[Federal Register Volume 64, Number 80 (Tuesday, April 27, 1999)]
[Proposed Rules]
[Pages 22750-22767]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-10250]



[[Page 22749]]

_______________________________________________________________________

Part V





Federal Trade Commission





_______________________________________________________________________



16 CFR Part 312



Children's Online Privacy Protection Rule; Proposed Rule

  Federal Register / Vol. 64, No. 80 / Tuesday, April 27, 1999 / 
Proposed Rules  

[[Page 22750]]



FEDERAL TRADE COMMISSION

16 CFR PART 312


Children's Online Privacy Protection Rule

AGENCY: Federal Trade Commission.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: In this document, the Federal Trade Commission (the 
``Commission'' or ``FTC'') issues a Notice of Proposed Rulemaking to 
implement the Children's Online Privacy Protection Act of 1998 (``the 
Act''). Section 1303(b) of the Act directs the FTC to promulgate rules, 
not later than 1 year after the date of the enactment of the Act, to 
prohibit unfair and deceptive acts and practices in connection with the 
collection and use of personal information from and about children on 
the Internet.

DATES: Written comments must be submitted on or before June 11, 1999. 
The Commission has reserved July 20, 1999 for a workshop on the 
proposed rule, if the comments submitted indicate that a workshop would 
be necessary or helpful. If a workshop is held, the Commission will 
issue a Federal Register Notice listing the topics to be covered.

ADDRESSES: Written comments should be submitted to: Secretary, Federal 
Trade Commission, Room H-159, 600 Pennsylvania Avenue, NW, Washington, 
DC 20580. The Commission requests that commenters submit the original 
plus five copies, if feasible. To enable prompt review and public 
access, comments also should be submitted, if possible, in electronic 
form, on either a 5\1/4\ or a 3\1/2\ inch computer disk, with a disk 
label stating the name of the commenter and the name and version of the 
word processing program used to create the document. (Programs based on 
DOS or Windows are preferred. Files from other operating systems should 
be submitted in ASCII text format.) Alternatively, the Commission will 
accept comments submitted to the following e-mail address 
[email protected]>. Individual members of the public filing comments 
need not submit multiple copies or comments in electronic form. All 
submissions should be captioned: ``Children's Online Privacy Protection 
Rule--Comment, P994504.'' Rebuttal comments should be submitted 
following the same procedures as those stated above. Comments will be 
posted on the Commission's website: <http://www.ftc.gov>.
    To the extent that the notice requirements of the proposed rule 
constitute ``collections of information'' under the Paperwork Reduction 
Act, comments on such requirements should also be submitted to the 
Office of Information and Regulatory Affairs, Office of Management and 
Budget, Room 10235, New Executive Office Building, Washington, DC 
20503, Attention: Desk Officer for FTC.

FOR FURTHER INFORMATION CONTACT: Toby Milgrom Levin, (202) 326-3156, 
Loren G. Thompson, (202) 326-2049, or Jill Samuels, (202) 326-2066, 
Division of Advertising Practices, Bureau of Consumer Protection, 
Federal Trade Commission, 601 Pennsylvania Ave., NW, Washington, DC 
20580.

SUPPLEMENTARY INFORMATION:

Section A. Background

1. Children's Online Privacy Protection Act of 1998

    On October 21, 1998, Congress enacted and the President signed into 
law the Children's Online Privacy Protection Act of 1998 (``the 
Act''),1 to prohibit unfair and deceptive acts and practices 
in connection with the collection and use of personally identifiable 
information from and about children on the Internet. The goals of the 
Act are: (1) To enhance parental involvement in a child's online 
activities in order to protect the privacy of children in the online 
environment; (2) to help protect the safety of children in online fora 
such as chat rooms, home pages, and pen-pal services in which children 
may make public postings of identifying information; (3) to maintain 
the security of children's personal information collected online; and 
(4) to limit the collection of personal information from children 
without parental consent.2
---------------------------------------------------------------------------

    \1\ Title XIII, Omnibus Consolidated and Emergency Supplemental 
Appropriations Act, 1999, Pub. L.105-277, 112 Stat. 2681, 
____________ (October 21, 1998) reprinted at 144 Cong. Rec. H11240-
42 (Oct. 19, 1998). Since the Act has not yet been codified, 
citations used in this notice are to the section numbers designated 
in Title XIII of the Omnibus Act.
    \2\ 144 Cong. Rec. S12741 (Oct. 7, 1998) (Statement of Sen. 
Bryan). In the three years prior to the Act's passage, the 
Commission sought to educate industry, the public and itself about 
the issues raised by the online collection of personal information 
from children and adult consumers. In June 1996 and June 1997, the 
Commission held public workshops to learn how the rapidly developing 
online marketplace was affecting consumers' privacy. In March 1998, 
the Commission conducted an extensive survey of commercial websites, 
including 212 children's websites, to learn the extent to which they 
were disclosing their information practices, and, with regard to the 
children's websites, the extent to which they were providing for 
parental notice of and consent to the collection and disclosure of 
children's personal information. The Commission reported the results 
of its survey to Congress in June 1998, and recommended that 
Congress enact legislation to protect children's privacy online. 
(Federal Trade Commission, Privacy Online: A Report to Congress, 
June 1998.) The Commission's survey found that few children's 
websites were disclosing their information practices or providing 
for parental consent. 
---------------------------------------------------------------------------

    Section 1303 of the Act directs the FTC to adopt regulations 
prohibiting unfair and deceptive acts and practices in connection with 
the collection and use of personal information from and about children 
on the Internet. Section 1303(b) sets forth a series of privacy 
protections to prevent unfair and deceptive online information 
collection from or about children. The Act specifies that operators of 
websites directed to children or who knowingly collect personal 
information from children (1) provide parents notice of their 
information practices; (2) obtain prior parental consent for the 
collection, use and/or disclosure of personal information from children 
(with certain limited exceptions for the collection of online contact 
information, e.g., an e-mail address); (3) provide a parent, upon 
request, with the ability to review the personal information collected 
from his/her child; (4) provide a parent with the opportunity to 
prevent the further use of personal information that has already been 
collected, or the future collection of personal information from that 
child; (5) limit collection of personal information for a child's 
online participation in a game, prize offer, or other activity to 
information that is reasonably necessary for the activity; and (6) 
establish and maintain reasonable procedures to protect the 
confidentiality, security, and integrity of the personal information 
collected.3
---------------------------------------------------------------------------

    \3\ Supra note 1.
---------------------------------------------------------------------------

    The Act authorizes the Commission to bring enforcement actions for 
violations of the final Rule in the same manner as for other rules 
defining unfair and deceptive acts or practices under section 5 of the 
Federal Trade Commission Act.4 In addition, section 1305 of 
the Act authorizes state attorneys general to enforce compliance with 
the final Rule by filing actions in federal court after serving prior 
written notice upon the Commission when feasible.
---------------------------------------------------------------------------

    \4\ Section 1306(d) of the Act provides that the rule shall be 
treated as a rule issued under Sec. 18 (a)(1)(B) of the FTC Act (15 
U.S.C. 57a (a)(1)(B)).
---------------------------------------------------------------------------

Section B. Overview of the Proposed Rule

    The Internet offers children unprecedented opportunities for 
learning, recreation, and communication in ways scarcely imagined a 
decade ago. Children are actively engaged in a wide variety of online 
activities. They communicate

[[Page 22751]]

with one another in online chat rooms and bulletin boards, through 
online pen-pal services, and by posting personal home pages. They 
participate in games and contests sponsored by websites, and they use 
the Internet to access information on all manner of subjects.
    Despite its obvious attraction for children, the Internet is also a 
medium in which children can be placed at risk. As they use the 
Internet, children, like others, are often asked to provide a wide 
variety of personal information about themselves. Websites and online 
services collect this information by such means as registration pages, 
order forms, contests, surveys, chat rooms, and bulletin boards. In 
general, they have collected this information, and have in some 
instances shared it with third parties, without notice to children or 
their parents. In addition, public posting of children's personal 
information makes it available to anyone on the Internet, including 
those who would harm children.
    The proposed Rule is designed to assist parents in controlling the 
flow of their children's personal information on the Internet. It 
contains a general requirement that operators of websites or online 
services directed to children (``operators'') not condition children's 
participation in online activities on the provision of more personal 
information than is reasonably necessary to participate in the 
activity. This will prevent operators from using popular games and 
activities as a means of obtaining children's information.
    Operators are also required to post prominent links on their 
websites to a notice of how they collect and use personal information 
from children. In most circumstances, the proposed Rule requires 
operators to notify parents that they wish to collect personal 
information from their children and to obtain parental consent prior to 
collecting, using, or disclosing such information. Parents then have 
the option of prohibiting operators from disclosing their child's 
personal information to third parties. In addition, operators must 
allow parents the opportunity to review and make changes to any 
information provided by their children. Parents at any time may also 
require the operator to delete their children's information and 
prohibit the operator from collecting any more information from their 
children in the future. The proposed Rule also requires that operators 
establish procedures to protect the confidentiality, security, and 
integrity of the personal information collected from children.
    Because the proposed Rule applies to the use or disclosure of 
personal information and not just its collection, it protects personal 
information collected from children prior to the effective date of the 
final Rule if an operator wishes to use such information in the future. 
Thus, for example, an operator that maintains a database of children's 
personal information must provide notice to the parent and obtain 
parental consent prior to using such information once the Rule is 
effective.
    Finally, under the proposed Rule, industry groups or others may 
seek Commission approval for self-regulatory guidelines. Operators who 
participate in such approved programs may be subject to the review and 
disciplinary procedures provided in these guidelines in lieu of formal 
Commission investigation and law enforcement.
    Section 312.1 describes the scope of the regulations under this 
Act. Section 312.2 contains the definitions of the terms used in the 
proposed Rule, such as ``operator'' and ``personal information.'' 
Section 312.3 sets out the general requirements that operators must 
follow when seeking to collect, use, and/or disclose personal 
information from children. Section 312.4 contains the requirements for 
providing notice on the website and to parents under the various 
requirements of the proposed Rule. Section 312.5 sets out the 
procedures by which operators can obtain consent from parents to the 
collection, use, and/or disclosure of personal information from 
children. Section 312.6 requires operators to allow parents to review, 
make changes to, or have deleted the personal information collected 
from their children. Section 312.7 prohibits operators from 
conditioning a child's participation in online activities on the 
provision of more personal information than is reasonably necessary to 
participate in those activities. Section 312.8 requires operators to 
establish reasonable procedures to maintain the confidentiality, 
security, and integrity of the information collected from children. 
Section 312.9 establishes that violations of the proposed Rule will be 
treated as a violation of a rule defining an unfair or deceptive act or 
practice under the FTC Act. Section 312.10 establishes procedures by 
which industry groups or other persons can request Commission approval 
for their self-regulatory guidelines. Sections 312.11 and 312.12 
address Commission review of the proposed Rule and the proposed Rule's 
severability.
    Each of the provisions is indented, followed by a brief discussion 
where needed. The full text of the proposed Rule appears in Section J 
of this Notice.

Section 312.1  Scope of Regulations in This Part

    This Rule implements the Children's Online Privacy Protection Act 
of 1998, to be codified at 15 U.S.C. ____________, et seq., which 
prohibits unfair and deceptive acts and practices in connection with 
the collection, use, and/or disclosure of personal information from and 
about children on the Internet.

