The Basic Requirements
A privacy policy tells
the visitor about the information collection practices of
the website. For sites that are covered by COPPA, the
policy must explain what types of personal information are
collected, how it is collected, and how the website will
use the information. It also needs to tell the visitor
whether the website gives the personal information to
anyone else. If so, the policy must identify the third
parties and tell the visitor how the third parties will in
general use the information. The privacy policy must be
placed where it can be found easily, and it must be
written so that the average person can understand what it
says.
Location
To comply with the
Rule, a website directed to children must put the link to
its privacy policy in a clear and prominent place on the
home page and at every area on the website where children
are asked to provide personal information. The links to
the privacy policy also must be close to the requests for
information.
General audience websites with separate children's areas must post a clear
and prominent link on the home page of the children's
area, as well as at every area where personal information
is collected from children. A general audience website is
not required to have a separate privacy policy for its
children's area, and may combine its general audience and
children's privacy policies into one document. However, a
website without a separate privacy policy for its
children's area should clearly disclose at the top of its
privacy policy that a specific section discusses the
site's information practices with respect to children. A
general audience site also can link from the children's
area directly to the part of its privacy policy that
pertains to children.1
Clear and Prominent Links
The Rule requires that
the link to the privacy policy be placed in a clear and
prominent place on the home page and everywhere that
children provide - or are asked to provide - personal
information.2 "Clear and prominent" means that the link
stands out and is noticeable to visitors through the use
of different type sizes, different fonts, different
colors, or contrasting backgrounds. A link that is in tiny
print at the bottom of the home page - or one that is
indistinguishable from adjacent links - is not considered
clear and prominent.3
Clear Labels
The link must be
labeled clearly, which allows the visitor to know the link
goes to the site's privacy policy and a description of its
information collection practices. For example, a link that
says Privacy Policy, Privacy Statement or Information
Collection Practices Statement is considered to be labeled
clearly. Links labeled Important Information, Legal Notice
or Note to Parents would not be as effective in letting
the visitor know that a click would take him or her to the
site's privacy policy.
Location: The Basics
- Place a link to the privacy policy on the website's homepage - or on the homepage of the children's area of a general audience site.
- Place a link to the privacy policy close to all areas where personal information is collected from children.
- Make the link to the privacy policy "clear and prominent."
- Label the link clearly so visitors know it goes to the website's privacy policy.
Content
A privacy policy tells
visitors about the types of information the website
collects, how the site handles the information, and
whether the site gives the information to anyone else. The
Rule requires that the privacy policy be clear and
understandable. The policy must give a complete
description of the site's information practices; it must
not contain confusing or contradictory information.
The privacy policy
plays a very important role in a parent's decision to
agree to a website's request for information from their
children. One that is clearly written, easy to understand,
and full of relevant information helps parents make an
informed decision.
To be COPPA-compliant,
a privacy policy must contain the following information:
- Contact information,
including the name, mailing address, telephone number, and
email address of all operators collecting or maintaining
personal information from children through the website.
This requirement lets parents know who will see and use
their children's personal information; it gives them the
information they need to get in touch with the operators
who collect or maintain their children's personal
information.
According to the Rule,
if several operators are collecting information through
the website, the site operator may list the name, address,
phone number, and email address of one operator who will
respond to all inquiries from parents about the operators'
privacy policies and uses of children's information - but
only if it makes the names of all the operators available,
either by listing them in the policy or linking to them
from the policy.4
- What types of
personal information are collected, and how. Website
operators should be specific enough about the types of
personal information they collect from children to allow
parents to make an informed decision about whether to
agree to the collection and use of the information. A
policy that uses descriptors like name, address, telephone
number, hobbies, gender, and age tells parents exactly the
types of personal information that the website collects
from children. A privacy policy that notes it collects
"contact information" gives parents no idea whether the
website is collecting an email address or a home telephone
number.
In addition, the
privacy policy must state whether personal information is
collected actively or passively. Active collection
includes registration forms and email newsletter sign-up
boxes. Passive collection includes the use of cookies or
other identifiers when the information is combined with
"personal information."5
- How the website will
use the personal information. The privacy policy should
state if the personal information is to be used to fulfill
a requested transaction, keep records or market back to
the child. For example, it should explain that email
addresses are used to send weekly newsletters, or that a
mailing address is used to send a prize or magazine
subscription or fulfill another request.
