
Children’s Online Privacy

Protection Rule

(COPPA)

16 CFR Section 312


COPPA’s effective date was originally April 21, 2000. Under this Act, the FTC can obtain civil penalties for violating the Rule. COPPA does not grant a private right of action, but the statute authorizes State Attorneys General to enforce compliance with the Rule by filing actions in federal court with written notice to the FTC. 15 U.S.C. § 6504.


16 CFR Section 312 Amended

Effective July 1, 2013

This Rule was amended with modifications to the definitions of operator, PI, and website or online service directed to children. The amendment also updated the requirements set forth in the notice, parental consent, confidentiality and security, and safe harbor provisions, and added new provisions which became effective July 1, 2013.


How COPPA Works

Generally speaking, COPPA requires the following analysis:

• The first step is to determine if a website is directed to children under the age of 13 (strict liability) or if there is actual knowledge that one is collecting or maintaining PI from a child under the age of 13 (Section 312.3). If the answer to either of these is “yes”, the operator must (a) provide notice of what information it collects, how it uses the information, and its disclosure practices for the information (Section 312.4(b)); and (b) obtain verifiable parental consent before collection, use or disclosure (Section 312.5); and


How COPPA Works (cont’d)

(c) provide a reasonable means for a parent to review the PI and refuse to permit its further use or maintenance (Section 312.6); and (d) not condition a child’s participation on the child disclosing more information than is necessary to do the activity (Section 312.7); and (e) establish reasonable procedures to protect the confidentiality, security and integrity of the PI (Section 312.8).


Does COPPA Apply to You?

The following is a test flow chart to walk through the steps of COPPA.


Step 1: Is There Actual Knowledge You Are Collecting or Maintaining PI of a Child Under 13 - OR - Is Website Directed to Children Under 13 years-old?

Test 1

Do you have actual knowledge you are collecting or maintaining PI of children under 13 even if the site is not child-directed? (Section 312.3)

Or

Test 2

If subject matter, visual content, use of animated characters, child-oriented activities or incentives, music, child celebrities, etc. appear to be child-directed, you are strictly liable under COPPA. [1]

Or

Test 3

If you have actual knowledge that you are collecting PI from users or consumers of an online site or service directed towards children: either that site or service directly communicates the child-directed nature of its content to the other online service (i.e., you), or a representative of the online service (i.e., you) recognizes the child-directed nature of the content, or it is established on a case-by-case factual basis. (Section 312.2, definitions of website and online services directed to children.) [2]

Yes: Go to Step 2.

No: Stop here.


Footnotes

1. If a site is directed towards children you may not use an age screen to block children under 13. (See FTC Complying With COPPA: Frequently Asked Questions, D4.) If you are a general audience site and want to block children under 13 you must do so in a way that does not encourage kids to falsify their age.

2. Example: a behavioral advertiser that targets under-13-year-olds = directed to children.

See FTC Complying With COPPA: FAQs D5, referencing the 2012 Statement of Basis and Purpose, and D6, D7 and D8.


Step 2: Are You An Operator?

Test 4

• Do you collect or maintain PI for commercial purposes, or do you have PI collected or maintained by an agent or service provider of the Operator (i.e., you), or does the Operator (i.e., you) benefit from another person collecting PI? [3]

Yes: Go to Step 3.

No: Stop here (you just need a privacy policy explaining the same; direct notice is voluntary).

3. Note: A child-directed website is responsible even if a third party is doing the collecting or placing an ad, etc. Non-profits are not subject to COPPA unless they operate for the profit of their commercial members.


Step 3 - Do You Collect or Maintain PI?

Test 5

• You collect PI (see definition below) if you request, prompt or encourage a child to submit PI, or you enable a child to make PI publicly available in identifiable form, unless you delete all PI before making it public.

What is PI (individually identifiable information)? Any of the following:

• First and last name;

• Social security number;

• Telephone number;

• Physical address;

• Geolocation;

• Screen name or user name, if it can be used to contact the person;

• Photo, video or voice, if collected after 7/1/13;

• Persistent identifier, for example an IP address, device serial number, or customer information in a cookie.