Section 312.2  Definitions

    Child means an individual under the age of 13.
    Collects or collection means the direct or passive gathering of any 
personal information from a child by any means, including but not 
limited to:
    (a) Any online request for personal information by the operator 
regardless of how that personal information is transmitted to the 
operator;
    (b) Collection using a chat room, message board, or other public 
posting of such information on a website or online service; or
    (c) Passive tracking or use of any identifying code linked to an 
individual, such as a cookie.
    This term includes all online requests for personal information 
regardless whether the personal information is ultimately transmitted 
online or offline. Thus, it would include a situation where the website 
or online service directs the child to print out a form, respond in 
writing to the questions, and mail the form back to the website or 
online service.
    Commission means the Federal Trade Commission.
    Delete means to remove personal information such that it is not 
maintained in retrievable form and cannot be retrieved in the normal 
course of business.
    Disclosure means, with respect to personal information:
    (a) The release of personal information collected from a child in 
identifiable form by an operator for any purpose, except where an 
operator provides such information to a person who provides support for 
the internal operations of the website or online service and who does 
not disclose or use that information for any other purpose, where
    (1) Release of personal information means the sharing, selling, 
renting, or any other means of providing personal information to any 
third party, and
    (2) Support for the internal operations of the website or online 
service means those activities necessary to maintain the technical 
functioning of the website or online service, or to fulfill a request

[[Page 22752]]

of a child as permitted by Secs. 312.5(c) (2) and (3); and
    (b) Making personal information collected from a child by an 
operator publicly available in identifiable form, by any means, 
including by a public posting through the Internet, or through a 
personal home page posted on a website or online service; a pen-pal 
service; an electronic mail service; a message board; a chat room; or 
any other means that would enable a child to reveal personal 
information to others online.
    Contractors who provide technical support or fulfillment services 
for a website or online service are considered to be providing support 
for the website or online service's internal operations. Technical 
support includes providing the server for the website, online service, 
chat, or e-mail services. Fulfillment services include supplying 
children with the items they request from the operator. This provision 
permits an operator to contract for technical and fulfillment 
operations that may involve the handling of personal information 
without triggering a disclosure in the notice.
    The proposed Rule, however, requires operators, among other things, 
to maintain the confidentiality, security, and integrity of the 
personal information it collects from children. (See Sec. 312.7.) Thus 
the operator is responsible for ensuring that any person with whom it 
contracts for these technical services does not disclose the personal 
information and complies with the information safeguards of the 
proposed Rule. As described in the discussion of Sec. 312.7 below, such 
safeguards may include, for example, maintaining the data off the 
server, requiring a password to access the data, and limiting employee 
access to the data.
    Federal agency means an agency, as that term is defined in section 
551(1) of title 5, United States Code.
    Internet means collectively the myriad of computer and 
telecommunications facilities, including equipment and operating 
software, which comprise the interconnected world-wide network of 
networks that employ the Transmission Control Protocol/Internet 
Protocol, or any predecessor or successor protocols to such protocol, 
to communicate information of all kinds by wire, radio, or other 
methods of transmission.
    By including the phrase ``other methods of transmission,'' this 
definition ensures that the proposed Rule adequately addresses future 
technological developments such as wireless transmission and access to 
what is now referred to as the ``Internet.''
    Online contact information means an e-mail address or any other 
substantially similar identifier that permits direct contact with a 
person online.
    Operator means any person who operates a website located on the 
Internet or an online service and who collects or maintains personal 
information from or about the users of or visitors to such website or 
online service, or on whose behalf such information is collected or 
maintained, where such website or online service is operated for 
commercial purposes, including any person offering products or services 
for sale through that website or online service, involving commerce
    (a) Among the several States or with 1 or more foreign nations;
    (b) in any territory of the United States or in the District of 
Columbia, or between any such territory and
    (1) Another such territory, or
    (2) Any State or foreign nation; or
    (c) Between the District of Columbia and any State, territory, or 
foreign nation. This definition does not include any nonprofit entity 
that would otherwise be exempt from coverage under section 5 of the 
Federal Trade Commission Act (15 U.S.C. 45).
    The term ``operator'' includes both a person who collects or 
maintains personal information directly from a visitor through a 
website or online service and a person who collects or maintains such 
information through another's website or online service. The statute 
places the regulatory obligations on the operator. In determining who 
is the operator for purposes of the proposed Rule, the Commission will 
consider such factors as who owns the information, who controls the 
information, who pays for the collection or maintenance of the 
information, the pre-existing contractual relationships surrounding the 
collection or maintenance of the information, and the role of the 
website or online service in collecting and/or maintaining the 
information.
    Where the website or online service merely acts as the conduit 
through which the personal information collected flows to another 
person or to another's website or online service, and the website or 
online service does not have access to the information, then it is not 
an operator under the proposed Rule.5 Where both the website 
or online service and another person have access to or control over the 
information collected, and are considered operators under the factors 
listed above, both parties will have joint responsibility to provide 
the protections required by the proposed Rule. In circumstances of 
joint responsibility, the parties may make arrangements between them to 
facilitate implementation of their responsibilities. For example, it 
may be more efficient for the website or online service to provide 
parental notice and obtain parental consent, since it has the direct 
relationship with its visitors. Nevertheless, each operator is 
responsible for ensuring that the obligations of the proposed Rule are 
fulfilled.
---------------------------------------------------------------------------

    \5\ Similarly, where the website or online service hires a 
contractor to provide support for its ``internal operations,'' the 
contractor would not be deemed an operator if it merely acts as the 
conduit and uses the information only to the extent necessary to 
process the information for the operator.
---------------------------------------------------------------------------

    An operator may choose to release personal information it has 
collected to a ``third party.'' As defined below, a ``third party'' is 
``any person who is neither an operator with respect to the collection 
of personal information on the website or online service, nor the 
person who provides support for the internal operations of the website 
or online service.'' In general, a third party does not collect, own, 
or control the personal information at the time it is collected. In 
determining whether an entity is an ``operator'' or ``third party,'' 
the entity's corporate relationship to another operator, such as 
whether it is an affiliate, is not a determinative factor. Rather, as 
described above, its status is determined by how the data is obtained 
and used.
    Parent includes a legal guardian.
    Person means any individual, partnership, corporation, trust, 
estate, cooperative, association, or other entity.
    Personal information means individually identifiable information 
about an individual collected online, including:
    (a) A first and last name;
    (b) A home or other physical address including street name and name 
of a city or town;
    (c) An e-mail address;
    (d) A telephone number;
    (e) A Social Security number;
    (f) A persistent identifier, such as a customer number held in a 
cookie or a processor serial number, where such identifier is 
associated with personal identifying information; a screen name that 
reveals an individual's e-mail address; an instant messaging user 
identifier; or a combination of a last name with other information such 
that the combination permits physical or online contacting; or
    (g) Information concerning the child or the parents of that child 
that the

[[Page 22753]]

operator collects online from the child and combines with an identifier 
described in this paragraph.
    Section 1302(8)(F) of the Act authorizes the Commission to expand 
the definition of ``personal information'' to include other identifiers 
that permit physical or online contacting of a specific individual. The 
proposed definition, therefore, adds several identifiers to 
Sec. 312.2(f) that were not enumerated in the Act:

    (1) A persistent identifier, such as a cookie or a processor serial 
number, where it is associated with personal identifying information;
    (2) A screen name that reveals an individual's e-mail address;
    (3) An instant messaging user identifier; 6 or
---------------------------------------------------------------------------

    \6\ An ``instant messaging user identifier,'' permits users, 
including children, to conduct what is commonly known as ``ICQ'' or 
``Instant Messaging.'' This service is basically a combination of e-
mail and chat and is offered for free by a number of websites and 
online services. It permits an individual, upon registration, to 
send and receive communication on the Internet in real time. Users 
can also search instant messaging directories which may provide 
users' real names, e-mail addresses, cities, gender and age 
information.
---------------------------------------------------------------------------

    (4) A combination of a last name with other information such that 
the combination permits physical or online contacting, e.g., the name 
of the child's school, zip code, church, or athletic team.
    Each of the above items are specified in the proposed Rule because 
they permit physical or online contacting of a specific individual.
    Third party means any person who is neither an operator with 
respect to the collection of personal information on the website or 
online service, nor a person who provides support for the internal 
operations of the website or online service.
    Obtaining verifiable consent means making any reasonable effort 
(taking into consideration available technology) to ensure that before 
personal information is collected from a child, a parent of the child:
    (a) receives notice of the operator's personal information 
collection, use, and disclosure practices; and
    (b) authorizes any collection, use, and/or disclosure of the 
personal information.
    This definition is taken directly from the Act. Possible examples 
of reasonable efforts are found below in Sec. 312.5(b), describing 
parental consent.
    Website or online service directed to children means a commercial 
website or online service, or portion thereof, that is targeted to 
children. Provided, however, that a commercial website or online 
service, or a portion thereof, shall not be deemed directed to children 
solely because it refers or links to a commercial website or online 
service directed to children by using information location tools, 
including a directory, index, reference, pointer, or hypertext link. In 
determining whether a commercial website or online service, or a 
portion thereof, is targeted to children, the Commission will consider 
its subject matter, visual or audio content, age of models, language or 
other characteristics of the website or online service, as well as 
whether advertising promoting or appearing on the website or online 
service is directed to children. The Commission will also consider 
competent and reliable empirical evidence regarding audience 
composition; evidence regarding the intended audience; and whether a 
site uses animated characters and/or child-oriented activities and 
incentives.
    The definition of ``directed to children'' permits the Commission 
to consider a number of different factors in determining whether a 
website or online service, or a portion thereof, is directed to 
children. The Commission may consider whether the website or online 
service, or portion thereof, is designated as a children's area; the 
site's subject matter, visual or audio content, age of models, language 
or other characteristics; and whether the site uses features designed 
to be attractive to children, such as games, puppets, or animated 
characters and child-oriented activities and incentives.
    This approach is consistent with that taken in other media to 
define what is directed to children, including television, radio, and 
print advertising. It also provides the Commission flexibility as it 
seeks to enforce the proposed Rule in the new and developing online 
medium.
    An operator of a website or online service with a ``portion'' 
directed to children will have duties under the proposed Rule for that 
portion. An operator of a general interest website or online service 
that is not directed to children, however, will have duties under the 
proposed Rule only if it knows that particular visitors are under the 
age of 13.

Section 312.3  Regulation of Unfair and Deceptive Acts and Practices in 
Connection with the Collection, Use, and/or Disclosure of Personal 
Information From and About Children on the Internet

    General requirements. It shall be unlawful for any operator of a 
website or online service directed to children, or any operator that 
has actual knowledge that it is collecting personal information from a 
child, to collect personal information from a child in a manner that 
violates the regulations prescribed under this Rule. Generally, under 
this Rule, an operator must:
    (a) Provide notice on the website or online service of what 
information it collects from children, how it uses such information, 
and its disclosure practices for such information (Sec. 312.4(b));
    (b) Obtain verifiable parental consent for any collection, use, 
and/or disclosure of personal information from children (Sec. 312.5);
    (c) Provide a reasonable means for a parent to review the personal 
information collected from a child and to refuse to permit its further 
use or maintenance (Sec. 312.6);
    (d) Not condition a child's participation in a game, the offering 
of a prize, or another activity on the child disclosing more personal 
information than is reasonably necessary to participate in such 
activity (Sec. 312.7); and
    (e) Establish and maintain reasonable procedures to protect the 
confidentiality, security, and integrity of personal information 
collected from children (Sec. 312.8).
    Section 312.3 of the proposed Rule outlines the general 
requirements that an operator must implement in connection with any 
collection, use, and/or disclosure of personal information obtained 
from children. Failure to abide by these requirements constitutes an 
unfair and/or deceptive act or practice within the meaning of the FTC 
Act. Each of these general requirements is defined in more detail in 
specific paragraphs of the proposed Rule.

Section 312.4  Notice.

