Untitled Document

Asked Questions about the Children’s

Online Privacy Protection Rule

Volume 1

The following FAQs are intended to
supplement the compliance materials available on the FTC’s website. To view
the Rule and the compliance materials, go to www.ftc.gov/kidzprivacy.



1. What is the Children’s
Online Privacy Protection Rule?

The Children’s Online Privacy Protection
Act (COPPA) was passed by Congress in October 1998, with a requirement that
the Federal Trade Commission (FTC) issue and enforce rules concerning children’s
online privacy. The primary goal of the Act and the Rule is to place parents
in control over what information is collected from their children online. The
Rule was designed to be strong, yet flexible, to protect children while recognizing
the dynamic nature of the Internet.

  • The COPPA Rule applies to operators
    of commercial websites and online services directed to children under
    13 that collect personal information from children, and operators
    of general audience sites with actual knowledge that they are collecting information
    from children under 13.
  • Those operators must:

(1) post clear and comprehensive
Privacy Policies on the website describing their information practices
for children’s personal information;

(2) provide notice to parents,
and with limited exceptions, obtain verifiable parental consent
collecting personal information from children;

(3) give parents the choice
to consent to the operator’s collection and use of a child’s information while
prohibiting the operator from disclosing that information to third parties;

(4) provide parents access
to their child’s personal information to review and/or have it deleted;

(5) give parents the opportunity
to prevent further collection or use of the information

(6) maintain the confidentiality,
security, and integrity
of information they collect from children.

  • In addition, the Rule prohibits
    operators from conditioning a child’s participation
    in an online activity
    on the child’s providing more information than is reasonably necessary to
    participate in that activity.

2. Where can I find information
about COPPA?

The FTC has a comprehensive website,
www.ftc.gov, which
has information concerning all the activities of the agency. In the upper section
of the home page is a link that says “Privacy Initiatives.” If you
click on that banner, you will have access to a variety of documents regarding
the Children’s Rule, including the proposed and final Rules, the public comments
received by the Commission in the course of the rulemaking, guides for businesses
and parents, safe harbor applications we’ve received and any public comments
on those applications, notice of any cases brought under the Rule, and announcements
of future activities. Materials concerning general privacy and financial privacy
(including the Gramm-Leach-Bliley rulemaking) are available there as well.

In addition, the FTC has set up a
special web page designed for kids, parents, businesses, and educators at
In addition to providing the Rule and compliance materials for businesses and
parents, this web page features online safety tips for children and other useful
education resources about the Rule and online privacy in general.

All educational materials on our
website are also available free by calling the FTC’s Consumer Response Center’s
toll free number at (877) FTC-HELP.

3. What do I do if I have
questions about the COPPA Rule?

The first thing you should do is
read the educational materials available on our website www.ftc.gov
and through our toll free telephone number (877) FTC-HELP. If you still have
questions, you can email us at kidsprivacy@ftc.gov or contact our Consumer
Response Center at toll free (877) FTC-HELP. The FTC also has an online
form to file complaints or request information at the website.

4. When did COPPA and its
implementing Rule go into effect?

The Act and the Rule went into effect
on April 21, 2000.

5. COPPA applies to “websites
directed to children.” What determines whether or not a website is targeted
to children?

The Rule sets out a number of factors
in determining whether a website is targeted to children, such as its subject
matter, language, whether it uses animated characters, and whether advertising
appearing on the site is directed to children. The Commission will also consider
empirical evidence regarding the ages of the site’s visitors. These standards
are very similar to those previously established for TV, radio, and print advertising.

6. Does COPPA apply to information
about children collected from parents or other adults?

No. COPPA and the Rule only apply
to personal information collected from children, not their parents or other
adults. The Rule’s Statement of Basis and Purpose, however, notes that the Commission
expects that operators will keep confidential any information obtained from
parents in the course of obtaining parental consent or providing for parental
access pursuant to COPPA. See Rule n. 213.