If Yes and no exception applies: Go to Privacy Notice, Direct Notice and Verifiable Parental Consent.

No, or an exception applies (see next screens for exceptions): Stop here.

Note: Exceptions 1, 2, 4 and 5 require Direct Notice.


Exceptions - 16 CFR Section 312.5(c) – Where you can collect child’s PI before getting verifiable parental consent:

Exception 1 – Where the sole purpose of collecting the name or online contact information of the parent or child is to provide notice and obtain parental consent under § 312.4(c)(1). If the operator has not obtained parental consent after a reasonable time from the date of the information collection, the operator must delete such information from its records. (Requires Direct Notice per § 312.4(c)(1).) (This allows you to try to get verifiable parental consent, but if there is no response you must delete all PI.)

Exception 2 – Where the sole purpose of collecting a parent’s online contact information is to provide voluntary notice to, and subsequently update, the parent about the child’s participation in a website or online service that does not otherwise collect, use, or disclose children’s personal information. In such cases, the parent’s online contact information cannot be used or disclosed for any other purpose, and the operator must make reasonable efforts, taking into consideration available technology, to provide parents with direct notice. (Requires Direct Notice per § 312.4(c)(2).)

Exception 3 – Where the sole purpose of collecting online contact information from a child is to respond directly, on a one-time basis, to a specific request from the child, and where such information is not used to re-contact the child or for any other purpose, is not disclosed, and is deleted by the operator from its records promptly after responding to the child’s request. (§ 312.5(c)(3).)


Exception 4 – Where the purpose of collecting a child’s and a parent’s online contact information is to respond directly more than once to the child’s specific request, and where such information is not used for any other purpose, disclosed, or combined with any other information collected from the child. Here, the operator must provide parents with direct notice and the means to opt out of allowing the site’s future contact of the child. In providing such notice, the operator must make reasonable efforts, taking into consideration available technology, to ensure that the parent receives appropriate notice, and will not be deemed to have made reasonable efforts where the notice to the parent was unable to be delivered. (Requires Direct Notice per § 312.4(c)(3).)

Exception 5 – Where the purpose of collecting a child’s and parent’s name and online contact information is to protect the safety of a child, and where such information is not used or disclosed for any purpose unrelated to the child’s safety. Here, the operator must make reasonable efforts, taking into consideration available technology, to provide a parent with appropriate direct notice. (Requires Direct Notice per § 312.4(c)(4).)

Exception 6 – Where the purpose of collecting a child’s name and online contact information is to protect the security and integrity of its website or online service, take precautions against liability, respond to judicial process, or, to the extent permitted under other provisions of the law, to provide information to law enforcement agencies for an investigation on a matter related to public safety; and where such information is not used for any other purpose.


Exception 7 – Where an operator collects a persistent identifier and no other information, and such identifier is used for the sole purpose of providing support for the internal operations of the website or online service, no direct notice is required. “Support for internal operations” is defined in Section 312.2 and means “activities necessary for the site or service to maintain or analyze its functioning, perform network communications, authenticate users or personalize content, serve contextual advertising or cap the frequency of advertising, protect the security and integrity of the user, website, or online service, ensure legal or regulatory compliance.” [4]

Exception 8 – Where a third-party operator has actual knowledge that it has a presence on a child-directed website (example – through a social widget or plug-in embedded on the site), it collects a persistent identifier and no other personal information from a visitor from the child-directed site who affirmatively interacts with the operator, and whose previous registration with that operator indicates that such user is not a child (example – an age-gated registration process), then no direct notice is required.

4. Persistent identifiers collected for the sole purpose of providing support for the internal operations of the website or online service do not require parental consent, as long as no other personal information is collected and the persistent identifiers are not used or disclosed to contact a specific individual (including through behavioral advertising), to amass a profile on a specific individual, or for any other purpose. This also applies to third-party entities retained by the child-directed website.

Watch out – If you collect other PI beyond persistent identifiers you must do direct notice and get verifiable parental consent.