    The proposed Rule requires operators to both post on the website or 
online service and send to parents notices of the operator's 
information collection practices and the intended actions with respect 
to the use and/or disclosure of information collected from 
children.7 Section 312.4 specifies the information that must 
be included in such notices, and states how such notices must be posted 
on the website or online service or provided to parents.
---------------------------------------------------------------------------

    \7\ See, e.g., sections 312.3(a) (requiring notice on the 
website), and 312.5 (setting out the requirements for notice to 
parents and for obtaining verifiable parental consent).
---------------------------------------------------------------------------

    Section 312.4(a) sets out the general principles of effective 
notice; section 312.4(b) sets out the requirements for the notice on 
the website or online service; and section 312.4(c) sets out the 
requirements for notices that are sent

[[Page 22754]]

directly to parents under various other provisions of the proposed 
Rule.
(a) General Principles of Notice
    All notices under Secs. 312.3(a) and 312.5 must be clearly and 
understandably written, be complete, and must contain no unrelated, 
confusing, or contradictory materials.
    The operator's notice will form the basis for a parent's decision 
whether to give the operator consent to collect, use and/or disclose 
personal information from his or her child. In order to provide truly 
informed consent, a parent must have a clear idea of what the operator 
wishes to do. Therefore, it is essential that such notices be prominent 
and easy to find (in the case of a notice posted on the website or 
online service), and be clearly and understandably written. It is also 
essential that such notices contain all relevant information, and 
contain no unrelated, confusing, or contradictory materials.
(b) Notice on the Website or Online Service
    An operator must post a link to a notice of its information 
practices with regard to children on the home page of its website or 
online service and at each place on the website or online service where 
personal information is collected from children.
    (1) Placement of the notice.
    (i) The link to the notice must be clearly labeled as a notice of 
the website or online service's information practices with regard to 
children;
    (ii) The link to the notice must be placed in a prominent place on 
the home page of the website or online service such that a typical 
visitor to the home page can see the link without having to scroll 
down; and
    (iii) There must be a prominent link to the notice at each place on 
the website or online service where children directly provide, or are 
asked to provide, personal information such that a typical visitor to 
those places can see the link without having to scroll down.
    Under section 312.3(a) of the proposed Rule, operators are required 
to provide notice on the website or online service of their practices 
with regard to the collection, use, and disclosure of information 
sought online from children.8 Under section 312.4(b)(1), 
operators must post links to the notice on the website or online 
service's home page and at each place on the website or online service 
where personal information is collected from children. The link on the 
home page must be placed such that a typical visitor does not need to 
scroll down from the initial viewing screen. A small link at the foot 
of the page, for example, is not sufficient, because the risk is great 
that many people will not notice it and will therefore not have the 
opportunity to learn about the operator's policies. In addition, if the 
policy is included as part of a larger document, it is important that 
the required link take visitors directly to the part of the document 
that discusses the operator's information practices with regard to 
children.9 Similarly, it is important to provide a link to 
the policy at each place on the website or online service where 
information is collected from children because (a) not all visitors to 
a website or online service enter it through the home page, and (b) a 
link at the point of information collection guarantees that the notice 
will be seen by a parent who is visiting the website or online service 
to learn about the operator's specific information practices. Being 
able to review an operator's policies in context can help parents 
understand why such information is being collected.
---------------------------------------------------------------------------

    \8\ Often, such information practice policies are referred to as 
``privacy policies.'' The Commission encourages operators to use 
informative names for their information practice policies. A link to 
an information practice policy that is labeled ``About Us'' or 
``What We Do,'' for example, will probably not convey to visitors 
that the link will take them to a statement of the operator's 
information practices.
    \9\ Operators who use more than one set of practices on a 
website (e.g., separate practices for children and adults) must be 
especially careful to label the different practices clearly, and to 
make sure that the notices are written clearly in order to avoid any 
possible confusion.
---------------------------------------------------------------------------

    (2) Content of the notice.
    Generally speaking, parents need to know (a) who is collecting 
information through a website or online service; (b) what kind of 
information is collected through the website or online service; (c) how 
information is collected through the website or online service; (d) how 
such information will be used, including whether it will be disclosed 
to third parties and for what general purposes; (e) what control 
parents can exercise over their children's information, the procedures 
for doing so, and the consequences of their refusal to provide 
information; and (f) what general measures the operator takes to ensure 
the confidentiality, integrity, and quality of the information 
collected. Section 312.4(b)(2) sets out in detail the information 
operators must include in their notices in order to satisfy the 
requirements of this section of the proposed Rule.
    To be complete, the notice of the website or online service's 
information practices must state the following:
    (i) The name, address, phone number, and e-mail address of all 
operators collecting personal information from children through the 
website or online service;
    Section 312.4(b)(2)(i) of the proposed Rule requires all operators 
that are collecting personal information through the website or online 
service to state their name, address, phone number, and e-mail address. 
This information will enable parents to both identify and contact the 
operator should they want further information about the website or 
online service, or to request an opportunity to review information 
collected from their child pursuant to section 312.6 below.
    (ii) The types of personal information collected from children and 
whether the personal information is collected directly or passively;
    Section 312.4(b)(2)(ii) of the proposed Rule requires operators to 
list the types of personal information collected online, e.g., name, 
address, hobbies, and investment information, and whether such 
information is collected directly or passively from children. While 
operators are not required to list each and every piece of information 
collected, the categories operators select should be descriptive enough 
that parents can make an informed decision about whether to consent to 
the operator's collection and/or use of the information. It is not 
necessary to list each item of information collected. A notice, 
however, that simply states ``We collect personal information from your 
kids'' does not provide enough information for parents.
    (iii) How such personal information is or may be used by the 
operator, including but not limited to fulfillment of a requested 
transaction, recordkeeping, marketing back to the child, or making it 
publicly available through a chat room or by other means;
    Section 312.4(b)(2)(iii) of the proposed Rule requires operators to 
list how the personal information will be used once it has been 
collected, including such uses as order fulfillment, recordkeeping, 
marketing back to the child, disclosure to third parties or making it 
publicly available through a chat room or by other means. As in section 
312.4(b)(2)(ii) of the proposed Rule, the challenge for the operator 
will be to provide enough information for parents to make informed 
decisions without listing every specific or possible use of the 
information. For example, the statement that ``we use this information 
to provide information on toys to your child'' is probably just as 
informative as the statement ``we use this information to provide your 
child with information

[[Page 22755]]

on beanie babies, dolls, action figures, puzzles, and stuffed 
animals.''
    In addition, where the operator permits a child to engage in 
interactive activities that enable a child to publicly reveal his or 
her personal information, e.g., a chat room, message board, e-mail 
service, instant message, or personal home page, the operator must 
clearly state that in its notice to the parent.
    (iv) Whether personal information is disclosed to third parties, 
and if so, the types of business in which such third parties are 
engaged, and the general purposes for which such information is used; 
whether those third parties have agreed to maintain the 
confidentiality, security, and integrity of the personal information 
they obtain from the operator; and that the parent has the option to 
consent to the collection and use of their child's personal information 
without consenting to the disclosure of that information to third 
parties;
    Section 312.4(b)(2)(iv) of the proposed Rule relates to the 
operator's practices with respect to third parties. It requires 
operators that disclose children's personal information to third 
parties to provide a brief statement of the types of business in which 
the third parties are engaged, e.g., list brokering, advertising, 
magazine publishing, or retailing, and to state the general purposes 
for which it is disclosed to third parties. See section 312.2 regarding 
the definition of ``third party.'' It is important for parents to know 
not just that their child's information is being disclosed to third 
parties, but for what purposes. Simply telling parents that their 
child's personal information is (or may be) ``disclosed to third 
parties'' does not give parents enough information upon which to base 
their consent or refusal to consent to the operator's information 
practices.
    Section 312.4(b)(2)(iv) also requires operators to state whether 
the third parties to whom they disclose personal information have 
agreed to maintain the confidentiality of that information. An 
operator's good information practices can be rendered useless if 
someone to whom the operator discloses personal information does not 
also protect the information. If their children's personal information 
will not be protected once it leaves the control of the operator, the 
operator must make that clear to parents.
    Finally, section 312.4(b)(2)(iv) requires operators to tell parents 
that they have the option to consent to the collection and use of their 
child's personal information without consenting to the disclosure of 
that information to third parties.
    (v) That the operator is prohibited from conditioning a child's 
participation in an activity on the child's disclosing more personal 
information than is reasonably necessary to participate in such 
activity; and
    Section 312.4(b)(2)(v) provides notice to the parent that the 
operator is prohibited from requiring a child to disclose more personal 
information than is reasonably necessary to participate in an activity 
such as game or contest. This statement merely paraphrases the 
prohibition enumerated in section 312.7 of the proposed Rule. Providing 
this information in the notice enables the parent to evaluate the 
appropriateness of a request for personal information on a website or 
online service.
    (vi) That the parent can review, make changes to, or have deleted 
the child's personal information and state the procedures for doing so.
    Under section 312.4(b)(2)(vi) of the proposed Rule, the operator 
must state in the notice that parents have the right to review 
information provided by their child and make changes to and/or have the 
information deleted. In addition, the operator must describe how 
parents can do so.10
---------------------------------------------------------------------------

    \10\ See section 312.6 (Right of parent to review personal 
information provided by child.) for a more detailed discussion.
---------------------------------------------------------------------------

(c) Notice to a Parent
    Under Sec. 312.5, an operator must make reasonable efforts, taking 
into account available technology, to ensure that a parent of a child 
receives notice of an operator's practices with regard to the 
collection, use, and/or disclosure of the child's personal information, 
including any collection, use, and/or disclosure to which the parent 
has not previously consented.
    This section of the proposed Rule requires operators to make 
reasonable efforts, taking into account available technology, to 
provide direct notice to a parent whose child wants to provide personal 
information or from whose child the operator wishes to collect personal 
information. This notice will form the basis for the parent's decision 
regarding the operator's request to collect information from or about 
the child. To that end, the notice must (a) give the parent 
comprehensive information about the operator's information practices 
and policies, including informing parents of changes requiring a new 
consent; (b) lay out the parent's options with regard to consent; (c) 
describe the procedures by which the parent can provide verifiable 
consent (see section 312.5 of the proposed Rule); and (d) describe the 
parent's right to review and make changes to information provided by 
the child and lay out the procedures for doing so (see section 312.6 of 
the proposed Rule). Section 312.4(c)(1) details the information that 
must be included in the notice to the parent.
    Reasonable efforts to provide parents with notice under this 
section can include, but are not limited to, sending the notice by 
postal mail, sending the notice to the parent's e-mail address, or 
having the child print out a form to give to the parent.
    An operator must also send the parent an updated notice and request 
for consent for any collection, use, or disclosure of his or her 
child's personal information not covered by a previous consent. A new 
notice and request for consent will be required, for example, if the 
operator wishes to use the information in a manner that was not 
included in the original notice, such as disclosing it to parties not 
covered by the original consent, including parties created by a merger 
or other corporate combination involving existing operators or third 
parties.
    (1) Content of the notice to the parent.
    (i) All notices must state the following:
    (A) That the operator wishes to collect personal information from 
the child;
    (B) The information set forth in paragraph 312.4(b) of this 
section.
    (ii) In the case of a notice to obtain verifiable parental consent 
under Sec. 312.5(a), the notice must also state that the parent's 
consent is required for the collection, use, and/or disclosure of such 
information, and the means by which the parent can provide verifiable 
consent to the collection of information.
    The operator must tell the parent that the operator wishes to 
collect personal information from the child. Section 312.4(c)(1)(i) 
requires that all notices, whether pursuant to section 312.5(a) or 
312.5(c)(3), contain the information set forth in section 312.4(b). 
Section 312.4(c)(1)(ii) applies to notice pursuant to section 312.5(a), 
which requires prior verifiable parental consent. In such cases, the 
operator must inform the parent that his or her consent is required for 
the collection, use, and/or disclosure of the child's personal 
information, and that no collection, use, or disclosure will take place 
absent the parent's affirmative consent. The operator must also tell 
the parent how to provide verifiable consent or refuse to consent to 
the operator's desired collection, use, and/or disclosure of the 
child's information. See section 312.5 of the proposed Rule for further 
detail on providing parental consent.

[[Page 22756]]

    (iii) In the case of a notice under the exception in 
Sec. 312.5(c)(3), the notice must also state the following:
    (A) That the operator has collected the child's e-mail address or 
other online contact information to respond to the child's request for 
information and that the requested information will require more than 
one contact with the child;
    (B) That the parent may refuse to permit further contact with the 
child and require the deletion of the e-mail address or other online 
contact information; and
    (C) That if the parent fails to respond to the notice, the operator 
may use the information for the purpose(s) stated in the notice.
    Under section 312.4(c)(1)(iii) of the proposed Rule, if the child 
has made a direct request of the operator that would require the 
operator to make repeated contact with the child (see section 
312.5(c)(3) of the proposed Rule), the operator must tell the parent of 
the child's request, notify the parent that his or her child has 
provided the operator with an e-mail address so the operator can 
fulfill that request, and state that the parent may refuse to permit 
further contact with the child and require the operator to delete the 
child's online contact information. Because this type of contact with 
the child does not require a parent's affirmative consent, the operator 
must clearly notify the parent that, in this instance, if the parent 
fails to respond to the notice, the operator may use the information 
for the purpose(s) stated in the notice.
    (iv) In the case of a notice under the exception in 
Sec. 312.5(c)(4), the notice must also state the following:
    (A) That the operator has collected the child's name and an e-mail 
address or other online contact information to protect the safety of 
the child participating on the website or online service;
    (B) That the parent may refuse to permit the use of the information 
and require the deletion of the information; and
    (C) That if the parent fails to respond to the notice, the operator 
may use the information for the purpose stated in the notice.
    Section 312.4(c)(1)(iv) requires an operator to give a parent 
notice and an opportunity to refuse to permit the continued use of the 
information where the operator has collected the child's name and 
online contact information for purposes of providing for the safety of 
the child. (See discussion of the safety concerns in the discussion of 
Sec. 312.5(c)(4).)

