The Children's Online Privacy Protection Act

THE CHILDREN’S ONLINE PRIVACY PROTECTION ACT

IVAN HOFFMAN, B.A., J.D.

On April 21, 2000, the Children’s Online Privacy Protection Act (“the Act”) went into effect. If you are a web site operator who has a site that is directed toward children covered by the Act, or if you are a web site designer building or host hosting such a site, you must be familiar with the legal provisions and ramifications of the Act.

To determine whether a web site is directed to children, defined as being 13 years old and younger, the Federal Trade Commission, the governmental body in charge of enforcement, looks at several factors as to the site, including:

the subject matter;
the visual or audio content;
the age of models on the site;
language;
whether advertising on the site is directed to children;
information regarding the age of the actual or intended audience; and
whether a site uses animated characters or other child-oriented features.

By these standards, the Act deals with sites that either actively cater to children or who have actual knowledge that children come to the site. Thus, if your site fits into these categories or others and also collects information about children, you are subject to the Act’s provisions and failure to comply with those provisions can subject you to rather substantial penalties. Indeed, it would be very prudent for you to comply with the applicable provisions of the Act’s requirement even if your site is even likely to attract children whether or not you actively promote the same. It would appear that if your site even features advertising that is directed toward children that the site then falls within the scope of the Act.

To determine whether you are an “operator” of the site, the FTC considers the following factors, among others:

who owns and controls the information;
who pays for the collection and maintenance of the information;
what the pre-existing contractual relationships are in connection with the information; and
what role the web site plays in collecting or maintaining the information.

Therefor, if your site collects information about children (see below) and you are deemed to be the “operator” of the site, you may be liable for compliance under the Act.

And while these provisions may not appear to apply directly to web designers, in the web design/client relationship there may be an implication that the designer should be held to know about such laws and failing to include the appropriate provisions to make the site comply with the Act may subject the designer to liability as to the client. The same would apply to the client/host relationship and the host should have these same kinds of legal protections from the site. Thus, designers and hosts should be examining their written contracts with their respective clients to make certain that the burden of compliance does not fall on the designer’s or host’s shoulders.

What Kind of Information Is Covered By The Act?

The Act is designed to protect children from certain personal information gathering procedures without parental consent. Thus, if your site collects information such as names, addresses, phone numbers, email addresses and other information from which a child’s identity can be determined, either online or offline, the Act applies to your site. But the Act also applies to information such as about hobbies, interests and information collected through cookies or other types of tracking mechanisms if those mechanisms can be tied to individually identifiable information.

What Must the Site Owner Do To Comply?

If the Act applies to your site, you must post a link to a notice of your site’s information practices on the home page of your site and at each area where the site collects the above information from children. If you run a site that is more of a general audience site but which has a separate area that targets children, you must post a link to your privacy notice on the home page of the children’s area.

The link to this notice must be “clear and prominent.” And the FTC guidelines suggest that you may want to use a larger size font or different color type on a contrasting background and it specifically states that merely having a link at the bottom of the page is not sufficient.

The notice must contain:

the name and address of all the operators of the site;
the kinds of information being collected and how it is being collected;
how the operator intends to use the information;
whether the operator provides this information to third parties and information about those third parties and how they intend to use the information;
a notice to parents that they have the right to allow the collection of the information by the operator but not by third parties; and
that the parent can review the child’s information and ask to have it deleted.

There are other provisions that must be included in the notice as well.

One of the key parts of the Act is that the operators must provide a written procedure for a notice sent directly to the parents and for the parents to actively consent, in writing, to the collection of this information prior to the information being collected. The site operator must notify a parent in the form of an email, postal mail, fax and in other similar ways set forth in the regulations and the operator must then get a “verifiable parental consent” to the entire process. During an interim period, there are specific regulations about how this consent is to be obtained based upon how the information is going to be used. The more public the use of the information, the more stringent are the requirements for consent. And there are regulations that specify what “verifiable” means in the context of the Act.

In the event the site changes how the information is collected, used or disclosed, a new, verifiable parental consent must be obtained and, of course, the written policy must be changed on the site.

At any time, the parent can revoke any previously granted consent either to the collection of information or to its use. Thus, if you disseminate this information to third parties, you must have a corresponding procedure to have such third parties delete any information so requested to be deleted by the parent.

Conclusion

The above discussion is not intended to be exhaustive of the Act’s scope nor its requirements and you should consult with an experienced Internet law attorney to advise you about how the Act may apply to your site.

Given the potential severity of the impact on children as well as the significant legal liability to which the site may be exposed by failure to comply, you as a site owner are well advised to seek appropriate legal advice.

****************

This article is not intended as a substitute for legal advice. The specific facts that apply to your matter may make the outcome different than would be anticipated by you. You should consult with an attorney familiar with the issues and the laws. **************** No portion of this article may be copied, retransmitted, reposted, duplicated or otherwise used without the express written approval of the author.

FOR MORE INFORMATION:

MAIL

Where Next?

Ivan Hoffman Attorney At Law || More Helpful Articles For Writers and Publishers|| More Internet and Electronic Rights Articles|| More Articles About Privacy || More Articles for Web Site Designers and Site Owners || Home