Appendix G. Children’s Online Privacy Protection Rule

(Title 16 C.F.R. 312)

Sec. 312.1 Scope of regulations in this part.

This part implements the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.), which prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet. The effective date of this part is April 21, 2000.

Sec. 312.2 Definitions.

Child means an individual under the age of 13.

Collects or collection means the gathering of any personal information from a child by any means, including but not limited to:

(a)     Requesting that children submit personal information online;

(b)     Enabling children to make personal information publicly available through a chat room, message board, or other means, except where the operator deletes all individually identifiable information from postings by children before they are made public, and also deletes such information from the operator’s records; or

(c)     The passive tracking or use of any identifying code linked to an individual, such as a cookie.

Commission means the Federal Trade Commission.

Delete means to remove personal information such that it is not maintained in retrievable form and cannot be retrieved in the normal course of business.

Disclosure means, with respect to personal information:

(a)     The release of personal information collected from a child in identifiable form by an operator for any purpose, except where an operator provides such information to a person who provides support for the internal operations of the website or online service and who does not disclose or use that information for any other purpose. For purposes of this definition:

(1)     Release of personal information means the sharing, selling, renting, or any other means of providing personal information to any third party, and

(2)     Support for the internal operations of the website or online service means those activities necessary to maintain the technical functioning of the website or online service, or to fulfill a request of a child as permitted by Sec. 312.5(c)(2) and (3); or

(b)     Making personal information collected from a child by an operator publicly available in identifiable form, by any means, including by a public posting through the Internet, or through a personal home page posted on a website or online service; a pen pal service; an electronic mail service; a message board; or a chat room.

Internet means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire, radio, or other methods of transmission.

Online contact information means an e-mail address or any other substantially similar identifier that permits direct contact with a person online.

Operator means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce:

(a)     Among the several States or with 1 or more foreign nations;

(b)     In any territory of the United States or in the District of Columbia, or between any such territory and

(1)   Another such territory, or

(2)     Any State or foreign nation; or

(c)     Between the District of Columbia and any State, territory, or foreign nation. This definition does not include any nonprofit entity that would otherwise be exempt from coverage under Section 5 of the Federal Trade Commission Act (15 U.S.C. 45).

Parent includes a legal guardian.

Person means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity.

Personal information means individually identifiable information about an individual collected online, including:

(a)     A first and last name;

(b)     A home or other physical address including street name and name of a city or town;

(c)     An e-mail address or other online contact information, including but not limited to an instant messaging user identifier, or a screen name that reveals an individual’s e-mail address;

(d)     A telephone number;

(e)     A Social Security number;

(f)     A persistent identifier, such as a customer number held in a cookie or a processor serial number, where such identifier is associated with individually identifiable information; or a combination of a last name or photograph of the individual with other information such that the combination permits physical or online contacting; or

(g)     Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.

Third party means any person who is not:

(a)     An operator with respect to the collection or maintenance of personal information on the website or online service; or

(b)     A person who provides support for the internal operations of the website or online service and who does not use or disclose information protected under this part for any other purpose.

Obtaining verifiable consent means making any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, a parent of the child:

(a)     Receives notice of the operator’s personal information collection, use, and disclosure practices; and

(b)     Authorizes any collection, use, and/or disclosure of the personal information.

Website or online service directed to children means a commercial website or online service, or portion thereof, that is targeted to children. Provided, however, that a commercial website or online service, or a portion thereof, shall not be deemed directed to children solely because it refers or links to a commercial website or online service directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link. In determining whether a commercial website or online service, or a portion thereof, is targeted to children, the Commission will consider its subject matter, visual or audio content, age of models, language or other characteristics of the website or online service, as well as whether advertising promoting or appearing on the website or online service is directed to children. The Commission will also consider competent and reliable empirical evidence regarding audience composition; evidence regarding the intended audience; and whether a site uses animated characters and/or child-oriented activities and incentives.


Note

{§ 312.39 intentionally omitted}


Sec. 312.4 Notice.

(a)     General principles of notice. All notices under Secs. 312.3(a) and 312.5 must be clearly and understandably written, be complete, and must contain no unrelated, confusing, or contradictory materials.

(b)     Notice on the website or online service. Under Sec. 312.3(a), an operator of a website or online service directed to children must post a link to a notice of its information practices with regard to children on the home page of its website or online service and at each area on the website or online service where personal information is collected from children. An operator of a general audience website or online service that has a separate children’s area or site must post a link to a notice of its information practices with regard to children on the home page of the children’s area.

(1)     Placement of the notice. (i) The link to the notice must be clearly labeled as a notice of the website or online service’s information practices with regard to children;

(ii)    The link to the notice must be placed in a clear and prominent place and manner on the home page of the website or online service; and

(iii)   The link to the notice must be placed in a clear and prominent place and manner at each area on the website or online service where children directly provide, or are asked to provide, personal information, and in close proximity to the requests for information in each such area.

(2)     Content of the notice. To be complete, the notice of the website or online service’s information practices must state the following:

(i)     The name, address, telephone number, and e-mail address of all operators collecting or maintaining personal information from children through the website or online service.