Section 312.5  Parental Consent

(a) General Requirements
    (1) An operator is required to obtain verifiable parental consent 
before any collection, use, and/or disclosure of personal information 
collected from children, including any collection, use and/or 
disclosure to which the parent has not previously consented.
    (2) An operator must give the parent the option to consent to the 
collection and use of the child's personal information without 
consenting to disclosure of his or her personal information to third 
parties.
    As described in Sec. 312.3(b), the general rule is that an operator 
is required to obtain verifiable parental consent ``before'' any 
collection, use, and/or disclosure of personal information from 
children under the age of 13. As noted above, this means that an 
operator must obtain verifiable parental consent prior to using or 
disclosing any information already in its possession as of the 
effective date of the proposed Rule. Moreover, where an operator 
changes its collection, use and/or disclosure practices from that 
provided in the notice, it must obtain verifiable parental consent to 
the new practice(s) before using the personal information. See 
discussion of Section 312.4(c), above. Section (a)(2) gives parents the 
right to consent to an operator's collection and use of their 
children's information without consenting to the disclosure of that 
information to third parties. This provision ensures that operators 
will not be able to condition a child's participation in any online 
activity on obtaining parental consent to disclosure to third parties.
(b) Mechanisms for Verifiable Parental Consent
    An operator must make reasonable efforts to obtain verifiable 
parental consent, taking into consideration available technology. Any 
method to obtain verifiable parental consent must be reasonably 
calculated, in light of available technology, to ensure that the person 
providing consent is the child's parent.
    Operators may develop any number of ways to implement this 
requirement. At this time, the Commission is not prepared to commit to 
any particular method or methods, but rather, invites comments on the 
feasibility, costs, and benefits of various methods of obtaining 
parental consent. Among other possibilities, an operator could provide 
a consent form to be signed by the parent and returned to the operator 
by postal mail or facsimile, require a parent to use a credit card in 
connection with a transaction, or have a parent call a toll-free 
telephone number. Another possibility could be an e-mail accompanied by 
a valid digital signature. The Commission is also considering whether 
there are other e-mail-based mechanisms that would satisfy the Act's 
requirements--i.e., whether they could provide sufficient assurance 
that the person providing the consent is the child's parent. See 
questions ________ and ________, below.
    One way to comply with this requirement would be for portal sites, 
online services that offer their own proprietary areas, or others to 
provide a parental consent service for their content partners. In 
addition, it may be acceptable for a business to provide notice and 
consent services for individual operators. Such services must, however, 
provide adequate notice to parents about the information practices of 
the participating partners to ensure that a parent's consent to the 
sharing of their child's personal information is informed and 
meaningful.
    (c) Exceptions to prior parental consent.
    Verifiable parental consent is required prior to any collection, 
use and/or disclosure of personal information from a child except as 
set forth in this paragraph. The exceptions to prior parental consent 
are as follows:
    (1) Where the operator collects the name or online contact 
information of a parent or child to be used for the sole purpose of 
obtaining parental consent or providing notice under Sec. 312.4. If the 
operator has not obtained parental consent after a reasonable time from 
the date of the information collection, the operator must delete such 
information from its records;
    This exception permits an operator to collect the parent or child's 
name or e-mail address to provide notice and obtain parental consent. 
While section 1303(b)(2)(B) of the Act permits collection of a parent 
or child's online contact information, the Commission encourages 
operators to collect only the parent's e-mail address and the child's 
first name for purposes of this exception. (Collection of the child's 
first name should be adequate to inform the parent which child's 
information is being sought.) In many instances the child's e-mail 
address may be the same as the parent's. Nevertheless, since this 
exception is solely to enable the operator to provide parental notice 
and obtain parental consent, collection of the child's information 
would seem to be unnecessary.
    (2) Where the operator collects online contact information from a 
child for the

[[Page 22757]]

sole purpose of responding directly on a one-time basis to a specific 
request from the child, and where such information is not used to 
recontact the child and is deleted by the operator from its records;
    This exception is intended to permit operators to respond to 
specific requests from a child, such as to provide homework assistance 
or to answer questions posed by the child. A request must be specific 
in scope and should be initiated by the child. Under this exception, 
the operator responds to the child's request for information by sending 
an e-mail containing the answer or response, but does not retain the 
child's e-mail address for any further use. Operators should consider, 
however, whether frequently requested information cannot just as easily 
be posted on the website or online service, thus obviating the need for 
the collection of any online contact information in the first instance.
    (3) Where the operator collects online contact information from a 
child to be used to respond directly more than once to a specific 
request from the child, and where such information is not used to 
recontact the child beyond the scope of that request. In such case, the 
operator must make reasonable efforts, taking into consideration 
available technology, to ensure that a parent receives notice and has 
the opportunity to request that the operator make no further use of the 
information, as described in Sec. 312.4(c), immediately after the 
initial response and before making any additional response to the 
child. Mechanisms to provide such notice include, but are not limited 
to, sending the notice by postal mail or sending the notice to the 
parent's e-mail address, but do not include asking a child to print a 
notice form or sending an e-mail to the child;
    This paragraph permits an operator to respond to a child's request 
for an online newsletter, for example, or to conduct a contest 
requiring later notification of the winner. Section 1303(b)(2)(C) of 
the Act does not specify whose online contact information may be 
collected, the parent or the child's; however, because the operator 
must already collect the parent's online contact information for 
purposes of providing the parent notice under this section, the 
Commission recommends that the operator collect the parent's e-mail 
address and offer the parent the option of substituting the child's e-
mail address. Because under this paragraph a parent's silence after 
receiving notice constitutes consent to the operator's intended use, it 
is critical that the operator choose a method that ensures the parent 
receives the notice. Therefore, the proposed Rule includes examples of 
acceptable and unacceptable methods of providing notice under this 
paragraph.
    (4) Where the operator collects a child's name and online contact 
information to the extent reasonably necessary to protect the safety of 
a child participant on the website or online service, where such 
information is
    (i) Used only for the purpose of protecting the child's safety;
    (ii) Not used to recontact the child or for any other purpose;
    (iii) Not disclosed on the website or online service;

and the operator uses reasonable efforts to provide a parent notice as 
described in Sec. 312.4(c); and
    This exception is intended to permit an operator to collect limited 
personal information that is reasonably necessary to protect the safety 
of a child participating in such interactive activities as a chat room, 
message board, or e-mail service. For certain safety purposes, however, 
the Commission notes that the collection of the parent's rather than 
the child's online contact information may be sufficient. Indeed, 
parents are in the best position, for example, to intervene if a child 
is threatening another child while engaged in a chat room. The 
Commission, therefore, seeks additional guidance on this issue. See 
question 13 below.
    (5) Where the operator collects a child's name and online contact 
information to the extent reasonably necessary
    (i) To protect the security or integrity of its website or online 
service;
    (ii) To take precautions against liability;
    (iii) To respond to judicial process; or
    (iv) To the extent permitted under other provisions of law, to 
provide information to law enforcement agencies or for an investigation 
on a matter related to public safety;

and such information is used only for such purpose and is not used to 
recontact the child for any other purpose.
    This provision authorizes an operator to collect a child's name and 
online contact information without notice to the parent or parental 
consent for certain limited purposes. It is not intended to authorize 
collection of personal information on the basis of purely hypothetical 
concerns. It is contemplated that the information may be useful in 
identifying website hackers. Although not required by the Act, the 
Commission recommends that when an operator relies on this exception, 
the operator provide parents notice of the collection and use of such 
information as described in section 312.4(c) of the proposed Rule.
    Certain exceptions specifically require that the personal 
information be deleted following the fulfillment of the purpose for 
which it was collected. (See Secs. 1303(b)(2)(A) and (b)(2)(B) of the 
Act and paragraphs (c)(1) and (c)(2) of this section of the proposed 
Rule.) For those exceptions that do not require deletion, the 
Commission recommends that operators delete the information 
voluntarily. This will reduce the risk of unauthorized access, use, or 
disclosure of personal information that was collected without prior 
parental consent.

Section 312.6.  Right of Parent to Review Personal Information Provided 
by Child.

    (a) Upon request of a parent whose child has provided personal 
information to a website or online service, and upon proper 
identification of that parent, the operator of that website or online 
service is required to provide to that parent the following:
    (1) A description of the specific types or categories of personal 
information collected from the child by the operator, such as name, 
address, telephone number, e-mail address, hobbies, and extracurricular 
activities;
    (2) The opportunity at any time to refuse to permit the operator's 
further use or collection of personal information from that child, and 
to direct the operator to delete the child's personal information; and
    (3) Notwithstanding any other provision of law, a means of 
reviewing and making changes to any personal information collected from 
the child. The means employed by the operator to carry out this 
provision must:
    (i) Ensure that the requestor is a parent of that child, taking 
into account available technology; and
    (ii) Not be unduly burdensome to the parent.
    (b) Neither an operator nor the operator's agent shall be held 
liable under any Federal or State law for any disclosure made in good 
faith and following reasonable procedures in responding to a request 
for disclosure of personal information under this section.
    This provision of the Rule describes how operators can comply with 
the Act's requirement that they allow parents to review, make changes 
to, or have deleted any information provided by their child. The Act 
allows a two-tiered approach to parental review. First, upon request of 
a properly-identified parent, the operator must tell the parent what 
types of information

[[Page 22758]]

have been collected by the child, for example, ``Your child has given 
us his name, address, e-mail address, and a list of his favorite 
computer games.'' Section 312.6(a)(1). Subsequently, if the parent 
wishes to review the specific information provided by his child, the 
operator must provide a means for doing so that ensures that the person 
requesting the information is the parent, but not unduly burdensome to 
the parent, under section 312.6(a)(3).11 In addition, the 
parent may, at any time, direct the operator to delete any or all of 
the child's information in the operator's files, refuse to permit the 
operator to continue to use that information, or prohibit the operator 
from collecting any further information in the future. Section 
312.6(a)(2).12
---------------------------------------------------------------------------

    \11\ Operators are free to skip the first step (description of 
the types of information provided by the child) and simply allow 
parents to review the specific information provided by the child 
under section 312.6(a)(3).
    \12\ Section 312.6 is not intended to require operators to keep 
databases of personal information collected from children even after 
the consented-to uses have been discontinued--for example, because 
the parent may someday request it. If a parent asks to review his or 
her child's information after the operator has deleted it, the 
operator can reply that it has no information on that child.
---------------------------------------------------------------------------

    Because compliance with section 312.6(a)(3) of this Rule requires 
operators to release personal information collected from children, it 
is critical that operators use a system for checking identification 
that reasonably ensures that the person requesting the information is, 
in fact, a parent of that child.13 The identification method 
chosen by the operator should not be so burdensome that parents 
effectively cannot exercise their rights under this provision, i.e., 
requiring parents to come to its office headquarters to show proof of 
parentage.
---------------------------------------------------------------------------

    \13\ As a practical matter, it may be acceptable for an operator 
to use a less stringent identification requirement when giving out 
the types of information collected from the child under section 
312.6(a)(1).
---------------------------------------------------------------------------

    A number of methods can be used to check identity that provide a 
degree of certainty without unduly burdening either the operator or the 
parent. For example, the operator may require a copy of the parent's 
driver's license showing that the parent and child live at the same 
address. In addition, an operator could devise a password system in 
conjunction with its procedure for obtaining verifiable parental 
consent that could serve as an aid in identification. By contrast, 
simply providing a toll-free telephone number for parents to call and 
request information would not be sufficient to ensure that a caller is 
actually the child's parent.14 Operators who disclose the 
information to parents in good faith and follow reasonable procedures 
in responding to a request for disclosure will be exempt from liability 
under any Federal or State laws.
---------------------------------------------------------------------------

    \14\ There may be ways to utilize toll-free telephone numbers 
that would be sufficient to ensure that the requestor is a parent of 
the child. For example, a reasonable procedure might involve giving 
the parent the toll-free telephone number and a password unique to 
that parent after the operator receives the parent's verifiable 
consent.
---------------------------------------------------------------------------

    (c) Subject to the limitations set forth in Sec. 312.7, an operator 
may terminate any service provided to a child whose parent has refused, 
under paragraph (a)(2) of this section, to permit the operator's 
further use or collection of personal information from his or her child 
or has directed the operator to delete the child's personal 
information.
    Section 312.7 prohibits operators from conditioning a child's 
participation in a game, the offering of a prize, or another activity 
on the child disclosing more personal information than is reasonably 
necessary to participate in the activity. See infra. The corollary to 
that prohibition is that operators may terminate a child's access to or 
participation in those activities or services when a parent who has 
consented to the information collection subsequently requires the 
operator to delete the information that was necessary for the child to 
participate. For example, an operator requires children to provide an 
e-mail address to participate in a chat room so that the operator can 
contact the child if the child is misbehaving in the chat room. After 
giving consent, a parent changes her mind and requires the operator to 
delete her child's information. The operator may refuse to allow the 
child to participate in the chat room in the future. If, however, there 
are other activities or services on the operator's website that do not 
require that information, then the operator must allow the child to 
have access to those activities or services.

