In 1998, Congress passed the Children's Online Privacy Protection Act (COPPA) to protect children's personal information in interactions with commercial Web sites. On October 20, 1999, the Federal Trade Commission (FTC) issued a final Rule implementing the Act. The Rule will go into effect on April 21, 2000 and applies to personal information collected online from that date forward. http://www.ftc.gov/os/1999/9910/childrensprivacy.pdf

In general, COPPA:

• requires commercial Web sites and online services directed at children 12 and under, or which collect information about age, to provide parents with notice of their information practices and obtain parental consent prior to the collection of personal information from children; and,
• requires such sites to provide parents with the ability to review and correct information about their children collected by such services.

In addition to protecting children's privacy, the Act sought to ensure that children's ability to speak, seek out information, and publish would not be adversely effected.

The FTC was required to adopt a rule to implement COPPA.

CDT believes that the final Rule has been modified to address many of our initial concerns, and is likely to achieve a sound implementation of COPPA. The final Rule clarifies issues of coverage and liability, and hopefully will create a predictable and understandable environment for the protection of children's privacy online. In particular, the final Rule modifies several definitions that would have interfered with children's' ability to participate, speak, and request information online. See CDT's comments. http://www.FTC.gov/privacy/comments/supplementalcdtacluala.htm

http://www.FTC.gov/privacy/comments/cdt.htm

In our comments on the proposed Rule, CDT urged the FTC to ensure that the final Rule regulated the collection of personal information, not children's interactions, clearly identify the Act's scope and coverage, and, to the extent possible, look to online mechanisms to meet the needs of those with rights and obligations under the Act. The final Rule evidences the FTC's understanding of the medium and shows that the Commission is able to wrestle with the task of applying a complex law to an equally complex medium. We commend the FTC for its effort.

The FTC made important changes to the Rule that we are hopeful will preserve children's ability to communicate. By allowing child-oriented Web sites to offer "chat" and other such offerings without parental consent, as long as personal information is stripped out before communications are publicly displayed, the Rule preserves the ability of Web sites to continue to offer children communication opportunities while protecting their safety and privacy.

We will monitor the implementation and enforcement of the Rules to ensure they meet the goals of the Act.

COPPA's requirements apply to commercial web sites and online services directed at children twelve and under, and those general audience Web sites that have actual knowledge they are dealing with a child. To ensure children could communicate online, the law carves out three exceptions to the parental consent requirement, allowing children:

1. to ask questions via email without any parental involvement;
2. to sign up for an ongoing newsletter as long as their parent is notified and can cancel it; and,
3. to engage her activities the FTC finds necessary.

The proposed Rule, issued in April, raised additional concerns about children's ability to speak online. Under the proposed rule, the FTC defined the word "collection," which was not defined in the law, and expanded the definition of the word "disclosure." The impact of these two changes was to equate the possibility that a child might disclose personal information with the intentional collection of information by a Web site. This would have undermined children's ability to communicate and created a strict liability standard for all commercial Web sites that provide opportunities to communicate -- both child-oriented and general audience sites. The final Rule narrows and clarifies the definitions in response to our concerns.

• Email accounts

The "Statement of Basis and Purpose" issued in conjunction with the Rule states, "to the extent that operators who provide email accounts keep records of email addresses they have assigned, along with any associated information, those operators can be considered to have `collected' those email addresses under the Act," thereby triggering the parental consent requirement. Therefore, under the Rule, child-directed Web sites that provide email accounts must obtain parental consent prior to issuing a child an email account. They must use the more cumbersome methods of fax-back, postal mail, 1-800 numbers, credit card verification, digital certificates, or email combined with a password issued through one of the other verifiable methods.

General audience Web sites do not need to comply with the Act when issuing email addresses -- even though a child may use the account to provide personal information about themselves to others. If a general audience Web site has actual knowledge that the individual seeking the account is a child, it must comply with the Rule.

• Chat

Child-directed Web sites offering chat have two options under the Rule:

1. they can ensure that personal information is stripped from children's messages, and deleted from the site's records, prior to their posting; or
2. they can obtain parental permission via fax-back, postal mail, 1-800 numbers, credit card verification, digital certificates, or email combined with a password issued through one of the other verifiable methods.

Thus, if a child-oriented Web site offers monitored chat, children can participate without parental consent. General audience Web sites can be found liable only if they have actual knowledge that postings are being made by a child, and based on that knowledge fail to comply with the steps outline in (1) above.

• Publishing -- Editorials, Web sites, etc.

The rule for chat would appear to apply here also.

