Previous Document IconPrevious Info Memo

Next Document IconNext Info MemoExam Manual Table of Contents IconList of Info Memos

Informational Memorandum
Subject:Children's Online Privacy Protection Act of 1998
Date of Memorandum:06/26/2003
Expiration Date:
Office:OE
Signed By:Smith, Roland
FCA Contact Person:Glenn, Thomas
Contact Phone:703-883-4412
List of Attachments:

INFORMATIONAL MEMORANDUM



June 26, 2003


To: The Chief Executive Officer
All Farm Credit System Institutions

From: Roland E. Smith, Director
Office of Examination

Subject: Children’s Online Privacy Protection Act of 1998


The Farm Credit Administration (FCA) reviews Farm Credit System (System) institutions’ Web sites for compliance with various laws, including the Children’s Online Privacy Protection Act of 1998 (COPPA). The COPPA, which can be accessed at Web address http://www.ftc.gov/ogc/coppa1.htm became effective April 21, 1998. It protects the privacy of children using the Internet. This Information Memorandum updates FCA’s prior guidance on the COPPA provided in an Information Memorandum dated November 8, 1999, titled “Web Site and Internet Guidelines.” We are providing additional guidance on the COPPA below.

What does the COPPA require?

The COPPA requires, among other things, that Web site operators that direct their services to children or knowingly provide services to children obtain verifiable parental consent prior to collecting or distributing any information. A core requirement of the COPPA is that, with limited exceptions, the Web site operator must provide written notice to the parent before collecting, using, or disclosing personally identifiable information obtained from a child.

15 U.S.C. 6502-6506

A Web site operator need not obtain verifiable parental consent when: (1) online contact information collected from a child is used to respond directly on a one-time basis to a specific request from a child and is not used to recontact the child and is not maintained in retrievable form by the Web site operator; or (2) a request for the name or online contact information of a parent or child is used for the sole purpose of obtaining parental consent or providing notice under the COPPA and such information is not maintained in retrievable form.

The COPPA also requires an operator to post a link to a notice of its information practices, usually described as a privacy policy, on the homepage of its Web site and at each area where it collects personal information from children. The links to the privacy policy must be close to the requests for information. An operator of a general audience Web site with a separate children’s area must post on the children’s area a clear and prominent link to its notice of information practices. A privacy policy tells visitors about the types of information the Web site collects, how the site collects the information, how the site uses the information, and whether the site gives the information to anyone else. The privacy policy must be clearly written and understandable. It should not include any unrelated, confusing, or contradictory material. Failure to comply with the COPPA can result in substantial penalties.

What are the COPPA’s key terms and definitions?

The COPPA and its implementing regulations have several important definitions and terms.


A “Web site or on-line service directed to children” means a commercial Web site or online service, or a portion thereof, that is targeted to children. A commercial Web site or online service is not considered directed to children solely because it refers or links to a commercial Web site or online service directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link. In determining whether a commercial Web site or online service, or a portion thereof, is targeted to children, the following must be considered: its subject matter; visual or audio content; age of models; language or other characteristics of the Web site or online service; and whether advertising promoting or appearing on the Web site or online service is directed to children. Also considered is competent and reliable empirical evidence regarding audience composition; evidence regarding the intended audience; and whether a site uses animated characters and/or child-oriented activities and incentives.

3. 15 U.S.C. 1302 and 16 C.F.R. 312.2.


What must be included in a privacy policy?

To be COPPA-compliant, a privacy policy must contain the following information:

Contact information, including the name, mailing address, telephone number, and e-mail address of all Web site operators collecting or maintaining personal information from children through the Web site. This requirement lets parents know who will see and use their children’s personal information. It gives parents the information they need to get in touch with the operators who collect or maintain their children’s personal information.

The types of information collected and whether such information is collected actively or passively. Web site operators should be specific enough about the types of personal information they collect from children to allow parents to make an informed decision about whether to agree to the collection and use of this information. The policy should use descriptors of the types of information collected, e.g., name, address, telephone number, hobbies, gender, and age. Active collection includes registration forms or e-mail newsletter sign-up boxes. Passive collection includes the use of cookies or other identifiers when the information is combined with personal information.