Section 312.7.  Prohibition Against Conditioning a Child's 
Participation on Collection of Personal Information.

    An operator is prohibited from conditioning a child's participation 
in a game, the offering of a prize, or another activity on the child's 
disclosing more personal information than is reasonably necessary to 
participate in such activity.
    The purpose of this section is to encourage a child's access to 
activities, but to prevent operators from tying collection of personal 
information to such popular and persuasive incentives as prizes or 
games. The proposed rule authorizes operators to condition 
participation on the collection of only such personal information as is 
reasonably necessary to conduct an activity--for example, collection of 
an e-mail address for purposes of awarding a prize to a contest winner. 
The operator, however, must always obtain verifiable parental consent 
to the collection of any personal information from the child, even if 
it is reasonably necessary to participate in an activity, unless one of 
the exceptions to prior parental consent defined in section 312.5(c) of 
the proposed Rule applies.
    Section 312.7 of the proposed Rule precludes, for example, an 
operator from requiring a child to provide personal information for the 
purpose of registering merely to access the website or online service 
if such personal information is not reasonably necessary to engage in 
its activities.

Section 312.8  Confidentiality, Security, and Integrity of Personal 
Information Collected From Children

    The operator must establish and maintain reasonable procedures to 
protect the confidentiality, security, and integrity of personal 
information collected from children.
    Operators must have adequate procedures for protecting personal 
information, including policies and standards to protect children's 
personal information from loss, misuse, unauthorized access, or 
disclosure. Such protections may include the following: designating an 
individual in the organization to be responsible for maintaining and 
monitoring the security of the information; requiring passwords to 
access the personal information; creating firewalls; utilizing 
encryption; implementing access control procedures in addition to 
passwords; implementing devices and procedures to protect the physical 
security of the data processing equipment; storing the personal 
information collected online on a secure server that is not accessible 
from the Internet; installing security cameras and intrusion-detection 
software to monitor who is accessing the personal information; and 
installing authentication software to determine whether a user is 
authorized to enter through a firewall. In addition, effective security 
implementation requires a clear statement of employee responsibilities 
and sanctions, as well as employee training to ensure that privacy and 
security policies are implemented effectively.
    The Commission encourages operators to establish reasonable 
procedures for the destruction of personal information once it is no

[[Page 22759]]

longer necessary for the fulfillment of the purpose for which it was 
collected. Timely elimination of data is the ultimate protection 
against misuse or unauthorized disclosure.

Section 312.9  Enforcement

    Subject to sections 1304 and 1306 of the Children's Online Privacy 
Protection Act of 1998, a violation of a regulation prescribed under 
section 1303 of this Act shall be treated as a violation of a rule 
defining an unfair or deceptive act or practice prescribed under 
section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).

Section 312.10  Safe Harbors

(a) In General
    An operator will be deemed to be in compliance with the 
requirements of this Rule if that operator complies with self-
regulatory guidelines, issued by representatives of the marketing or 
online industries, or by other persons, that, after notice and comment, 
are approved by the Commission.
    As an incentive for industry self-regulation, and to ensure that 
the protections afforded children under this proposed Rule are 
implemented in a manner that takes into account industry-specific 
concerns and technological developments, this section of the proposed 
Rule provides that an operator's compliance with Commission-approved 
self-regulatory guidelines serves as a safe harbor in any enforcement 
action for violations of this Rule. To receive safe harbor treatment, 
an operator can comply with any Commission-approved guidelines that 
meet all the criteria set forth in section 312.10(b). The operator need 
not independently apply for approval, if in fact the operator is fully 
complying with guidelines already approved by the Commission, which are 
applicable to the operator's business. (See the discussion of section 
312.10(b), below.)
    In an enforcement action, the Commission has the burden of proving 
non-compliance with the proposed Rule's requirements. The standards 
enunciated in the proposed Rule thus remain the benchmark against which 
industry's conduct will ultimately be judged. Compliance with approved 
guidelines, however, will serve as a safe harbor in any enforcement 
action under the proposed rule. That is, if an operator can show full 
compliance with approved guidelines, the operator will be deemed in 
compliance with the proposed Rule. The Commission retains discretion to 
pursue enforcement under the Rule if approval of the guidelines was 
obtained based upon incomplete or inaccurate factual representations or 
if there was a substantial change in circumstances.
(b) Criteria for Approval of Self-Regulatory Guidelines
    To be approved by the Commission, guidelines must include the 
following:
    (1) A requirement that operators subject to the guidelines 
(``subject operators'') implement the protections afforded children 
under this Rule;
    (2) An effective, mandatory mechanism for the independent 
assessment of subject operators' compliance with the guidelines. This 
requirement may be satisfied by:
    (i) Periodic reviews of subject operators' information practices 
conducted on a random basis either by the industry group promulgating 
the guidelines or by an independent entity;
    (ii) Periodic reviews of all subject operators' information 
practices, conducted either by the industry group promulgating the 
guidelines or by an independent entity; or
    (iii) Seeding of subject operators' databases, if accompanied by 
either (i) or (ii); and
    (3) Effective incentives for subject operators' compliance with the 
guidelines. This requirement may be satisfied by:
    (i) Mandatory, public reporting of disciplinary action taken 
against subject operators by the industry group promulgating the 
guidelines;
    (ii) Consumer redress;
    (iii) Voluntary payments to the United States Treasury in 
connection with an industry-directed program for violators of the 
guidelines; or
    (iv) Referral to the Commission of operators who engage in a 
pattern or practice of violating the guidelines.
    The assessment mechanism required under paragraph (b)(2) of this 
section can be provided by an independent enforcement program, such as 
a seal program. In considering whether to initiate an investigation or 
to bring an enforcement action for violations of this Rule, and in 
considering appropriate remedies for such violations, the Commission 
will take into account whether an operator has been subject to self-
regulatory guidelines approved under this section and whether the 
operator has taken remedial action pursuant to such guidelines, 
including but not limited to actions set forth in paragraphs (b)(3)(i) 
through (iii) of this section.
    Section 312.10(b) of the proposed Rule sets out the criteria that 
self-regulatory guidelines must meet in order to be approved by the 
Commission. Under section 312.10(b)(1), guidelines must require 
implementation of the requirements of this Rule. Sections 312.10(b)(2)-
(3), which require that guidelines include independent assessment 
mechanisms and incentives for compliance, are intended to permit 
maximum flexibility, consistent with the protections afforded children 
under the proposed Rule. For this reason, each sets out a mandatory 
performance standard and suggested means of meeting that standard. 
Promulgators of guidelines are thus free to use their particular 
expertise to craft guidelines that meet the performance standards while 
taking into account industry-specific concerns and technological 
developments.
    Where guidelines are drafted to be industry-specific, they must 
define the nature of the businesses to which they apply. An operator 
can rely on a particular set of guidelines only if it meets the 
guidelines' definition of applicable businesses.
    In making its determination as to whether to approve submitted 
guidelines, the Commission will review all elements of those 
guidelines, including assessment mechanisms, in light of the particular 
characteristics of the industry or sector that the guidelines are 
intended to govern.15
---------------------------------------------------------------------------

    \15\ The Commission will also consider any possible anti-
competitive misuse of self-regulatory guidelines.
---------------------------------------------------------------------------

    Section 312.10(b) clarifies that industry groups, or others, who 
create self-regulatory guidelines may contract with an independent 
entity, such as a seal program, to implement the assessment mechanism 
requirement. Under the performance standard enunciated in section 
312.10(b)(2), assessment mechanisms must not be based solely on self-
assessment by subject operators.
(c) Request for Commission Approval of Self-Regulatory Guidelines
    (1) To obtain Commission approval of self-regulatory guidelines, 
industry groups or other persons must file a request for approval. A 
request shall be accompanied by the following:
    (i) A copy of the full text of the guidelines for which approval is 
sought and any accompanying commentary;
    (ii) A comparison of each provision of Sec. 312.3 through 
Sec. 312.9 with the corresponding provisions of the guidelines; and
    (iii) A statement explaining:
    (A) How the guidelines, including the applicable assessment 
mechanism, meet the requirements of this Rule; and
    (B) How the assessment mechanism and compliance incentives required

[[Page 22760]]

under paragraphs (b)(2) and (3) of this section provide effective 
enforcement of the requirements of this Rule.
    (2) The Commission shall act upon a request under this section 
within 180 days of the filing of such request and shall set forth its 
conclusions in writing.
    Section 312.10(c) of the proposed Rule requires that persons 
requesting Commission approval of self-regulatory guidelines submit, in 
addition to the guidelines and any attendant commentary, documentation 
supporting the proposition that the guidelines meet the requirements of 
this Rule. The 180-day period for the Commission to review and approve 
or reject any request will not begin until all of the documents 
required under section 312.10(c) have been submitted. If a request is 
denied and resubmitted, the 180-day period will run from the date of 
the resubmission.
    An original and six paper copies of the request and supporting 
materials should be submitted to the Secretary, Federal Trade 
Commission, Room 159, 600 Pennsylvania Avenue, NW, Washington, D.C. 
20580. To enable prompt review and accessibility to the public, the 
request and supporting materials should also be submitted, if possible, 
in electronic form, on either one 51/4 or one 31/2 inch computer disk 
with a label stating the name of the person filing the request and the 
name and version of the word processing program used. (Programs based 
on DOS or Windows are preferred. Files from other operating systems 
should be submitted in ASCII text format.)
    Following initial review of a request under this section, the 
Commission will publish a notice of the filing of the request both in 
the Federal Register and on its website at <www.ftc.gov>, and will make 
a copy of the request available for examination by interested persons 
during business hours at the Federal Trade Commission, Public Reference 
Room, Room 130, 600 Pennsylvania Avenue, NW, Washington, D.C. 200580. A 
period of time will be allowed for interested parties to submit written 
comments to the Commission regarding the request.
    If the Commission determines that the guidelines submitted meet the 
requirements of the proposed Rule, the Commission will approve the 
guidelines and publish a notice of the approval both in the Federal 
Register and on its website at <www.ftc.gov>. The Commission will 
furnish a copy of the notice to the person who filed the request. The 
approval will become effective 45 days from its publication in the 
Federal Register and on the Commission's website.
    If the Commission determines that it cannot approve the guidelines, 
the Commission will notify the persons who filed the request of the 
facts upon which its findings are based and will afford those persons a 
reasonable opportunity to resubmit their request. If, after reviewing 
the resubmitted request, the Commission finds that it still cannot make 
a favorable determination, the Commission will publish a notice of its 
determination both in the Federal Register and on its website at 
<www.ftc.gov>, and will furnish a copy of the notice to the persons who 
filed the request.
    Under section 1304(c) of the Children's Online Privacy Protection 
Act, final action by the Commission on a request for approval of self-
regulatory guidelines, or the Commission's failure to act within 180 
days of the filing of such request, may be appealed to a district court 
of the United States of appropriate jurisdiction as provided for in 
section 706 of title 5, United States Code.16
---------------------------------------------------------------------------

    \16\ Section 1304(c), Omnibus Consolidated and Emergency 
Supplemental Appropriations Act, 1999, Pub. L. 105-277, 112 Stat. 
2681, ________, ________ U.S.C. ________, ________ (October 21, 
1998).
---------------------------------------------------------------------------

(d) Records
    Industry groups or other persons who seek safe harbor treatment by 
compliance with guidelines that have been approved under this Rule 
shall maintain and upon request make available to the Commission for 
inspection and copying
    (1) Consumer complaints alleging violations of the guidelines by 
subject operators, for a period not less than three years following 
receipt of such complaints;
    (2) Records of disciplinary actions taken against subject 
operators; and
    (3) Results of the independent assessments of subject operators' 
compliance required under paragraph (b)(2) of this section.
(e) Revocation of Approval
    The Commission reserves the right to revoke any approval granted 
under this section if at any time it determines that the approved self-
regulatory guidelines and their implementation do not, in fact, meet 
the requirements of this Rule.
    Before revoking any approval of self-regulatory guidelines, the 
Commission will notify the persons filing the request for approval, or 
their designees, of the facts or conduct that, in the Commission's 
opinion, warrant such revocation, and will afford those persons such 
opportunity as the Commission deems appropriate in the circumstances to 
demonstrate that the guidelines and their implementation comply with 
the proposed Rule.
    If, after considering all of the facts, the Commission determines 
that the guidelines or their implementation do not comply with the 
proposed Rule, the Commission will publish a notice of its intention to 
revoke approval of the guidelines both in the Federal Register and on 
its website at <www.ftc.gov>. A period of time will be allowed for 
interested persons to submit written comments to the Commission 
regarding the intention to revoke approval.
    If the Commission revokes its approval of the guidelines, it will 
publish notice of the revocation both in the Federal Register and on 
its website at <www.ftc.gov>, and a copy of such notice will be 
furnished to the persons who filed the request, or their designees. The 
revocation will become effective 45 days from its publication in the 
Federal Register and on the Commission's website.

