does this formulation sufficiently protect children's privacy given the high merger activity in this industry?

    (b) Is this formulation more burdensome than necessary to protect those interests?

    (c) Is there an alternative formulation that would sufficiently protect children's privacy without unnecessarily burdening operators?

    Parental Consent

  13. Section 312.5(a)(2) requires operators to give the parent the opportunity to consent to the collection and use of the child's personal information without consenting to the disclosure of that information to third parties. Should the rule also require that the parent be given the option to refuse to consent to different internal uses of the child's personal information by the operator?

  14. The commentary on section 312.5(b) identifies a number of methods an operator might use to obtain verifiable parental consent.

    (a) Are the methods listed in the commentary easy to implement?

    (b) What are the costs and benefits of using the methods listed?

    (c) Are there studies or other sources of data showing the feasibility, costs, and/or benefits of the methods listed?

    (d) Are there existing methods, or methods in development, to adequately verify consent using an e-mail-based mechanism?

    (e) What are the costs and benefits of obtaining consent using an e-mail-based mechanism?

    (f) To what extent is digital signature technology in use now? Are there obstacles to the general commercial availability or use of digital signature technology?

    (g) What, if any, other methods of obtaining consent should the Commission consider? Please describe how those methods work, their effectiveness, feasibility, costs and/or benefits, and, if still in development, when they will be available.

  15. With respect to methods of obtaining verifiable parental consent, should the Commission allow greater flexibility in mechanisms used to obtain verifiable parental consent in cases where the operator does not disclose children's personal information to third parties or enables a child to make such information publicly available through, for example, a chat room or bulletin board?

  16. Are there any studies or other sources of data regarding the ease or frequency with which children can fabricate parental consent using any of the methods discussed in the proposed Rule?

  17. Would additional research regarding children's behavior in the online environment be useful in assessing the appropriateness of various parental consent mechanisms?

  18. Section 312.5(c)(1) allows an exception to prior parental consent where an operator collects the name or online contact information of a parent or child to be used for the sole purpose of obtaining parental consent or providing notice under this rule. Under this exception, if an operator has not obtained parental consent after a ``reasonable time'' from the date of the information collection, the operator must delete the information from its records.

    (a) What is a ``reasonable time'' for purposes of this requirement? On what is this estimate of a ``reasonable time'' based?

    (b) Alternatively, should an operator be required to maintain a ``do-not-contact'' list so as to avoid sending multiple requests for consent to a parent who has previously refused to consent? What are the costs and benefits of such a ``do-not-contact'' list?

  19. Section 1303(b)(2)(B) of the Children's Online Privacy Protection Act and Section 312.5(c)(1) of the proposed Rule allow an operator to collect the name or online contact information of a parent or child solely for the purpose of obtaining parental consent or providing notice. Are there circumstances that would necessitate collection of the child's online contact information rather than the parent's?

  20. Section 312.5(c)(4) allows an exception to prior parental consent where an operator collects information from a child in order to protect the safety of a child participant on its site. What specific circumstances should trigger this exception?

  21. Section 312.5(c)(5) allows an exception to prior parental consent where an operator collects information from a child for certain limited purposes. To what extent is a child's name or e-mail address necessary:

    (a) To protect the security of the website;

    (b) To aid in the judicial process; or

    (c) To aid in law enforcement?

  22. Section 1303(b)(2)(C)(ii) of the Children's Online Privacy Protection Act authorizes the Commission to allow other exceptions to prior parental consent in this rule ``in such circumstances as the Commission may determine are appropriate, taking into consideration the benefits to the child of access to information and services, and risks to the security and privacy of the child.'' What other circumstances might merit such an exception? What are the risks and benefits of creating such an exception?

    Right of Parent to Review Personal Information Provided by Child

  23. Section 312.6 gives a parent whose child has provided personal [[Page 22763]] information to a website the right, upon proper identification of that parent, to review the personal information provided by the child. The commentary on this section lists several methods an operator may employ to obtain proper identification of a parent.