7. Why does
COPPA apply only to children under 13? What about protecting the online privacy
of teens?

Young children may not understand
the safety and privacy issues created by the online collection of personal information,
and are therefore particularly vulnerable. Children under 13 has often been
the standard for distinguishing adolescents from young children who may need
special protections. As a general matter, however, the FTC encourages operators
to afford teens privacy protections, given the risks inherent in the disclosure
of personal information for all ages. The FTC has recommended that Congress
pass legislation to ensure the fair information principles be implemented for
all consumers. In the interim, websites’ information practices are still subject
to Section 5 of the FTC Act, which prohibits deceptive or unfair trade practices.
See July 15, 1997 Staff Opinion Letter to Center for Media Education
for guidance on how Section 5 applies to information practices involving children
and teens.

8. Does the Rule apply to
information collected prior to the its effective date?

No, but if a site collects new information
after the effective date of the Rule, even for existing registrants, they must
comply. For example, if an operator collected a child’s email address prior
to April 21 and now wishes to collect the child’s postal address to send a premium
or prize, the operator must comply with COPPA prior to collecting the mailing

Similarly, if a child registered
at a website prior to April 21, 2000 for an online newsletter and the website
invites the child to sign up for a new chat room, the fact that the child was
already registered with the site does not obviate the need for the operator
to comply with COPPA for purposes of enabling the child to register for the
chat room.

9. Are there any protections
that apply to information collected before COPPA went into effect?

Yes. Although the Rule covers only
information collected after its effective date, previously collected information
is still subject to the protections afforded by Section 5 of the FTC Act. Thus,
if an operator engaged in deceptive or unfair practices when collecting, using
or disclosing information from kids, the operator could face FTC action. See
Staff Opinion Letter to Center for Media Education issued July 15, 1997,
outlining what would be deceptive and/or unfair practices with regard to the
collection and use of children’s information.

10. I know the Rule is triggered
by the collection of personal information from children, but the information
I collect at my site is voluntary and not mandatory. Does the Rule still apply?

Yes. Whether your information collection
is voluntary or mandatory, it still constitutes collection and triggers the

11. Hasn’t the Children’s
Online Privacy Protection Act been declared unconstitutional?

No. The Children’s Online Privacy
Protection Act
(COPPA), has not been challenged and went into effect on
April 21, 2000. Enforcement of the Children’s Online Protection Act
(COPA), which sought to regulate the dissemination of material harmful to minors
on the Internet, was preliminarily enjoined by the U.S. District Court for the
Eastern District of Pennsylvania, ACLU v. Reno, 31 F.Supp.2d 473 (E.D.
Pa.1999). That decision was affirmed by the Third Circuit, 217 F.3d 162 (3d
Cir. 2000). For information on COPA and the work of the Commission on Child
Online Protection, which is studying methods and technologies to help reduce
access by minors to such materials visit www.copacommission.org.

12. Will the COPPA Rule keep
my child from accessing pornography?

No, not directly. COPPA is meant
to give parents control over the collection of their children’s personal
and does not limit children’s access to information publicly
available on the Internet. COPPA may help keep your child off email lists. Information
about COPA, which does address dissemination of pornography to minors, is available
at www.copacommission.org.
If you are concerned about your children accessing pornography or other inappropriate
materials on the Internet, you may want to look for a filtering program
or an Internet Service Provider that offers such tools. Information about such
tools is available at www.getnetwise.org
and www.safekids.com.

Top of Page

13. How will the FTC enforce
the Rule?

The FTC will monitor the Internet
for compliance with the Rule and bring law enforcement actions where appropriate
to deter violations. Parents and others can submit complaints to the FTC through
our website www.ftc.gov
and our toll-free number (877) FTC-HELP. We will also investigate referrals
from consumer groups, industry, and approved safe harbor programs, as appropriate.

14. What are the penalties
for violating the Rule?

Website operators who violate the
Rule could be liable for civil penalties of up to $11,000 per violation.
The level of penalties assessed may turn on a number of factors including egregiousness
of the violation, e.g., the number of children involved, the amount
and type of personal information collected, how the information was used, whether
it was shared with third parties and the size of the company.

15. Do the states or other
government agencies have jurisdiction over this issue?

Yes. COPPA also gives states and
certain federal agencies authority to enforce compliance with the Act with respect
to entities in their jurisdiction. For example, the Office of the Comptroller
of the Currency will handle compliance by national banks and the Department
of Transportation will handle air carriers.