Section 312.11  Rulemaking Review

    No later than five years after the effective date of this Rule, the 
Commission shall initiate a rulemaking review proceeding to evaluate 
the implementation of this rule, including the effect of the 
implementation of this Rule on practices relating to the collection and 
disclosure of information relating to children, children's ability to 
obtain access to information of their choice online, and on the 
availability of websites directed to children; and report to Congress 
on the results of this review.

Section 312.12  Severability

    The provisions of this Rule are separate and severable from one 
another. If any provision is stayed or determined to be invalid, it is 
the Commission's intention that the remaining provisions shall continue 
in effect.

Section C. Invitation to Comment

    Before adopting this rule as final, the Commission will give 
consideration to any written comments submitted to the Secretary of the 
Commission on or before June 11, 1999. Comments submitted will be 
available for public inspection in accordance with the Freedom of 
Information Act (5 U.S.C. 552) and Commission regulations, on normal 
business days between the hours of 8:30 a.m. and 5 p.m. at the Public 
Reference Section, Room 130, Federal Trade Commission, 600 Pennsylvania 
Avenue NW., Washington, DC 20580. Comments will also be posted on the 
Commission website, <www.ftc.gov>.

[[Page 22761]]

Section D. Communications by Outside Parties to Commissioners or 
Their Advisors

    Written communications and summaries or transcripts of oral 
communications respecting the merits of this proceeding from any 
outside party to any Commissioner or Commissioner's advisor will be 
placed on the public record. See 16 CFR 1.26(b)(5) (1998).

Section F. Regulatory Flexibility Act

    The provision of the Regulatory Flexibility Act requiring an 
initial regulatory flexibility analysis (5 U.S.C. 603) does not apply 
because it is believed that the Rule will not have a significant 
economic impact on a substantial number of small entities (5 U.S.C. 
605). This notice also serves as certification to the Small Business 
Administration of that determination.
    The Rule's requirements are expressly mandated by the Children's 
Online Privacy Protection Act of 1998.17 Thus, the economic 
impact of the Rule itself is not anticipated to be significant, since 
any additional costs of complying with the Rule, beyond those imposed 
by the statute or otherwise likely to be incurred in the ordinary 
course of business, are expected to be comparatively minimal. Where the 
Act permits, the regulations have been drafted so as to permit maximum 
flexibility in the way that affected firms achieve the goals of the 
Act. In any event, the costs borne by all firms, including small 
businesses, appear unavoidable under the terms of the Act.
---------------------------------------------------------------------------

    \17\ Supra note 1.
---------------------------------------------------------------------------

    Nonetheless, to ensure that no significant economic impact on a 
substantial number of small entities is overlooked, the Commission 
hereby requests public comment on the effect of the proposed Rule on 
the costs, profitability, and competitiveness of, and employment in, 
small entities. After considering such comments, if any, the Commission 
will determine whether preparation of a final regulatory flexibility 
analysis (pursuant to 5 U.S.C. 604) is required.

Section G. Paperwork Reduction Act

    Pursuant to the Paperwork Reduction Act (PRA) (as amended 44 U.S.C. 
3507(d)), the Commission has submitted the proposed Children's Online 
Privacy Protection Rule to the Office of Management and Budget for its 
review. The Children's Online Privacy Protection Act mandates specific 
disclosure requirements relating to the collection of personal 
information from children. Specifically, the Act requires that 
operators subject to this Act provide notice to parents.18 
Based upon survey data,19 informal discussions with industry 
members, and public information, the Commission has estimated for 
purposes of the PRA the burden-hour on operators subject to this rule, 
both individually and as an industry, to provide notice to parents. To 
the extent that the proposed rule's notice requirements are expressly 
mandated by the Act, the Commission has adopted a performance standard 
suggested by the Act to provide flexibility in implementing the 
requirements.
---------------------------------------------------------------------------

    \18\ The sections of the proposed Rule that refer to notice are 
Secs. 312.3(a), 312.4, 312.5(c), and 312.6(a). These sections 
implement Secs. 1302(9), 1303 (b)(1)(A)(i), (b)(2)(B), 
(b)(2)(C)((i), and (b)(2)(D)(iii) of the Act.
    \19\ Federal Trade Commission, Privacy Online: A Report to 
Congress, June 1998.
---------------------------------------------------------------------------

    Because the online marketplace is a very new industry, costs for 
providing privacy protection have not been gathered to date. 
Nevertheless, we have attempted to estimate costs associated with 
providing notice for purposes of the PRA. In particular, the Commission 
seeks comments on how to minimize the burden of the notice requirement 
through the use of appropriate automated, electronic, mechanical, or 
other technological mechanisms.
    The estimate of the burden imposed by the notice requirement is 
divided into first year start-up costs and subsequent year costs. For 
purposes of providing notice, the estimated cost for 300 websites 
directed to children, at 60 hours per site (the estimated time needed 
to develop the privacy policy, post it on the website and design a 
mechanism to provide the notice, e.g., an e-mail program), represents a 
total burden of 18,000 hours for the first year. Subsequent years would 
be much less, since the start-up costs, such as crafting a privacy 
policy and posting it online, are generally one-time costs. We estimate 
the burden-hour in subsequent years would be about 1800 hours to cover 
the cost of new children's sites coming into the marketplace and 
providing notice to parents.

Section H. Effective Date

    The Children's Online Privacy Protection Act directs the Commission 
to ``promulgate'' regulations within one year of its enactment. An 
effective date for these rules will be announced by the Commission when 
it publishes these regulations in final form.

Section I. Questions on the Proposed Rule

    The Commission is seeking comment on various aspects of the 
proposed Rule, and is particularly interested in receiving comment on 
the questions that follow. These questions are designed to assist the 
public and should not be construed as a limitation on the issues on 
which public comment may be submitted. Responses to these questions 
should cite the numbers and subsection of the questions being answered. 
For all comments submitted, please submit any relevant data, 
statistics, or any other evidence, upon which those comments are based.

General Question

    1. Please provide comment on any or all of the provisions in the 
proposed Rule. For each provision commented on please describe (a) the 
impact of the provision(s) (including any benefits and costs), if any, 
and (b) what alternatives, if any, the Commission should consider, as 
well as the costs and benefits of those alternatives.

Definitions

    2. Section 312.2 defines ``Internet.'' Is this definition 
sufficiently flexible to account for changes in technology? If not, how 
should it be revised?
    3. Section 312.2 defines ``operator.''
    (a) Is this definition sufficiently clear to provide notice as to 
who is covered by the Rule?
    (b) What is the impact of defining the term in this way?
    4. Section 312.2 defines ``personal information,'' in part, to 
include a persistent identifier, such as a customer number held in a 
cookie, or a processor serial number, where such identifier is 
associated with personal identifying information; an instant messaging 
user identifier; a screen name that reveals an individual's e-mail 
address; or a combination of a last name with other information such 
that the combination permits physical or online contacting. Are there 
additional identifiers that the Commission should consider adding to 
this list?

Notice

    5. Section 312.4(b) lists an operator's obligations with respect to 
the online placement of the notice of its information practices.
    (a) Are there other effective ways of placing notices that should 
be included in the proposed rule?
    (b) How can operators make their links to privacy policies 
informative for parents and children?
    6. Section 312.4(b)(2)(i) requires the notice on the website or 
online service

[[Page 22762]]

to state the name, address, phone number, and e-mail address of all 
operators collecting personal information through the website. Where 
there are multiple operators collecting personal information through 
the website, are there other efficient means of providing information 
about the operators that the Commission should consider?
    7. Section 312.4(b)(2)(iv) requires an operator to state whether 
the third parties to whom it discloses personal information have agreed 
to maintain the confidentiality, security, and integrity of that 
information. How much detail should an operator be required to disclose 
about third parties' information practices?
    8. Section 312.4(b)(2)(vi) requires an operator's notice to state 
that the parent has the right to review personal information provided 
by his or her child and to make changes to and/or have that information 
deleted, and to describe how the parent can do so. Is this information 
needed in the notice on the website or online service, or should it be 
included only in the notice provided directly to the parent under 
section 312.4(c)?
    9. Section 312.4(c) lists several methods an operator may employ to 
provide direct notice to a parent whose child wants to provide personal 
information or from whose child the operator wishes to collect personal 
information. Are there other, equally effective methods of providing 
notice to parents that the Commission should consider?
    10. Section 312.4(c)(1) details the information that must be 
included in the notice to the parent.
    (a) What, if any, of this information is unnecessary?
    (b) What, if any, other information should be included in the 
notice to the parent?
    11. Section 312.5 requires the operator to send a new notice and 
request for consent to parents in certain circumstances. The proposal 
covers instances where the operator wishes to use the information in a 
manner that was not included in the original notice, such as disclosing 
it to parties not covered by the original consent, including parties 
created by a merger or other corporate combination involving existing 
operators or third parties.
    (a) Does this formulation sufficiently protect children's privacy 
given the high merger activity in this industry?
    (b) Is this formulation more burdensome than necessary to protect 
those interests?
    (c) Is there an alternative formulation that would sufficiently 
protect children's privacy without unnecessarily burdening operators?

Parental Consent

    12. Section 312.5(a)(2) requires operators to give the parent the 
opportunity to consent to the collection and use of the child's 
personal information without consenting to the disclosure of that 
information to third parties. Should the rule also require that the 
parent be given the option to refuse to consent to different internal 
uses of the child's personal information by the operator?
    13. The commentary on section 312.5(b) identifies a number of 
methods an operator might use to obtain verifiable parental consent.
    (a) Are the methods listed in the commentary easy to implement?
    (b) What are the costs and benefits of using the methods listed?
    (c) Are there studies or other sources of data showing the 
feasibility, costs, and/or benefits of the methods listed?
    (d) Are there existing methods, or methods in development, to 
adequately verify consent using an e-mail-based mechanism?
    (e) What are the costs and benefits of obtaining consent using an 
e-mail-based mechanism?
    (f) To what extent is digital signature technology in use now? Are 
there obstacles to the general commercial availability or use of 
digital signature technology?
    (g) What, if any, other methods of obtaining consent should the 
Commission consider? Please describe how those methods work, their 
effectiveness, feasibility, costs and/or benefits, and, if still in 
development, when they will be available.
    14. With respect to methods of obtaining verifiable parental 
consent, should the Commission allow greater flexibility in mechanisms 
used to obtain verifiable parental consent in cases where the operator 
does not disclose children's personal information to third parties or 
enables a child to make such information publicly available through, 
for example, a chat room or bulletin board?
    15. Are there any studies or other sources of data regarding the 
ease or frequency with which children can fabricate parental consent 
using any of the methods discussed in the proposed Rule?
    16. Would additional research regarding children's behavior in the 
online environment be useful in assessing the appropriateness of 
various parental consent mechanisms?
    17. Section 312.5(c)(1) allows an exception to prior parental 
consent where an operator collects the name or online contact 
information of a parent or child to be used for the sole purpose of 
obtaining parental consent or providing notice under this rule. Under 
this exception, if an operator has not obtained parental consent after 
a ``reasonable time'' from the date of the information collection, the 
operator must delete the information from its records.
    (a) What is a ``reasonable time'' for purposes of this requirement? 
On what is this estimate of a ``reasonable time'' based?
    (b) Alternatively, should an operator be required to maintain a 
``do-not-contact'' list so as to avoid sending multiple requests for 
consent to a parent who has previously refused to consent? What are the 
costs and benefits of such a ``do-not-contact'' list?
    18. Section 1303(b)(2)(B) of the Children's Online Privacy 
Protection Act and Section 312.5(c)(1) of the proposed Rule allow an 
operator to collect the name or online contact information of a parent 
or child solely for the purpose of obtaining parental consent or 
providing notice. Are there circumstances that would necessitate 
collection of the child's online contact information rather than the 
parent's?
    19. Section 312.5(c)(4) allows an exception to prior parental 
consent where an operator collects information from a child in order to 
protect the safety of a child participant on its site. What specific 
circumstances should trigger this exception?
    20. Section 312.5(c)(5) allows an exception to prior parental 
consent where an operator collects information from a child for certain 
limited purposes. To what extent is a child's name or e-mail address 
necessary:
    (a) To protect the security of the website;
    (b) To aid in the judicial process; or
    (c) To aid in law enforcement?
    21. Section 1303(b)(2)(C)(ii) of the Children's Online Privacy 
Protection Act authorizes the Commission to allow other exceptions to 
prior parental consent in this rule ``in such circumstances as the 
Commission may determine are appropriate, taking into consideration the 
benefits to the child of access to information and services, and risks 
to the security and privacy of the child.'' What other circumstances 
might merit such an exception? What are the risks and benefits of 
creating such an exception?