    (a) Are there any other methods of identification that the Commission should consider?

    (b) In particular, are there other methods that could constitute proper identification in non-traditional family situations (e.g., where the child and parent do not live at the same address or where someone other than a parent is the legal guardian)?

    (c) Are there any technological advances under development that may ease the process of obtaining proper identification of a parent?

    Prohibition Against Conditioning a Child's Participation on Collection of Personal Information

  24. Section 312.7 prohibits operators from conditioning a child's participation in a game, the offering of a prize, or another activity on the child's disclosing more personal information than is reasonably necessary to participate in such activity. What kinds of information do sites collect as a condition of allowing a child to participate in a game, contest, chat room, or other online activity?

    Confidentiality, Security and Integrity of Personal Information Collected From Children

  25. Section 312.8 requires operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

    (a) What practices are commonly used to maintain the safety and confidentiality of data collected online?

    (b) What practices provide the strongest protection?

    (c) How much does it cost to implement such practices?

    Safe Harbor

  26. Section 312.10(b)(2) requires that, in order to be approved by the Commission, self-regulatory guidelines include an effective, mandatory mechanism for the independent assessment of subject operators' compliance with the guidelines. Section 312.10(b)(2) lists several examples of such mechanisms. What other mechanisms exist that would provide similarly effective and independent compliance assessment?

  27. Section 312.10(b)(3) requires that, in order to be approved by the Commission, self-regulatory guidelines include effective incentives for compliance with the guidelines. Section 312.10(b)(3) lists several examples of such incentives. What other incentives exist that would be similarly effective?

  28. Section 1304(b)(1) of the Children's Online Privacy Protection Act requires the Commission to provide incentives for self-regulation by operators to implement the protections afforded children under the Act. The safe harbor provisions of section 312.10 of the proposed rule are one such incentive. What other incentives should the Commission consider?

    Paperwork Reduction Act

  29. The Commission solicits comments on the notice requirements of the proposed Rule to the extent that they constitute ``collections of information'' within the meaning of the Paperwork Reduction Act. The Commission requests comments that will enable it to:

    (a) Evaluate whether the proposed collections of information are necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;

    (b) Evaluate the accuracy of the agency's estimate of the burden of the proposed collections of information, including the validity of the methodology and assumptions used;

    (c) Enhance the quality, utility, and clarity of the information to be collected; and

    (d) Minimize the burden of the collections of information on those who must comply, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology.

    Section J. Proposed Rule

    List of Subjects in 16 CFR Part 312

    Children, Communications, Consumer protection, Electronic mail, E-mail, Internet, Online service, Privacy, Record retention, Safety, Science and technology, Trade practices, Website, Youth.

    Accordingly, the Federal Trade Commission proposes to amend 16 CFR chapter I by adding a new Part 312 to read as follows:

    PART 312--CHILDREN'S ONLINE PRIVACY PROTECTION RULE

    Sec.

    312.1 Scope of regulations in this part.

    312.2 Definitions.

    312.3 Regulation of unfair and deceptive acts and practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.

    312.4 Notice.

    312.5 Parental consent.

    312.6 Right of parent to review personal information provided by a child.

    312.7 Prohibition against conditioning a child's participation on collection of personal information.

    312.8 Confidentiality, security, and integrity of personal information collected from children.

    312.9 Enforcement.

    312.10 Safe harbors.

    312.11 Rulemaking review.

    312.12 Severability.

    Authority: Secs. 1301-1308, Pub. L. 105-277, 112 Stat. 2681.

    Sec. 312.1 Scope of regulations in this part.

    This part implements the Children's Online Privacy Protection Act of 1998, [to be codified at 15 U.S.C. ________, et seq.,] which prohibits unfair and deceptive acts and practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.

    Sec. 312.2 Definitions.

    Child means an individual under the age of 13.