Provided that: the operators of a website or online service may list the name, address, phone number, and e-mail address of one operator who will respond to all inquiries from parents concerning the operators’ privacy policies and use of children’s information, as long as the names of all the operators collecting or maintaining personal information from children through the website or online service are also listed in the notice;

(ii)    The types of personal information collected from children and whether the personal information is collected directly or passively;

(iii)   How such personal information is or may be used by the operator(s), including but not limited to fulfillment of a requested transaction, recordkeeping, marketing back to the child, or making it publicly available through a chat room or by other means;

(iv)    Whether personal information is disclosed to third parties, and if so, the types of business in which such third parties are engaged, and the general purposes for which such information is used; whether those third parties have agreed to maintain the confidentiality, security, and integrity of the personal information they obtain from the operator; and that the parent has the option to consent to the collection and use of their child’s personal information without consenting to the disclosure of that information to third parties;

(v)     That the operator is prohibited from conditioning a child’s participation in an activity on the child’s disclosing more personal information than is reasonably necessary to participate in such activity; and

(vi)    That the parent can review and have deleted the child’s personal information, and refuse to permit further collection or use of the child’s information, and state the procedures for doing so.


Note

{§ 312.4(c) intentionally omitted}


Sec. 312.5 Parental consent.

(a)     General requirements.

(1)     An operator is required to obtain verifiable parental consent before any collection, use, and/or disclosure of personal information from children, including consent to any material change in the collection, use, and/or disclosure practices to which the parent has previously consented.

(2)     An operator must give the parent the option to consent to the collection and use of the child’s personal information without consenting to disclosure of his or her personal information to third parties.

(b)     Mechanisms for verifiable parental consent.

(1)     An operator must make reasonable efforts to obtain verifiable parental consent, taking into consideration available technology. Any method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.

(2)     Methods to obtain verifiable parental consent that satisfy the requirements of this paragraph include: providing a consent form to be signed by the parent and returned to the operator by postal mail or facsimile; requiring a parent to use a credit card in connection with a transaction; having a parent call a toll-free telephone number staffed by trained personnel; using a digital certificate that uses public key technology; and using e-mail accompanied by a PIN or password obtained through one of the verification methods listed in this paragraph. Provided that: For the period until April 21, 2005 [extended indefinitely], methods to obtain verifiable parental consent for uses of information other than the “disclosures” defined by Sec. 312.2 may also include use of e-mail coupled with additional steps to provide assurances that the person providing the consent is the parent. Such additional steps include: sending a confirmatory e-mail to the parent following receipt of consent; or obtaining a postal address or telephone number from the parent and confirming the parent’s consent by letter or telephone call. Operators who use such methods must provide notice that the parent can revoke any consent given in response to the earlier e-mail.

(c)     Exceptions to prior parental consent. Verifiable parental consent is required prior to any collection, use and/or disclosure of personal information from a child except as set forth in this paragraph.

The exceptions to prior parental consent are as follows:

(1)     Where the operator collects the name or online contact information of a parent or child to be used for the sole purpose of obtaining parental consent or providing notice under Sec. 312.4. If the operator has not obtained parental consent after a reasonable time from the date of the information collection, the operator must delete such information from its records;

(2)     Where the operator collects online contact information from a child for the sole purpose of responding directly on a one-time basis to a specific request from the child, and where such information is not used to recontact the child and is deleted by the operator from its records;

(3)     Where the operator collects online contact information from a child to be used to respond directly more than once to a specific request from the child, and where such information is not used for any other purpose. In such cases, the operator must make reasonable efforts, taking into consideration available technology, to ensure that a parent receives notice and has the opportunity to request that the operator make no further use of the information, as described in Sec. 312.4(c), immediately after the initial response and before making any additional response to the child. Mechanisms to provide such notice include, but are not limited to, sending the notice by postal mail or sending the notice to the parent’s e-mail address, but do not include asking a child to print a notice form or sending an e-mail to the child;

(4)     Where the operator collects a child’s name and online contact information to the extent reasonably necessary to protect the safety of a child participant on the website or online service, and the operator uses reasonable efforts to provide a parent notice as described in Sec. 312.4(c), where such information is:

(i)     Used for the sole purpose of protecting the child’s safety;

(ii)    Not used to recontact the child or for any other purpose;

(iii)   Not disclosed on the website or online service; and

(5)    Where the operator collects a child’s name and online contact information and such information is not used for any other purpose, to the extent reasonably necessary:

(i)     To protect the security or integrity of its website or online service;

(ii)    To take precautions against liability;

(iii)   To respond to judicial process; or

(iv)    To the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety.

Sec. 312.6 Right of parent to review personal information provided by a child.

(a)     Upon request of a parent whose child has provided personal information to a website or online service, the operator of that website or online service is required to provide to that parent the following:

(1)     A description of the specific types or categories of personal information collected from children by the operator, such as name, address, telephone number, e-mail address, hobbies, and extracurricular activities;

(2)     The opportunity at any time to refuse to permit the operator’s further use or future online collection of personal information from that child, and to direct the operator to delete the child’s personal information; and

(3)     Notwithstanding any other provision of law, a means of reviewing any personal information collected from the child. The means employed by the operator to carry out this provision must:

(i)     Ensure that the requestor is a parent of that child, taking into account available technology; and

(ii)    Not be unduly burdensome to the parent.

(b)     Neither an operator nor the operator’s agent shall be held liable under any Federal or State law for any disclosure made in good faith and following reasonable procedures in responding to a request for disclosure of personal information under this section.

(c)     Subject to the limitations set forth in Sec. 312.7, an operator may terminate any service provided to a child whose parent has refused, under paragraph (a)(2) of this section, to permit the operator’s further use or collection of personal information from his or her child or has directed the operator to delete the child’s personal information.

Sec. 312.7 Prohibition against conditioning a child’s participation on collection of personal information.

An operator is prohibited from conditioning a child’s participation in a game, the offering of a prize, or another activity on the child’s disclosing more personal information than is reasonably necessary to participate in such activity.

Sec. 312.8 Confidentiality, security, and integrity of personal information collected from children.

The operator must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.


Note

{§§ 312.9 to 312.12 intentionally omitted}