Right of Parent to Review Personal Information Provided by Child

    22. Section 312.6 gives a parent whose child has provided personal

[[Page 22763]]

information to a website the right, upon proper identification of that 
parent, to review the personal information provided by the child. The 
commentary on this section lists several methods an operator may employ 
to obtain proper identification of a parent.
    (a) Are there any other methods of identification that the 
Commission should consider?
    (b) In particular, are there other methods that could constitute 
proper identification in non-traditional family situations (e.g., where 
the child and parent do not live at the same address or where someone 
other than a parent is the legal guardian)?
    (c) Are there any technological advances under development that may 
ease the process of obtaining proper identification of a parent?

Prohibition Against Conditioning a Child's Participation on Collection 
of Personal Information

    23. Section 312.7 prohibits operators from conditioning a child's 
participation in a game, the offering of a prize, or another activity 
on the child's disclosing more personal information than is reasonably 
necessary to participate in such activity. What kinds of information do 
sites collect as a condition of allowing a child to participate in a 
game, contest, chat room, or other online activity?

Confidentiality, Security and Integrity of Personal Information 
Collected From Children

    24. Section 312.8 requires operators to establish and maintain 
reasonable procedures to protect the confidentiality, security, and 
integrity of personal information collected from children.
    (a) What practices are commonly used to maintain the safety and 
confidentiality of data collected online?
    (b) What practices provide the strongest protection?
    (c) How much does it cost to implement such practices?

Safe Harbor

    25. Section 312.10(b)(2) requires that, in order to be approved by 
the Commission, self-regulatory guidelines include an effective, 
mandatory mechanism for the independent assessment of subject 
operators' compliance with the guidelines. Section 312.10(b)(2) lists 
several examples of such mechanisms. What other mechanisms exist that 
would provide similarly effective and independent compliance 
assessment?
    26. Section 312.10(b)(3) requires that, in order to be approved by 
the Commission, self-regulatory guidelines include effective incentives 
for compliance with the guidelines. Section 312.10(b)(3) lists several 
examples of such incentives. What other incentives exist that would be 
similarly effective?
    27. Section 1304(b)(1) of the Children's Online Privacy Protection 
Act requires the Commission to provide incentives for self-regulation 
by operators to implement the protections afforded children under the 
Act. The safe harbor provisions of section 312.10 of the proposed rule 
are one such incentive. What other incentives should the Commission 
consider?

Paperwork Reduction Act

    28. The Commission solicits comments on the notice requirements of 
the proposed Rule to the extent that they constitute ``collections of 
information'' within the meaning of the Paperwork Reduction Act. The 
Commission requests comments that will enable it to:
    (a) Evaluate whether the proposed collections of information are 
necessary for the proper performance of the functions of the agency, 
including whether the information will have practical utility;
    (b) Evaluate the accuracy of the agency's estimate of the burden of 
the proposed collections of information, including the validity of the 
methodology and assumptions used;
    (c) Enhance the quality, utility, and clarity of the information to 
be collected; and
    (d) Minimize the burden of the collections of information on those 
who must comply, including through the use of appropriate automated, 
electronic, mechanical, or other technological collection techniques or 
other forms of information technology.

Section J. Proposed Rule

List of Subjects in 16 CFR Part 312

    Children, Communications, Consumer protection, Electronic mail, E-
mail, Internet, Online service, Privacy, Record retention, Safety, 
Science and technology, Trade practices, Website, Youth.

    Accordingly, the Federal Trade Commission proposes to amend 16 CFR 
chapter I by adding a new Part 312 to read as follows:

PART 312--CHILDREN'S ONLINE PRIVACY PROTECTION RULE

Sec.
312.1  Scope of regulations in this part.
312.2  Definitions.
312.3  Regulation of unfair and deceptive acts and practices in 
connection with the collection, use, and/or disclosure of personal 
information from and about children on the Internet.
312.4  Notice.
312.5  Parental consent.
312.6  Right of parent to review personal information provided by a 
child.
312.7  Prohibition against conditioning a child's participation on 
collection of personal information.
312.8  Confidentiality, security, and integrity of personal 
information collected from children.
312.9  Enforcement.
312.10  Safe harbors.
311.11  Rulemaking review.
312.12  Severability.

    Authority: Secs. 1301-1308, Pub. L. 105-277, 112 Stat. 2681.


Sec. 312.1  Scope of regulations in this part.

    This part implements the Children's Online Privacy Protection Act 
of 1998, [to be codified at 15 U.S.C. ________, et seq.,] which 
prohibits unfair and deceptive acts and practices in connection with 
the collection, use, and/or disclosure of personal information from and 
about children on the Internet.


Sec. 312.2  Definitions.

    Child means an individual under the age of 13.
    Collects or collection means the direct or passive gathering of any 
personal information from a child by any means, including but not 
limited to:
    (a) Any online request for personal information by the operator 
regardless of how that personal information is transmitted to the 
operator;
    (b) Collection using a chat room, message board, or other public 
posting of such information on a website or online service; or
    (c) Passive tracking or use of any identifying code linked to an 
individual, such as a cookie.
    Commission means the Federal Trade Commission.
    Delete means to remove personal information such that it is not 
maintained in retrievable form and cannot be retrieved in the normal 
course of business.
    Disclosure means, with respect to personal information:
    (a) The release of personal information collected from a child in 
identifiable form by an operator for any purpose, except where an 
operator provides such information to a person who provides support for 
the internal operations of the website or online service and who does 
not disclose or use that information for any other purpose, where:
    (1) Release of personal information means the sharing, selling, 
renting, or

[[Page 22764]]

any other means of providing personal information to any third party, 
and
    (2) Support for the internal operations of the website or online 
service means those activities necessary to maintain the technical 
functioning of the website or online service, or to fulfill a request 
of a child as permitted by Sec. 312.5(c)(2) and (3); and
    (b) Making personal information collected from a child by an 
operator publicly available in identifiable form, by any means, 
including by a public posting through the Internet, or through a 
personal home page posted on a website or online service; a pen pal 
service; an electronic mail service; a message board; a chat room; or 
any other means that would enable a child to reveal personal 
information to others online.
    Federal agency means an agency, as that term is defined in Section 
551(1) of title 5, United States Code.
    Internet means collectively the myriad of computer and 
telecommunications facilities, including equipment and operating 
software, which comprise the interconnected world-wide network of 
networks that employ the Transmission Control Protocol/Internet 
Protocol, or any predecessor or successor protocols to such protocol, 
to communicate information of all kinds by wire, radio, or other 
methods of transmission.
    Online contact information means an e-mail address or any other 
substantially similar identifier that permits direct contact with a 
person online.
    Operator means any person who operates a website located on the 
Internet or an online service and who collects or maintains personal 
information from or about the users of or visitors to such website or 
online service, or on whose behalf such information is collected or 
maintained, where such website or online service is operated for 
commercial purposes, including any person offering products or services 
for sale through that website or online service, involving commerce:
    (a) Among the several States or with 1 or more foreign nations;
    (b) In any territory of the United States or in the District of 
Columbia, or between any such territory, and
    (1) Another such territory, or
    (2) Any State or foreign nation; or
    (c) Between the District of Columbia and any State, territory, or 
foreign nation. This definition does not include any nonprofit entity 
that would otherwise be exempt from coverage under section 5 of the 
Federal Trade Commission Act (15 U.S.C. 45).
    Parent includes a legal guardian.
    Person means any individual, partnership, corporation, trust, 
estate, cooperative, association, or other entity.
    Personal information means individually identifiable information 
about an individual collected online, including:
    (a) A first and last name;
    (b) A home or other physical address including street name and name 
of a city or town;
    (c) An e-mail address;
    (d) A telephone number;
    (e) A Social Security number;
    (f) A persistent identifier, such as a customer number held in a 
cookie or a processor serial number, where such identifier is 
associated with personal identifying information; a screen name that 
reveals an individual's e-mail address; an instant messaging user 
identifier; or a combination of a last name with other information such 
that the combination permits physical or online contacting; or
    (g) Information concerning the child or the parents of that child 
that the operator collects online from the child and combines with an 
identifier described in this definition.
    Third party means any person who is neither an operator with 
respect to the collection of personal information on the website or 
online service, nor a person who provides support for the internal 
operations of the website or online service.
    Obtaining verifiable consent means making any reasonable effort 
(taking into consideration available technology) to ensure that before 
personal information is collected from a child, a parent of the child:
    (a) Receives notice of the operator's personal information 
collection, use, and disclosure practices; and
    (b) Authorizes any collection, use, and/or disclosure of the 
personal information.
    Website or online service directed to children means a commercial 
website or online service, or portion thereof, that is targeted to 
children. Provided, however, that a commercial website or online 
service, or a portion thereof, shall not be deemed directed to children 
solely because it refers or links to a commercial website or online 
service directed to children by using information location tools, 
including a directory, index, reference, pointer, or hypertext link. In 
determining whether a commercial website or online service, or a 
portion thereof, is targeted to children, the Commission will consider 
its subject matter, visual or audio content, age of models, language or 
other characteristics of the website or online service, as well as 
whether advertising promoting or appearing on the website or online 
service is directed to children. The Commission will also consider 
competent and reliable empirical evidence regarding audience 
composition; evidence regarding the intended audience; and whether a 
site uses animated characters and/or child-oriented activities and 
incentives.


Sec. 312.3  Regulation of unfair and deceptive acts and practices in 
connection with the collection, use, and/or disclosure of personal 
information from and about children on the Internet.

    General requirements. It shall be unlawful for any operator of a 
website or online service directed to children, or any operator that 
has actual knowledge that it is collecting personal information from a 
child, to collect personal information from a child in a manner that 
violates the regulations prescribed under this part. Generally, under 
this part, an operator must:
    (a) Provide notice on the website or online service of what 
information it collects from children, how it uses such information, 
and its disclosure practices for such information (Sec. 312.4(b));
    (b) Obtain verifiable parental consent for any collection, use, 
and/or disclosure of personal information from children (Sec. 312.5);
    (c) Provide a reasonable means for a parent to review the personal 
information collected from a child and to refuse to permit its further 
use or maintenance (Sec. 312.6);
    (d) Not condition a child's participation in a game, the offering 
of a prize, or another activity on the child disclosing more personal 
information than is reasonably necessary to participate in such 
activity (Sec. 312.7); and
    (e) Establish and maintain reasonable procedures to protect the 
confidentiality, security, and integrity of personal information 
collected from children (Sec. 312.8).


Sec. 312.4  Notice.