    Collects or collection means the direct or passive gathering of any personal information from a child by any means, including but not limited to:

    (a) Any online request for personal information by the operator regardless of how that personal information is transmitted to the operator;

    (b) Collection using a chat room, message board, or other public posting of such information on a website or online service; or

    (c) Passive tracking or use of any identifying code linked to an individual, such as a cookie.

    Commission means the Federal Trade Commission.

    Delete means to remove personal information such that it is not maintained in retrievable form and cannot be retrieved in the normal course of business.

    Disclosure means, with respect to personal information:

    (a) The release of personal information collected from a child in identifiable form by an operator for any purpose, except where an operator provides such information to a person who provides support for the internal operations of the website or online service and who does not disclose or use that information for any other purpose, where:

    (1) Release of personal information means the sharing, selling, renting, or [[Page 22764]] any other means of providing personal information to any third party, and

    (2) Support for the internal operations of the website or online service means those activities necessary to maintain the technical functioning of the website or online service, or to fulfill a request of a child as permitted by Sec. 312.5(c)(2) and (3); and

    (b) Making personal information collected from a child by an operator publicly available in identifiable form, by any means, including by a public posting through the Internet, or through a personal home page posted on a website or online service; a pen pal service; an electronic mail service; a message board; a chat room; or any other means that would enable a child to reveal personal information to others online.

    Federal agency means an agency, as that term is defined in Section 551(1) of title 5, United States Code.

    Internet means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire, radio, or other methods of transmission.

    Online contact information means an e-mail address or any other substantially similar identifier that permits direct contact with a person online.

    Operator means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce:

    (a) Among the several States or with 1 or more foreign nations;

    (b) In any territory of the United States or in the District of Columbia, or between any such territory, and

    (1) Another such territory, or

    (2) Any State or foreign nation; or

    (c) Between the District of Columbia and any State, territory, or foreign nation. This definition does not include any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45).

    Parent includes a legal guardian.

    Person means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity.

    Personal information means individually identifiable information about an individual collected online, including:

    (a) A first and last name;

    (b) A home or other physical address including street name and name of a city or town;

    (c) An e-mail address;

    (d) A telephone number;

    (e) A Social Security number;

    (f) A persistent identifier, such as a customer number held in a cookie or a processor serial number, where such identifier is associated with personal identifying information; a screen name that reveals an individual's e-mail address; an instant messaging user identifier; or a combination of a last name with other information such that the combination permits physical or online contacting; or

    (g) Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.

    Third party means any person who is neither an operator with respect to the collection of personal information on the website or online service, nor a person who provides support for the internal operations of the website or online service.

    Obtaining verifiable consent means making any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, a parent of the child:

    (a) Receives notice of the operator's personal information collection, use, and disclosure practices; and

    (b) Authorizes any collection, use, and/or disclosure of the personal information.

    Website or online service directed to children means a commercial website or online service, or portion thereof, that is targeted to children. Provided, however, that a commercial website or online service, or a portion thereof, shall not be deemed directed to children solely because it refers or links to a commercial website or online service directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link. In determining whether a commercial website or online service, or a portion thereof, is targeted to children, the Commission will consider its subject matter, visual or audio content, age of models, language or other characteristics of the website or online service, as well as whether advertising promoting or appearing on the website or online service is directed to children. The Commission will also consider competent and reliable empirical evidence regarding audience composition; evidence regarding the intended audience; and whether a site uses animated characters and/or child-oriented activities and incentives.

    Sec. 312.3 Regulation of unfair and deceptive acts and practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.

    General requirements. It shall be unlawful for any operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under this part. Generally, under this part, an operator must:

    (a) Provide notice on the website or online service of what information it collects from children, how it uses such information, and its disclosure practices for such information (Sec. 312.4(b));

    (b) Obtain verifiable parental consent for any collection, use, and/or disclosure of personal information from children (Sec. 312.5);

    (c) Provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance (Sec. 312.6);

    (d) Not condition a child's participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity (Sec. 312.7); and

    (e) Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children (Sec. 312.8).