• Email questions and comments

Under the Rule, children can send an email requesting information and a child-oriented Web site can respond without triggering the parental consent requirement as long as the site deletes the child's email address and does not use it for other purposes. General audience Web sites are only impacted if they have actual knowledge they are dealing with a child.

• Subscriptions (email or other)

A child-oriented Web site can, at the child's request, send multiple emails or other communications, as long as an attempt is made to notify the parent and the parent is able to refuse future contacts with the child.

• Child-directed Web sites

COPPA places requirements on child-directed Web sites and those with actual knowledge they are dealing with a child. In our comments, CDT requested that the final Rule provide greater clarity about when and how obligations under the Act are triggered. Due to the broad diversity of players, we wanted to ensure that there would be limited, if any, uncertainty about who and what was covered. Both under, and over, compliance could have negative impacts -- young children's information could be collected in violation of the law, or older minors, who were not covered by the bill, could have their access to information and privacy unintentionally infringed.

Under the final Rule, the FTC maintains the flexibility to consider a variety of factors in determining whether a site is "directed to children." The FTC clarified that the "overall character of a site -- and not just the presence or absence of one or more factors" -- will be examined. The fact that the FTC will look at the overall character of a site is critical. We hope that the FTC will provide guidance through self-assessment tools, bright-line rules (where possible), and illustrative examples to assist Web sites in understanding the application of COPPA to their activities.

• Conduits

The final Rule clarifies that the law does not cover mere conduits.

In its discussion of the proposed Rule, the FTC expressly drew a critical distinction between "conduits" and "operators." The discussion stated: "Where the website or online service merely acts as the conduit through which the personal information collected flows to another person or to another's website or online service, and the website or online service does not have access to the information, then it is not an operator under the proposed Rule." However, the proposed Rule was in tension with this statement. The problem arose in two specific definitions found in the proposed Rule: that of "disclosure" and "collect." Separately, either definition could have been read to mean that the mere provision of communications capability (even if the operator of the service did not collect information) could trigger the requirements of the law.

The final Rule changed the definition of both terms. Under the Rule, a child can participate in "chat" (or other communication services) at child-oriented Web site without parental consent if it is monitored to ensure that personal information is removed prior to posting. General audience Web sites can only be found to have "collected" information triggering the law if they have actual knowledge that postings are being made by a child, and based on that knowledge fail to remove them. (See above for more detail.)

In our comments on the proposed Rule, CDT urged the FTC to the extent possible to use the Internet itself to guide the implementation of the Rule. Specifically we urged the FTC, to the extent possible, to encourage use of the Internet in meeting parents' rights to access, to object, and to grant or deny consent. We also encouraged the FTC to use the Internet to enhance understanding about the application and requirements of COPPA through tutorials, self-assessment tools, and other guidance materials. Acknowledging that there were difficult issues to be resolved, we argued that all parties should strive to find workable online tools to meet the communication needs of the law.

The Rule adopted a sliding scale approach to implementing "verifiable parental consent" and set up an early review to assess it. If a Web site intends to use information internally, it may use email accompanied by additional steps to assure a parent is consenting. If a Web site intends to disclose information to other parties, or allows for communication functions that are not monitored to removed personal information before it is posted, then consent must be obtained through postal mail, fax, credit card authorization, phone, or digital signatures. The FTC stated that the added risk to children's safety in these cases requires a heightened assurance that a parent has in fact consented.

The Rule modified the mechanisms for providing parents with access to information collected from their child. Under the Rule a parent can gain access to the general categories of information collected without providing any proof of identification. CDT had suggested that this would limit the collection of information about parents and promote greater openness about the kinds of information collected at Web sites. However, to gain information provided by their child, parents must use one of the mechanisms for obtaining "verifiable parental consent" outlined above.

The passage of the Children's Online Privacy Protection Act (COPPA) was a watershed event. This rulemaking is the first effort by a federal agency to implement rules specifically for the Internet environment. In many ways, COPPA is the test bed for whether government intervention can be successful in the online environment. CDT is hopeful that the Rule will lead to a predictable and understandable framework that will protect children's privacy, address parents' concerns, and provide businesses with clarity as to their obligations. The successful implementation and enforcement of the COPPA will have an impact on the future of privacy protections, free speech, and commerce on the Internet. We look forward to continuing our work with the FTC and the Congress to ensure privacy is protected in the Digital Age.

Free Speech | Data Privacy | Government Surveillance | Cryptography | Domain Names | International | Bandwidth | Security | Internet Standards, Technology and Policy Project | Terrorism | Authentication | Right to Know | Spam

Our Mission / Get Involved / Staff / Publications / Links / Search CDT / Jobs / Action! Previous Headlines | Legislative Tracking | CDT's Privacy Policy