    (a) General principles of notice. All notices under Secs. 312.3(a) 
and 312.5 must be clearly and understandably written, be complete, and 
must contain no unrelated, confusing, or contradictory materials.
    (b) Notice on the website or online service. An operator must post 
a link to a notice of its information practices with regard to children 
on the home page of its website or online service and at each place on 
the website or online service where personal information is collected 
from children.
    (1) Placement of the notice.
    (i) The link to the notice must be clearly labeled as a notice of 
the website

[[Page 22765]]

or online service's information practices with regard to children;
    (ii) The link to the notice must be placed in a prominent place on 
the home page of the website or online service such that a typical 
visitor to the home page can see the link without having to scroll 
down; and
    (iii) There must be a prominent link to the notice at each place on 
the website or online service where children directly provide, or are 
asked to provide, personal information such that a typical visitor to 
those places can see the link without having to scroll down.
    (2) Content of the notice. To be complete, the notice of the 
website or online service's information practices must state the 
following:
    (i) The name, address, phone number, and e-mail address of all 
operators collecting personal information from children through the 
website or online service;
    (ii) The types of personal information collected from children and 
whether the personal information is collected directly or passively;
    (iii) How such personal information is or may be used by the 
operator, including but not limited to fulfillment of a requested 
transaction, recordkeeping, marketing back to the child, or making it 
publicly available through a chat room or by other means;
    (iv) Whether personal information is disclosed to third parties, 
and if so, the types of business in which such third parties are 
engaged, and the general purposes for which such information is used; 
whether those third parties have agreed to maintain the 
confidentiality, security, and integrity of the personal information 
they obtain from the operator; and that the parent has the option to 
consent to the collection and use of their child's personal information 
without consenting to the disclosure of that information to third 
parties;
    (v) That the operator is prohibited from conditioning a child's 
participation in an activity on the child's disclosing more personal 
information than is reasonably necessary to participate in such 
activity; and
    (vi) That the parent can review, make changes to, or have deleted 
the child's personal information and state the procedures for doing so.
    (c) Notice to a parent. Under Sec. 312.5, an operator must make 
reasonable efforts, taking into account available technology, to ensure 
that a parent of a child receives notice of an operator's practices 
with regard to the collection, use, and/or disclosure of the child's 
personal information, including any collection, use, and/or disclosure 
to which the parent has not previously consented.
    (1) Content of the notice to the parent.
    (i) All notices must state the following:
    (A) That the operator wishes to collect personal information from 
the child;
    (B) The information set forth in paragraph (b) of this section.
    (ii) In the case of a notice to obtain verifiable parental consent 
under Sec. 312.5(a), the notice must also state that the parent's 
consent is required for the collection, use, and/or disclosure of such 
information, and state the means by which the parent can provide 
verifiable consent to the collection of information.
    (iii) In the case of a notice under the exception in 
Sec. 312.5(c)(3), the notice must also state the following:
    (A) That the operator has collected the child's e-mail address or 
other online contact information to respond to the child's request for 
information and that the requested information will require more than 
one contact with the child;
    (B) That the parent may refuse to permit further contact with the 
child and require the deletion of the e-mail address or other online 
contact information; and
    (C) That if the parent fails to respond to the notice, the operator 
may use the information for the purpose(s) stated in the notice.
    (iv) In the case of a notice under the exception in 
Sec. 312.5(c)(4), the notice must also state the following:
    (A) That the operator has collected the child's name and e-mail 
address or other online contact information to protect the safety of 
the child participating on the website or online service;
    (B) That the parent may refuse to permit the use of the information 
and require the deletion of the information; and
    (C) That if the parent fails to respond to the notice, the operator 
may use the information for the purpose stated in the notice.


Sec. 312.5  Parental consent.

    (a) General requirements. (1) An operator is required to obtain 
verifiable parental consent before any collection, use, and/or 
disclosure of personal information from children, including any 
collection, use, and/or disclosure to which the parent has not 
previously consented.
    (2) An operator must give the parent the option to consent to the 
collection and use of the child's personal information without 
consenting to disclosure of his or her personal information to third 
parties.
    (b) Mechanisms for verifiable parental consent. An operator must 
make reasonable efforts to obtain verifiable parental consent, taking 
into consideration available technology. Any method to obtain 
verifiable parental consent must be reasonably calculated, in light of 
available technology, to ensure that the person providing consent is 
the child's parent.
    (c) Exceptions to prior parental consent. Verifiable parental 
consent is required prior to any collection, use and/or disclosure of 
personal information from a child except as set forth in this 
paragraph. The exceptions to prior parental consent are as follows:
    (1) Where the operator collects the name or online contact 
information of a parent or child to be used for the sole purpose of 
obtaining parental consent or providing notice under Sec. 312.4. If the 
operator has not obtained parental consent after a reasonable time from 
the date of the information collection, the operator must delete such 
information from its records;
    (2) Where the operator collects online contact information from a 
child for the sole purpose of responding directly on a one-time basis 
to a specific request from the child, and where such information is not 
used to recontact the child and is deleted by the operator from its 
records;
    (3) Where the operator collects online contact information from a 
child to be used to respond directly more than once to a specific 
request from the child, and where such information is not used for any 
other purpose. In such cases, the operator must make reasonable 
efforts, taking into consideration available technology, to ensure that 
a parent receives notice and has the opportunity to request that the 
operator make no further use of the information, as described in 
Sec. 312.4(c), immediately after the initial response and before making 
any additional response to the child. Mechanisms to provide such notice 
include, but are not limited to, sending the notice by postal mail or 
sending the notice to the parent's e-mail address, but do not include 
asking a child to print a notice form or sending an e-mail to the 
child;
    (4) Where the operator collects a child's name and online contact 
information to the extent reasonably necessary to protect the safety of 
a child participant on the website or online service, and the operator 
uses reasonable efforts to provide a parent notice as described in 
Sec. 312.4(c), where such information is:
    (i) Used for the sole purpose of protecting the child's safety;

[[Page 22766]]

    (ii) Not used to recontact the child or for any other purpose;
    (iii) Not disclosed on the website or online service;
    (5) Where the operator collects a child's name and online contact 
information and such information is not used for any other purpose, to 
the extent reasonably necessary:
    (i) To protect the security or integrity of its website or online 
service;
    (ii) To take precautions against liability;
    (iii) To respond to judicial process; or
    (iv) To the extent permitted under other provisions of law, to 
provide information to law enforcement agencies or for an investigation 
on a matter related to public safety.


Sec. 312.6.  Right of parent to review personal information provided by 
a child.

    (a) Upon request of a parent whose child has provided personal 
information to a website or online service, and upon proper 
identification of that parent, the operator of that website or online 
service is required to provide to that parent the following:
    (1) A description of the specific types or categories of personal 
information collected from the child by the operator, such as name, 
address, telephone number, e-mail address, hobbies, and extracurricular 
activities;
    (2) The opportunity at any time to refuse to permit the operator's 
further use or collection of personal information from that child, and 
to direct the operator to delete the child's personal information; and
    (3) Notwithstanding any other provision of law, a means of 
reviewing and making changes to any personal information collected from 
the child. The means employed by the operator to carry out this 
provision must:
    (i) Ensure that the requestor is a parent of that child, taking 
into account available technology; and
    (ii) Not be unduly burdensome to the parent.
    (b) Neither an operator nor the operator's agent shall be held 
liable under any Federal or State law for any disclosure made in good 
faith and following reasonable procedures in responding to a request 
for disclosure of personal information under this section.
    (c) Subject to the limitations set forth in Sec. 312.7, an operator 
may terminate any service provided to a child whose parent has refused, 
under paragraph (a)(2) of this section, to permit the operator's 
further use or collection of personal information from his or her child 
or has directed the operator to delete the child's personal 
information.


Sec. 312.7  Prohibition against conditioning a child's participation on 
collection of personal information.

    An operator is prohibited from conditioning a child's participation 
in a game, the offering of a prize, or another activity on the child's 
disclosing more personal information than is reasonably necessary to 
participate in such activity.


Sec. 312.8  Confidentiality, security, and integrity of personal 
information collected from children.

    The operator must establish and maintain reasonable procedures to 
protect the confidentiality, security, and integrity of personal 
information collected from children.


Sec. 312.9  Enforcement.

    Subject to sections 1304 and 1306 of the Children's Online Privacy 
Protection Act of 1998, a violation of a regulation prescribed under 
section 1303 of this Act shall be treated as a violation of a rule 
defining an unfair or deceptive act or practice prescribed under 
section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).


Sec. 312.10.  Safe harbors.

    (a) In general. An operator will be deemed to be in compliance with 
the requirements of this part if that operator complies with self-
regulatory guidelines, issued by representatives of the marketing or 
online industries, or by other persons, that, after notice and comment, 
are approved by the Commission.
    (b) Criteria for approval of self-regulatory guidelines. To be 
approved by the Commission, guidelines must include the following:
    (1) A requirement that operators subject to the guidelines 
(``subject operators'') implement the protections afforded children 
under this part;
    (2) An effective, mandatory mechanism for the independent 
assessment of subject operators' compliance with the guidelines. This 
requirement may be satisfied by:
    (i) Periodic reviews of subject operators' information practices 
conducted on a random basis either by the industry group promulgating 
the guidelines or by an independent entity;
    (ii) Periodic reviews of all subject operators' information 
practices, conducted either by the industry group promulgating the 
guidelines or by an independent entity; or
    (iii) Seeding of subject operators' databases, if accompanied by 
either paragraphs (b)(2)(i) or (b)(2)(ii) of this section; and
    (3) Effective incentives for subject operators' compliance with the 
guidelines. This requirement may be satisfied by:
    (i) Mandatory, public reporting of disciplinary action taken 
against subject operators by the industry group promulgating the 
guidelines;
    (ii) Consumer redress;
    (iii) Voluntary payments to the United States Treasury in 
connection with an industry-directed program for violators of the 
guidelines; or
    (iv) Referral to the Commission of operators who engage in a 
pattern or practice of violating the guidelines.
    (c) Implementation and effect. The assessment mechanism required 
under paragraph (b)(2) of this section can be provided by an 
independent enforcement program, such as a seal program. In considering 
whether to initiate an investigation or to bring an enforcement action 
for violations of this part, and in considering appropriate remedies 
for such violations, the Commission will take into account whether an 
operator has been subject to self-regulatory guidelines approved under 
this section and whether the operator has taken remedial action 
pursuant to such guidelines, including but not limited to actions set 
forth in paragraphs (b)(3)(i) through (iii) of this section.
    (d) Request for Commission approval of self-regulatory guidelines. 
(1) To obtain Commission approval of self-regulatory guidelines, 
industry groups or other persons must file a request for such approval. 
A request shall be accompanied by the following:
    (i) A copy of the full text of the guidelines for which approval is 
sought and any accompanying commentary;
    (ii) A comparison of each provision of Secs. 312.3 through 312.9 
with the corresponding provisions of the guidelines; and
    (iii) A statement explaining:
    (A) How the guidelines, including the applicable assessment 
mechanism, meet the requirements of this part; and
    (B) How the assessment mechanism and compliance incentives required 
under paragraphs (b)(2) and (3) of this section provide effective 
enforcement of the requirements of this part.
    (2) The Commission shall act upon a request under this section 
within 180 days of the filing of such request and shall set forth its 
conclusions in writing.
    (e) Records. Industry groups or other persons who seek safe harbor 
treatment by compliance with guidelines that have been approved under 
this part shall maintain and upon request make available to the 
Commission for inspection and copying:
    (1) Consumer complaints alleging violations of the guidelines by 
subject

[[Page 22767]]

operators, for a period not less than three years following receipt of 
such complaints;
    (2) Records of disciplinary actions taken against subject 
operators; and
    (3) Results of the independent assessments of subject operators' 
compliance required under paragraph (b)(2) of this section.
    (f) Revocation of approval. The Commission reserves the right to 
revoke any approval granted under this section if at any time it 
determines that the approved self-regulatory guidelines and their 
implementation do not, in fact, meet the requirements of this part.


Sec. 312.11  Rulemaking review.

    No later than five years after [the effective date of the final 
rule], this Rule, the Commission shall initiate a rulemaking review 
proceeding to evaluate the implementation of this part, including the 
effect of the implementation of this part on practices relating to the 
collection and disclosure of information relating to children, 
children's ability to obtain access to information of their choice 
online, and on the availability of websites directed to children; and 
report to Congress on the results of this review.


Sec. 312.12  Severability.

    The provisions of this part are separate and severable from one 
another. If any provision is stayed or determined to be invalid, it is 
the Commission's intention that the remaining provisions shall continue 
in effect.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 99-10250 Filed 4-26-99; 8:45 am]
BILLING CODE 6750-01-P