    Sec. 312.4 Notice.

    (a) General principles of notice. All notices under Secs. 312.3(a) and 312.5 must be clearly and understandably written, be complete, and must contain no unrelated, confusing, or contradictory materials.

    (b) Notice on the website or online service. An operator must post a link to a notice of its information practices with regard to children on the home page of its website or online service and at each place on the website or online service where personal information is collected from children.

    (1) Placement of the notice.

    (i) The link to the notice must be clearly labeled as a notice of the website [[Page 22765]] or online service's information practices with regard to children;

    (ii) The link to the notice must be placed in a prominent place on the home page of the website or online service such that a typical visitor to the home page can see the link without having to scroll down; and

    (iii) There must be a prominent link to the notice at each place on the website or online service where children directly provide, or are asked to provide, personal information such that a typical visitor to those places can see the link without having to scroll down.

    (2) Content of the notice. To be complete, the notice of the website or online service's information practices must state the following:

    (i) The name, address, phone number, and e-mail address of all operators collecting personal information from children through the website or online service;

    (ii) The types of personal information collected from children and whether the personal information is collected directly or passively;

    (iii) How such personal information is or may be used by the operator, including but not limited to fulfillment of a requested transaction, recordkeeping, marketing back to the child, or making it publicly available through a chat room or by other means;

    (iv) Whether personal information is disclosed to third parties, and if so, the types of business in which such third parties are engaged, and the general purposes for which such information is used; whether those third parties have agreed to maintain the confidentiality, security, and integrity of the personal information they obtain from the operator; and that the parent has the option to consent to the collection and use of their child's personal information without consenting to the disclosure of that information to third parties;

    (v) That the operator is prohibited from conditioning a child's participation in an activity on the child's disclosing more personal information than is reasonably necessary to participate in such activity; and

    (vi) That the parent can review, make changes to, or have deleted the child's personal information and state the procedures for doing so.

    (c) Notice to a parent. Under Sec. 312.5, an operator must make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives notice of an operator's practices with regard to the collection, use, and/or disclosure of the child's personal information, including any collection, use, and/or disclosure to which the parent has not previously consented.

    (1) Content of the notice to the parent.

    (i) All notices must state the following:

    (A) That the operator wishes to collect personal information from the child;

    (B) The information set forth in paragraph (b) of this section.

    (ii) In the case of a notice to obtain verifiable parental consent under Sec. 312.5(a), the notice must also state that the parent's consent is required for the collection, use, and/or disclosure of such information, and state the means by which the parent can provide verifiable consent to the collection of information.

    (iii) In the case of a notice under the exception in Sec. 312.5(c)(3), the notice must also state the following:

    (A) That the operator has collected the child's e-mail address or other online contact information to respond to the child's request for information and that the requested information will require more than one contact with the child;

    (B) That the parent may refuse to permit further contact with the child and require the deletion of the e-mail address or other online contact information; and

    (C) That if the parent fails to respond to the notice, the operator may use the information for the purpose(s) stated in the notice.

    (iv) In the case of a notice under the exception in Sec. 312.5(c)(4), the notice must also state the following:

    (A) That the operator has collected the child's name and e-mail address or other online contact information to protect the safety of the child participating on the website or online service;

    (B) That the parent may refuse to permit the use of the information and require the deletion of the information; and

    (C) That if the parent fails to respond to the notice, the operator may use the information for the purpose stated in the notice.

    Sec. 312.5 Parental consent.

    (a) General requirements. (1) An operator is required to obtain verifiable parental consent before any collection, use, and/or disclosure of personal information from children, including any collection, use, and/or disclosure to which the parent has not previously consented.

    (2) An operator must give the parent the option to consent to the collection and use of the child's personal information without consenting to disclosure of his or her personal information to third parties.

    (b) Mechanisms for verifiable parental consent. An operator must make reasonable efforts to obtain verifiable parental consent, taking into consideration available technology. Any method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent.