16. Have any cases ever been
brought for deceptive collection of online information from children?

Yes. Even prior to COPPA, the FTC
brought enforcement actions in this area under Section 5 of the FTC Act. In
the agency’s first Internet privacy case, Geocities agreed to settle charges
of deceptively collecting personal information from children and adults. Geocities,
FTC Dkt. No. C-3849 (Feb. 12, 1999). The Liberty Financial
case involved the “Young Investors” website which deceptively promised
to maintain only anonymous information from children and teens. Liberty
Financial Companies, Inc.
, FTC Dkt. No. C-3891 (Aug. 12, 1999).
In Toysmart, the FTC alleges that the defendants collected personal
information from children without obtaining prior parental consent in violation
of COPPA, 16 C.F.R. ? 312.5(c)(2). FTC. v. Toysmart.com LLC and Toysmart.com,
, No. 00-11341-RGS, (D. Mass. filed July 10, 2000, amended July 21,
2000). Commission cases are available on its website via the Privacy Initiatives
link from the home page or via its search engine.

17. What do I do if my site
isn’t in compliance with the Rule?

If you are not collecting any personal
information from children, then you are not subject to the Rule. So the quickest
thing to do until you can get your site into compliance is to stop collecting
personal information from children under 13. In fact, many sites that we have
talked to have realized that collection of such information is not necessary.

Then, review your website, your privacy
policy, and the Rule carefully. The materials on the Commission’s website can
provide you with helpful guidance. Take a close look at: what information you
collect; how you collect it; how you use it; whether the information you seek
to collect is necessary for the activities on your site; whether you have adequate
mechanisms for providing parents with notice and obtaining consent; and whether
you have adequate methods for parents to review their children’s information
and for verifying that the people requesting access to kids’ information really
are their parents.

18. Are websites run by nonprofit
entities subject to the Rule?

The Act and the Rule expressly state
that they apply to commercial websites and not to nonprofits that would
otherwise be exempt from coverage under Section 5 of the FTC Act. Thus, in general,
most non-profits are not subject to the Rule. However, nonprofits that operate
for the profit of their for-profit members may be subject to the Rule. See
FTC v. California Dental Association
526 U.S. 756 (1999), for additional
guidance on when nonprofits are subject to FTC jurisdiction. Although true nonprofits
are not subject to COPPA, we encourage them to set an example by posting privacy
policies and providing the protections set forth in COPPA to children providing
personal information at their sites.

19. Does COPPA apply to websites
operated by the Federal Government?

It is federal policy that all Federal
websites and contractors when operating on behalf of agencies comply with the
standards set forth in COPPA. See www.whitehouse.gov/OMB/memoranda/m00-13.html

20. The Internet is truly
a global medium. Do websites set up and run abroad have to comply with the Rule?

Yes. Foreign-run websites must comply
with COPPA if they are directed to children in the U.S. or knowingly collect
information from children in the U.S. For example, foreign-run kid-oriented
websites would be subject to COPPA if they advertised in offline media in the
U.S. or on popular U.S. websites. The Rule’s definition of an “operator”
– who is subject to the Act – includes foreign websites that are involved in
commerce in the United States or its territories.

of Page

21. My site does not collect
any personally identifiable information. Do I still need to post a privacy policy?

No. COPPA only applies to those websites
that collect personal information from children. However, the FTC recommends
that all websites post privacy policies, so visitors have an easily
recognizable place to go to find out about the operator’s information practices.
Surveys show that most parents are uncomfortable with their children giving
out any personal information on the Internet, so as a practical matter, parents
will be pleased to read your privacy policy and find out quickly that you do
not collect personally identifiable information.

22. What information must
I include in my privacy policy and in the direct notice to parents?

The Rule identifies the information
that must be disclosed in the privacy policy and in the direct notice
– the notice sent directly to the parent. See ?312.4(b) for information
regarding the content of the privacy policy and ?312.4(c) for information regarding
the content of the direct notice to the parent. Remember, that in addition to
including the content required in the privacy policy, the direct notice to parents
needs to tell the parent that you wish to collect personal information from
the child, that consent is required for you to do so, and how the parent may
provide consent. The Rule also requires that the privacy policy be posted clearly
and prominently on the home page and that a hyperlink to the policy be provided
at each area where personal information is collected.

23. Do I have to disclose
my use of cookies, GUIDS, IP addresses, or the use of other passive information
collection technology?