How the operator will use the personal information. The privacy policy should state whether the personal information will be used to fulfill a requested transaction, keep records, or market back to the child. For example, the privacy policy could explain that an e-mail address is used to send weekly newsletters, or that a mailing address is used to send a prize or magazine subscription or fulfill another request. In addition, the privacy policy must state whether the Web site offers activities that allow the child or the site to disclose the child’s personal information publicly, e.g., through chat rooms, message boards, or e-mail accounts.

Whether the operator discloses the child’s personal information to third parties. The privacy policy must also state that parents can consent to the collection and internal use of personal information while refusing to permit the Web site to share the information with third parties. If the personal information is disclosed to third parties, the privacy policy must identify the types of businesses the third parties are in and tell how the third parties will, in general, use the information. The privacy policy must also state whether the third parties have agreed to maintain the confidentiality, security, and integrity of the personal information they obtain from the Web site operator. That the Web site operator cannot condition a child’s participation in an activity on the child providing more information than is reasonably necessary for the activity. That a parent can review the child’s personal information, have it deleted, and refuse to allow the further collection or use of the child’s information, and explain the procedures for doing so.

What must be contained in the notice to a parent?

The notice to a parent must state that the Web site operator wishes to collect, use, or disclose personally identifiable information from the child, that a parent’s consent is required to do so, and how a parent may provide consent. This notice must also contain the same information as that in the privacy policy (which is discussed above). The Web site operator must notify a parent by e-mail, postal mail, facsimile, or in other similar ways. The COPPA also provides parents with access to their child’s personal information to review and/or have it deleted. Thus, parents have the opportunity to prevent the further collection or use of the information.

What is personally identifiable information?

The COPPA applies to personally identifiable information about a child that is collected online. Personally identifiable information includes name, a home or other physical address including street name and name of a city or town, an e-mail address, telephone number, Social Security number, or any other information that would allow someone to identify and contact a child. The COPPA also covers other types of information when connected to personally identifiable information, including hobbies, interests, and information collected through cookies or other types of tracking mechanisms.

What should a System institution do?

A System institution that has a Web site is considered a Web site “operator” under the COPPA. If the System institution directs its site or an area of its site to children, e.g., a link to 4-H activities or to a “Kids Zone,” and collects personally identifiable information from the child (such as the child’s e-mail address), it must comply with the COPPA. At this time, some System institutions direct an area of their Web sites to children. Although these institutions may not be actively collecting personal information from a child, they may be passively collecting personal information through “cookies.” If System institutions are collecting or want to collect personal information from a child, they are encouraged to consult legal counsel to ensure compliance with the COPPA.

Where can System institutions get some guidance?

Congress has given the FTC general authority to enforce the COPPA. In the upper right section of the FTC home page is a "Privacy Initiatives" link. If you click on this link, you will access a variety of information, including the FTC’s proposed and final regulations implementing the COPPA, and guides for businesses and parents. In addition, the FTC has set up a special Web site designed for children, parents, businesses, and educators at http://www.ftc.gov/privacy/index.html which features online safety tips for children and other useful education resources about the COPPA and online privacy in general.

What will the FCA examiners do?

The examiners will continue to review System institution Web sites during the examination process to ensure compliance with the COPPA. System institutions that are directing their site or an area of the site to children and collecting personally identifiable information from the child must institute internal controls and procedures to ensure compliance with the COPPA. Specifically, the System institution should maintain for FCA examiner review: a copy of their privacy policy; the notices to parents; and the parents’ consents.

What are the penalties for a violation?

The COPPA grants exclusive authority to the FCA for System compliance. It provides that a System institution violation of the COPPA and its implementing regulations is a violation of the Farm Credit Act of 1971, as amended (Act). Thus, a System institution would be subject to the full range of penalties and enforcement actions available under the Act for a violation of the COPPA, including a civil money penalty, an order to cease and desist, or an order of prohibition.

If you have any questions, please contact Thomas Glenn, Supervisory FCA Examiner, by telephone at (703) 883-4412 or by e-mail at glennt@fca.gov.