    (c) Exceptions to prior parental consent. Verifiable parental consent is required prior to any collection, use and/or disclosure of personal information from a child except as set forth in this paragraph. The exceptions to prior parental consent are as follows:

    (1) Where the operator collects the name or online contact information of a parent or child to be used for the sole purpose of obtaining parental consent or providing notice under Sec. 312.4. If the operator has not obtained parental consent after a reasonable time from the date of the information collection, the operator must delete such information from its records;

    (2) Where the operator collects online contact information from a child for the sole purpose of responding directly on a one-time basis to a specific request from the child, and where such information is not used to recontact the child and is deleted by the operator from its records;

    (3) Where the operator collects online contact information from a child to be used to respond directly more than once to a specific request from the child, and where such information is not used for any other purpose. In such cases, the operator must make reasonable efforts, taking into consideration available technology, to ensure that a parent receives notice and has the opportunity to request that the operator make no further use of the information, as described in Sec. 312.4(c), immediately after the initial response and before making any additional response to the child. Mechanisms to provide such notice include, but are not limited to, sending the notice by postal mail or sending the notice to the parent's e-mail address, but do not include asking a child to print a notice form or sending an e-mail to the child;

    (4) Where the operator collects a child's name and online contact information to the extent reasonably necessary to protect the safety of a child participant on the website or online service, and the operator uses reasonable efforts to provide a parent notice as described in Sec. 312.4(c), where such information is:

    (i) Used for the sole purpose of protecting the child's safety;

    [[Page 22766]]

    (ii) Not used to recontact the child or for any other purpose;

    (iii) Not disclosed on the website or online service;

    (5) Where the operator collects a child's name and online contact information and such information is not used for any other purpose, to the extent reasonably necessary:

    (i) To protect the security or integrity of its website or online service;

    (ii) To take precautions against liability;

    (iii) To respond to judicial process; or

    (iv) To the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety.

    Sec. 312.6. Right of parent to review personal information provided by a child.

    (a) Upon request of a parent whose child has provided personal information to a website or online service, and upon proper identification of that parent, the operator of that website or online service is required to provide to that parent the following:

    (1) A description of the specific types or categories of personal information collected from the child by the operator, such as name, address, telephone number, e-mail address, hobbies, and extracurricular activities;

    (2) The opportunity at any time to refuse to permit the operator's further use or collection of personal information from that child, and to direct the operator to delete the child's personal information; and

    (3) Notwithstanding any other provision of law, a means of reviewing and making changes to any personal information collected from the child. The means employed by the operator to carry out this provision must:

    (i) Ensure that the requestor is a parent of that child, taking into account available technology; and

    (ii) Not be unduly burdensome to the parent.

    (b) Neither an operator nor the operator's agent shall be held liable under any Federal or State law for any disclosure made in good faith and following reasonable procedures in responding to a request for disclosure of personal information under this section.

    (c) Subject to the limitations set forth in Sec. 312.7, an operator may terminate any service provided to a child whose parent has refused, under paragraph (a)(2) of this section, to permit the operator's further use or collection of personal information from his or her child or has directed the operator to delete the child's personal information.

    Sec. 312.7 Prohibition against conditioning a child's participation on collection of personal information.

    An operator is prohibited from conditioning a child's participation in a game, the offering of a prize, or another activity on the child's disclosing more personal information than is reasonably necessary to participate in such activity.

    Sec. 312.8 Confidentiality, security, and integrity of personal information collected from children.

    The operator must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

    Sec. 312.9 Enforcement.

    Subject to sections 1304 and 1306 of the Children's Online Privacy Protection Act of 1998, a violation of a regulation prescribed under section 1303 of this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

    Sec. 312.10. Safe harbors.

    (a) In general. An operator will be deemed to be in compliance with the requirements of this part if that operator complies with self-regulatory guidelines, issued by representatives of the marketing or online industries, or by other persons, that, after notice and comment, are approved by the Commission.

