|Subject:|Children's Online Privacy Protection Act of 1998|
|Date of Memorandum:|06/26/2003|
|Expiration Date:| |
|Signed By:|Smith, Roland|
|FCA Contact Person:|Glenn, Thomas|
|List of Attachments:| |
June 26, 2003
To: The Chief Executive Officer
All Farm Credit System Institutions
From: Roland E. Smith, Director
Office of Examination
Subject: Children’s Online Privacy Protection Act of 1998
The Farm Credit Administration (FCA) reviews Farm Credit System (System) institutions’ Web sites for compliance with various laws, including the Children’s Online Privacy Protection Act of 1998 (COPPA). The COPPA, which can be accessed at http://www.ftc.gov/ogc/coppa1.htm, became effective April 21, 1998. It protects the privacy of children using the Internet. This Information Memorandum updates FCA’s prior guidance on the COPPA provided in an Information Memorandum dated November 8, 1999, titled “Web Site and Internet Guidelines.” We are providing additional guidance on the COPPA below.
What does the COPPA require?
The COPPA requires, among other things, that Web site operators that direct their services to children or knowingly provide services to children obtain verifiable parental consent prior to collecting or distributing any information. A core requirement of the COPPA is that, with limited exceptions, the Web site operator must provide written notice to the parent before collecting, using, or disclosing personally identifiable information obtained from a child.
15 U.S.C. §§ 6502-6506
A Web site operator need not obtain verifiable parental consent when: (1) online contact information collected from a child is used to respond directly on a one-time basis to a specific request from a child and is not used to recontact the child and is not maintained in retrievable form by the Web site operator; or (2) a request for the name or online contact information of a parent or child is used for the sole purpose of obtaining parental consent or providing notice under the COPPA and such information is not maintained in retrievable form.
What are the COPPA’s key terms and definitions?
The COPPA and its implementing regulations have several important definitions and terms.
- “Children” are individuals under the age of 13 (12 and under).
- “Operator” means any person who operates a Web site located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to the Web site or online service, or on whose behalf such information is collected or maintained, where such Web site or online service is operated for commercial purposes. To determine whether an entity is a Web site “operator” with respect to information collected at a site, the following must be considered: who owns and controls the information; who pays for the collection and maintenance of the information; what the pre-existing contractual relationships are in connection with the information; and what role the Web site plays in collecting or maintaining the information.
- A “Web site or on-line service directed to children” means a commercial Web site or online service, or a portion thereof, that is targeted to children. A commercial Web site or online service is not considered directed to children solely because it refers or links to a commercial Web site or online service directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link. In determining whether a commercial Web site or online service, or a portion thereof, is targeted to children, the following must be considered: its subject matter; visual or audio content; age of models; language or other characteristics of the Web site or online service; and whether advertising promoting or appearing on the Web site or online service is directed to children. Also considered is competent and reliable empirical evidence regarding audience composition; evidence regarding the intended audience; and whether a site uses animated characters and/or child-oriented activities and incentives.
3. 15 U.S.C. § 1302 and 16 C.F.R. § 312.2.
What must be contained in the notice to a parent?
- Contact information, including the name, mailing address, telephone number, and e-mail address of all Web site operators collecting or maintaining personal information from children through the Web site. This requirement lets parents know who will see and use their children’s personal information. It gives parents the information they need to get in touch with the operators who collect or maintain their children’s personal information.
- That the Web site operator cannot condition a child’s participation in an activity on the child providing more information than is reasonably necessary for the activity.
- That a parent can review the child’s personal information, have it deleted, and refuse to allow the further collection or use of the child’s information, and explain the procedures for doing so.
What is personally identifiable information?
The COPPA applies to personally identifiable information about a child that is collected online. Personally identifiable information includes name, a home or other physical address including street name and name of a city or town, an e-mail address, telephone number, Social Security number, or any other information that would allow someone to identify and contact a child. The COPPA also covers other types of information when connected to personally identifiable information, including hobbies, interests, and information collected through cookies or other types of tracking mechanisms.
What should a System institution do?
A System institution that has a Web site is considered a Web site “operator” under the COPPA. If the System institution directs its site or an area of its site to children, e.g., a link to 4-H activities or to a “Kids Zone,” and collects personally identifiable information from the child (such as the child’s e-mail address), it must comply with the COPPA. At this time, some System institutions direct an area of their Web sites to children. Although these institutions may not be actively collecting personal information from a child, they may be passively collecting personal information through “cookies.” If System institutions are collecting or want to collect personal information from a child, they are encouraged to consult legal counsel to ensure compliance with the COPPA.
Where can System institutions get some guidance?
Congress has given the FTC general authority to enforce the COPPA. In the upper right section of the FTC home page is a "Privacy Initiatives" link. If you click on this link, you will access a variety of information, including the FTC’s proposed and final regulations implementing the COPPA, and guides for businesses and parents. In addition, the FTC has set up a special Web site designed for children, parents, businesses, and educators at http://www.ftc.gov/privacy/index.html which features online safety tips for children and other useful education resources about the COPPA and online privacy in general.
What will the FCA examiners do?
What are the penalties for a violation?
The COPPA grants exclusive authority to the FCA for System compliance. It provides that a System institution violation of the COPPA and its implementing regulations is a violation of the Farm Credit Act of 1971, as amended (Act). Thus, a System institution would be subject to the full range of penalties and enforcement actions available under the Act for a violation of the COPPA, including a civil money penalty, an order to cease and desist, or an order of prohibition.
If you have any questions, please contact Thomas Glenn, Supervisory FCA Examiner, by telephone at (703) 883-4412 or by e-mail at email@example.com.