Yes, when such information is combined
with “personal information.” The Rule defines personal information
to include individually identifiable information about an individual collected
online, including any persistent identifier that is tied to identifying information.
Where such passive forms of information collection are tied to identifying information,
including a persistent identifier that can be used to identify, contact, or
locate an individual, then it is considered personal information under the Rule.

24. Can I include in my privacy
policy materials promoting products, services, and/or websites of mine and my

No. The Rule requires that privacy
policies must be “clearly and understandably written, be complete, and
contain no unrelated, confusing, or contradictory materials.” See
?312.4(a). The more complicated and confusing a policy is, the more likely it
will be that parents won’t understand or even read the policy. And remember,
parents who find your policy confusing or difficult to comprehend may be less
likely to grant you consent.

25. I run a general audience
site, but I offer a specific children’s section. Is it acceptable for me to
structure my privacy policy so that information about my children’s practices
and non-children’s practices are mixed in together, or do I have to have a separate
privacy policy about my practices with respect to children?

In the commentary of the Final Rule,
the Commission noted that “[o]perators are free to combine the privacy
policies into one document, as long as the link for the children’s policy takes
visitors directly to the point in the document where the operator’s policies
with respect to children are discussed, or it is clearly disclosed at the top
of the statement that there is a specific section discussing the operator’s
information practices with respect to children.” 64 Fed. Reg. 59894 at
n.98. In addition, the link for the privacy policy pertaining to the children’s
area must appear on the home page of the children’s area and at each area where
personal information is collected from children. Sites may also wish to post
it as part of their general privacy policy.

26. Is it okay for the link
to my privacy policy to be at the very bottom of my home page?

As long as the link is “clear
and prominent” it is okay to have it at the bottom of the home page. The
Rule requires that the link to your privacy policy “be placed in a clear
and prominent place and manner on the home page of the website or online service”
and at each area where children provide, or are asked to provide, personal information.
See ??312.4(b)(1)(ii) and (iii). In its explanation of this requirement,
the Commission noted that “‘[c]lear and prominent’ means that the link
must stand out and be noticeable to the site’s visitors through use, for example,
of a larger font size in a different color on a contrasting background. The
Commission does not consider ‘clear and prominent’ a link that is in small print
at the bottom of the page, or a link that is indistinguishable from a number
of other, adjacent links.” 64 Fed. Reg. 59894.

27. When I send the notice
to parents, can I simply email them a link to the privacy policy?

Yes. You may send your direct notice
to parents via email, and you may include in that email a link to your privacy
policy. Remember that the direct notice to the parent also needs to tell the
parents that you wish to collect personal information from the child, that the
parent’s consent is required for you to do so, and how the parent may provide

It is also important to remember
that the notices must not contain unrelated, confusing, or contradictory information.
For example, your notice to parents may not include so much additional information
that the message about needing consent or the link to the privacy policy is

28. Do I have to list the
names, addresses, phone numbers, etc. of all of the operators at my site? This
will make my privacy policy very long and confusing.

Under the Rule, if there are multiple
operators collecting information through your site, you may list the name, address,
phone number, and email address of one operator who will respond to
all inquiries from parents regarding all of the operators’ privacy policies
and uses of children’s information, as long as the names of all the
operators are also listed in the notice. See ?312.4(b)(2)(i).

If you wish to list the contact information
of all the operators but still keep your privacy policy and notice simple, you
can include a link in the privacy policy or notice to the list of operators.
Just make sure that when you send the notice to parents to request consent,
they can access that list.

of Page

29. When do I have to get
verifiable parental consent?

The general rule is that an operator
must obtain verifiable parental consent before collecting personal information
from a child unless the collection fits into one of the exceptions for the collection
of online contact information. As described below, the method for obtaining
such consent will vary with the use of the information.

30. Can I first collect information
from children and then get consent from parents as long as I don’t use the information
until I get consent?

In most cases, no. COPPA clearly
states that operators must get verifiable parental consent before collecting
personal information from children under 13. There are several exceptions to
this requirement which allow an operator:

(1) to collect a child’s name and parent’s email address for purposes of providing the required notice and obtaining consent;

(2) to collect a
child’s email address to respond once to a specific request from a child, as long as the email address is deleted immediately after responding;

(3) to collect a child’s email address to respond more than once to a specific request of a child (ie, requesting a subscription).

Source: FTC