    (b) Criteria for approval of self-regulatory guidelines. To be approved by the Commission, guidelines must include the following:

    (1) A requirement that operators subject to the guidelines (``subject operators'') implement the protections afforded children under this part;

    (2) An effective, mandatory mechanism for the independent assessment of subject operators' compliance with the guidelines. This requirement may be satisfied by:

    (i) Periodic reviews of subject operators' information practices conducted on a random basis either by the industry group promulgating the guidelines or by an independent entity;

    (ii) Periodic reviews of all subject operators' information practices, conducted either by the industry group promulgating the guidelines or by an independent entity; or

    (iii) Seeding of subject operators' databases, if accompanied by either paragraphs (b)(2)(i) or (b)(2)(ii) of this section; and

    (3) Effective incentives for subject operators' compliance with the guidelines. This requirement may be satisfied by:

    (i) Mandatory, public reporting of disciplinary action taken against subject operators by the industry group promulgating the guidelines;

    (ii) Consumer redress;

    (iii) Voluntary payments to the United States Treasury in connection with an industry-directed program for violators of the guidelines; or

    (iv) Referral to the Commission of operators who engage in a pattern or practice of violating the guidelines.

    (c) Implementation and effect. The assessment mechanism required under paragraph (b)(2) of this section can be provided by an independent enforcement program, such as a seal program. In considering whether to initiate an investigation or to bring an enforcement action for violations of this part, and in considering appropriate remedies for such violations, the Commission will take into account whether an operator has been subject to self-regulatory guidelines approved under this section and whether the operator has taken remedial action pursuant to such guidelines, including but not limited to actions set forth in paragraphs (b)(3)(i) through (iii) of this section.

    (d) Request for Commission approval of self-regulatory guidelines. (1) To obtain Commission approval of self-regulatory guidelines, industry groups or other persons must file a request for such approval. A request shall be accompanied by the following:

    (i) A copy of the full text of the guidelines for which approval is sought and any accompanying commentary;

    (ii) A comparison of each provision of Secs. 312.3 through 312.9 with the corresponding provisions of the guidelines; and

    (iii) A statement explaining:

    (A) How the guidelines, including the applicable assessment mechanism, meet the requirements of this part; and

    (B) How the assessment mechanism and compliance incentives required under paragraphs (b)(2) and (3) of this section provide effective enforcement of the requirements of this part.

    (2) The Commission shall act upon a request under this section within 180 days of the filing of such request and shall set forth its conclusions in writing.

    (e) Records. Industry groups or other persons who seek safe harbor treatment by compliance with guidelines that have been approved under this part shall maintain and upon request make available to the Commission for inspection and copying:

    (1) Consumer complaints alleging violations of the guidelines by subject [[Page 22767]] operators, for a period not less than three years following receipt of such complaints;

    (2) Records of disciplinary actions taken against subject operators; and

    (3) Results of the independent assessments of subject operators' compliance required under paragraph (b)(2) of this section.

    (f) Revocation of approval. The Commission reserves the right to revoke any approval granted under this section if at any time it determines that the approved self-regulatory guidelines and their implementation do not, in fact, meet the requirements of this part.

    Sec. 312.11 Rulemaking review.

    No later than five years after [the effective date of the final rule], this Rule, the Commission shall initiate a rulemaking review proceeding to evaluate the implementation of this part, including the effect of the implementation of this part on practices relating to the collection and disclosure of information relating to children, children's ability to obtain access to information of their choice online, and on the availability of websites directed to children; and report to Congress on the results of this review.

    Sec. 312.12 Severability.

    The provisions of this part are separate and severable from one another. If any provision is stayed or determined to be invalid, it is the Commission's intention that the remaining provisions shall continue in effect.

    By direction of the Commission. Donald S. Clark, Secretary.

    [FR Doc. 99-10250 Filed 4-26-99; 8:45 am]

    BILLING CODE 6750-01-P
