Privacy Law and Policy Reporter
The United States’ often erratic mix of privacy laws expands to cover children from April 2000 when the Children’s Online Privacy Protection Act 1998 (COPPA, at 15 USC 6501 et seq) comes into force. In October 1999, the Federal Trade Commission (FTC) issued regulations (FTC rule 312 under the Federal Register) which spell out the detail of how website operators must comply with the COPPA and how it will be enforced. The main purpose of the COPPA is to require all commercial websites that knowingly collect information from children under the age of 13 to obtain consent from the children’s parents. In addition, the legislation establishes requirements for notice, rights to access personal information, and rights to prevent further use of the information by other parties. It also establishes a general limitation on the collection of personal information from children to what is reasonably necessary. In overall terms, COPPA is one of the most comprehensive pieces of national privacy legislation to be enacted in the US.
COPPA was a response to rising concerns in the US about the collection of information from children on websites. The FTC initiated a three year effort to identify and educate industry and the public about the issues raised by the online collection of personal information from children and adult consumers. The FTC pushed for legislation following a March 1998 survey of 212 commercial children’s websites which showed that only 24 per cent posted privacy policies and only 1 per cent required parental consent to the collection or disclosure of children’s personal information. The legislation itself was signed into law on 21 October 1998 and the FTC was given a one year deadline to issue rules to implement its privacy protections. The FTC’s rules were finalised after consultation during 1999, including receiving 145 comments from business, privacy and consumer groups and technology companies.
COPPA and the FTC rules have most of the features of general private sector privacy legislation: requirement of notice, clear requirements for consent, rights to access and alter information and control its use, limitations on collection and security requirements. An interesting feature of the FTC regulations is the extent to which they do grapple with making the basic privacy principles work. In fact, as a package, the legislation and the rules have relatively little of the vagueness which can often be found in privacy laws. This perhaps reflects the very specific issues which it targets (online activities and children only) but it also reflects a serious intent on the part of US lawmakers.
Both the legislation and the FTC rules are quite stringent in their requirement that companies give notice of their information practices. The websites are required to place a link to a statement about their information practices on their websites in ‘a clear and prominent place and manner on the home page of the website or online service’: 312.4(b)(1)(ii). The FTC has said that the link must stand out and be noticeable to the site’s visitors such as by using a larger font, different colour or contrasting background. The FTC has made it clear that it will not accept a link which is in small print at the bottom of the home page or that is indistinguishable from other adjacent links. The link must also be placed ‘at each area on the website or online service where children directly provide or are asked to provide personal information and in close proximity to the requests for information in each such area’: 312.4(b)(1)(ii). The notice itself must state the name and contact information of all operators, the types of personal information collected from children, how such personal information is used and whether personal information is disclosed to third parties.
In addition to these general notice requirements, the information statement must make it clear that the operator is not allowed to require that a child give more personal information than is reasonably necessary as a precondition for the child participating in an activity. It must also indicate that parents can review and have deleted their child’s personal information and can refuse to permit further collection or use of the child’s information.
One of the most debated features of privacy laws and codes in recent years has been how to interpret and enforce the notion that companies must obtain genuine consent from consumers for their collection and use of personal information. This issue was particularly controversial with COPPA, as the consent needed to come not from the person disclosing the information — that is, the child — but from a parent. The COPPA statute requires ‘verifiable parental consent’ which is defined as ‘any reasonable effort (taking into consideration available technology) ... to ensure that a parent of a child ... authorises the collection, use and disclosure’ of a child’s personal information: 15 USC 6501(9). The FTC rules have set out in more detail how this requirement for verifiable parental consent will work.
The FTC is requiring what it describes as a ‘sliding scale’ approach. For the first two years, if an operator is only using information to communicate directly back to a child, it will be acceptable to receive parental consent through email, so long as additional steps are taken to ensure that the parent is providing consent. These steps include sending a delayed confirming email to the parent or obtaining a postal address or telephone number from the parent and confirming the parent’s consent by letter or telephone call. Where there is a higher risk to children’s privacy, such as if information is disclosed to third parties or being made available through chat rooms and billboards, the FTC will require ‘more reliable’ methods of consent, including a ‘print and send’ form returned via post or facsimile, use of a credit card or toll free telephone number, digital signature or email accompanied by a PIN or a password.
The detail of the FTC rules demonstrates how seriously the consent issue can be thought through when there is the legislative will to do it. The rules also require that if there is a material change in the operator’s collection, use or disclosure practices, the operator must go back to the parent to get consent to cover this new usage. Consent for disclosure to third parties is also separate from the consent for the initial collection and use of the information, and parents must explicitly give consent for third party disclosure before it is allowed.
Website operators must give parents access to information on their children at their request. This does not impose a requirement to retain the information if they would not otherwise keep it; however, if the information is held it must be fully accessible to the parent. Parents can also refuse to permit further use or further collection of information from their child. Parents are not able, however, to make changes to information which their child has provided.
The FTC has stated that websites should not collect more information from children than is reasonably necessary to provide their service. Operators are not permitted to require anything more than what is necessary for children to participate in activities such as games or prize offerings.
The FTC rules include the standard privacy requirement of maintaining reasonable procedures to protect the confidentiality, security and integrity of personal information which has been collected from children.
In overall terms, COPPA represents a substantial and serious effort to provide privacy protection. From an outsider’s point of view it is simply strange that US citizens are left with such lopsided privacy safeguards — once an individual turns 13, they lose their privacy rights. There are of course particular sensitivities relating to the vulnerability of children, but the overall outcome of a specific and quite detailed law alongside a generally unregulated market of enormous flows of personal information is strikingly inconsistent. Clearly the American legislature can implement detailed privacy legislation when it wants; for example, the FTC rules make it clear that they do apply to network advertising companies which provide banner ads on websites and collect personal information in situations where the ads are on websites aimed at children and it is clearly likely to be a child who is clicking on the ads. Likewise, in relation to cookies, the FTC has stated that if an operator collects individually identifiable information using a cookie or collects non-individually identifiable information using a cookie but combines it with an identifier, then the cookie operator is collecting personal information and must comply with the rules.
Nevertheless, there are exceptions to the application of COPPA’s rules. Five exceptions are allowed:
The legislation still gives some scope for self-regulation by allowing operators of industry groups to form ‘safe harbours’ in which the FTC would approve a self-regulatory set of rules which still achieve the purposes of the Act. The FTC would still need to approve these guidelines, but they would allow greater flexibility to take into account industry specific concerns and technological developments. However, the FTC can still pursue an enforcement action if those guidelines are breached.
COPPA’s coverage extends beyond sites which are exclusively aimed at children — it covers all operators who have actual knowledge that they are collecting personal information from children. This may involve some interesting dilemmas for website operators; for example, if the operator of a general audience chat site has actual knowledge that a child is posting personal information on the site then they must comply with the Act, but if they do not monitor the chatroom, the operator is not likely to have the requisite knowledge under the Act and it would not apply. Once a website operator is aware that a child is providing personal information on their website, they need to either strip any posting of individually identifiable information before it is made public, or comply with the requirements of the Act to provide notice and obtain consent.
In time, the Children’s Online Privacy Protection Act might be seen as one more law sewed onto the patchwork of privacy protection in a country which gives better protection for people’s video rental records than their personal health files. On the other hand, it may be seen as one more step in a slow progression towards a more comprehensive set of online privacy safeguards. There is growing reason to suspect that the latter may be the case, and that it could come sooner rather than later.
Tim Dixon is an Associate at Baker & McKenzie in Sydney and Chairman of the Australian Privacy Foundation.