In addition, the
privacy policy must state whether the website offers
activities that allow the child or the site to disclose
the child's personal information publicly - for example,
through chat rooms, message boards or email accounts.
If the website shares
personal information with third parties, the privacy
policy must explain the types of businesses the third
parties are in and the general purposes for which they
will use the information. The privacy policy also must
tell the visitor whether the third parties have agreed to
maintain the confidentiality, security and integrity of
the personal information they obtain from the website
operator.
Third Parties
The Rule defines a
third party as a person who is not an operator of the
website or who does not provide support for the internal
operations of the website.7
If the website is
sharing the personal information with a company or person
whose only role is to provide support for the internal
operations of the website - like a fulfillment house or a
shipping company - the disclosure of the personal
information is not to a "third party" and does not have to
be spelled out in the privacy policy. The Rule
specifically defines "third party" to exclude people who
provide internal support. These providers are obligated to
use the personal information only to carry out their
specific obligations. They cannot use the information for
any other purpose.
Whether an "affiliated
or related company" is considered a third party and
triggers the third-party disclosure requirements depends
on the affiliated or related company's relationship to the
personal information. If the affiliated or related company
is an operator of the website because it collects personal
information on the site, or because personal information
is being collected on its behalf, it is not considered a
third party. Rather, it is considered an operator - and
subject to the Rule. If the affiliated or related company
is not an operator and isn't providing internal support
services, it is considered a third party. The privacy
policy must tell parents about the sharing of personal
information with this affiliated or related company and
must give parents the choice to allow the disclosure of
information - or not.
The Ban on Conditioning Participation on Information Collection
The Rule prohibits
website operators from conditioning a child's
participation in an activity - like a game or prize offer
- on the child's disclosure of more personal information
than is reasonably necessary to participate in the
activity. This provision prevents tying personal
information from children to popular and persuasive
incentives like games and prizes, and preserves a child's
access to such activities. For example, to send a child a
prize, it is reasonably necessary for a website to collect
the child's mailing address. Asking the child for a postal
or mailing address when offering an email newsletter would
not be reasonably necessary. The Rule requires that
privacy policies state this prohibition explicitly.
Parental Rights
The privacy policy must
state that a parent can review the child's personal
information, have it deleted, and refuse to allow the
further collection or use of the child's information - and
explain the procedures for doing so. For example, the
privacy policy could provide contact information, like an
email address or toll-free telephone number, for the
parent to use.
Content: The Basics
The privacy policy must:
- Be written clearly and understandably. It should not contain any confusing or contradictory information.
- Describe the site's information practices completely and accurately.
- Include contact information (name, mailing address, telephone number, and email address) for all operators collecting or maintaining personal information through the website.
- Explain what types of personal information the site collects, whether it collects the information actively or passively, and how it will use the information.
- Provide all the required information about the disclosure of personal information to third parties.
- Tell parents they can consent to the collection and use of their child's personal information without consenting to the disclosure of the information to third parties.
- Explain that website operators cannot condition a child's participation in an activity on the child providing more personal information than is reasonably necessary for the activity.
- Tell parents that they can review their child's personal information, have it deleted and refuse to permit any further collection - and how to do it.
Endnotes
2 64 Fed. Reg. 59,888,
59,894 at n.98 (Nov. 3, 1999).
3 See 16 C.F.R. § 312.4(b)(1)(ii) and (iii).
4 64 Fed. Reg. at
59,894.
5 See 16 C.F.R. § 312.4(b)(2)(i).
6 The Rule defines
personal information as including information collected
through the use of cookies or other identifiers when tied
to personal information, such as an email address. 16
C.F.R. § 312.2.
If your site uses
cookies and links the information stored in the cookie
with other individually identifiable information, such
collection must be disclosed in the privacy policy.
7 Because the Rule
regulates operators and not "third parties," the Rule
requires operators to tell parents about the third party
and what the third party plans to do with the information
given to it by the operator.
8 16 C.F.R. § 312.2.