Privacy Notice, Direct Notice and Verifiable Parental Consent

General overview of § 312.3 – It is unlawful for an operator of a website or online service directed to children, or an operator with actual knowledge that it is collecting or maintaining PI from a child, not to do the following: a) Provide notice on the website or online service of what information it collects from children, how it uses such information, and its disclosure practices for such information (i.e., Direct Notice) (§ 312.4(b)); b) Obtain verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children (§ 312.5); c) Provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance (§ 312.6); d) Not condition a child’s participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity (§ 312.7); and e) Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children (§ 312.8).


Privacy Notice, Direct Notice and Verifiable Parental Consent (cont’d)

Privacy Notice § 312.4(d)

If you have met the test for Operator of a Child-Directed Website under Step 1, or if you have a general audience website with a child-directed area, then you must:

Post a privacy policy on the home page, or before PI from a child is collected, and/or prior to the point of purchase or download, and at each part of the website where you collect PI. The policy must be clear, understandable and complete, and contain no unrelated, confusing or contradictory materials (§ 312.4(a)). The notice must be prominent and stand out (§ 312.4(d)).

(See next screen for Privacy Notice Requirements)


Privacy Notice, Direct Notice and Verifiable Parental Consent (cont’d)

Privacy Notice Requirements 16 C.F.R. § 312.4(d)

• The name, address, telephone number, and email address of all operators collecting or maintaining personal information through the site or service (or, after listing all such operators, the contact information for one that will handle all inquiries from parents); [5]

• A description of exactly what information the operator collects from children (i.e., list the categories of PI collected), including whether the operator enables children to make their personal information publicly available, how the operator uses such information, and the operator’s disclosure practices for such information; and

• That the parent can review or have deleted the child’s personal information and refuse to permit its further collection or use, and the procedures for doing so. [6]

5. Under § 312.4(d)(1), the list of operators can be put behind a clear and permanent link in the privacy policy.

6. An operator of a general audience website or online service that has a separate children’s area must post a link to its notice on the home page or landing screen of the children’s area (§ 312.4(d)).

Privacy Notice, Direct Notice and Verifiable Parental Consent (cont’d)

§ 312.4 – The Specific Direct Notice (in addition to the posted privacy policy) to Parents Needed Under the Following 4 Circumstances:

1. § 312.4(c)(1) - Where an operator seeks to obtain a parent’s verifiable consent under § 312.5(c)(1) prior to the collection, use, or disclosure of a child’s personal information. In this case, the direct notice must:

• State that the operator has collected the parent’s online contact information from the child, and, if such is the case, the name of the child or the parent in order to obtain the parent’s consent;

• State that the parent’s consent is required for the collection, use, or disclosure of such information, and that the operator will not collect, use, or disclose any personal information from the child if the parent does not provide such consent;

• Set forth the additional items of personal information the operator intends to collect from the child, or the potential opportunities for the disclosure of personal information, should the parent provide consent;


• Contain a hyperlink to the operator’s online notice of its information practices (i.e., its privacy policy);

• Provide the means by which the parent can provide verifiable consent to the collection, use, and disclosure of the information; and

• State that if the parent does not provide consent within a reasonable time from the date the direct notice was sent the operator will delete the parent’s online contact information from its records. See 16 C.F.R. § 312.4(c)(1).

Go To Verifiable Parental Consent – Required !!

7. Under § 312.5(c)(1) exception – you do not need to get verifiable parental consent if the parent fails to respond to direct notice within a reasonable time and operator deletes all PI.


Privacy Notice, Direct Notice and Verifiable Parental Consent (cont’d)

2. § 312.4(c)(2) - Where an operator voluntarily seeks to provide notice to a parent of a child’s online activities that do not involve the collection, use or disclosure of personal information (§ 312.5(c)(2)). In this case, the direct notice must:

• State that the operator has collected the parent’s online contact information from the child in order to provide notice to, and subsequently update the parent about, a child’s participation in a website or online service that does not otherwise collect, use, or disclose children’s personal information;

• State that the parent’s online contact information will not be used or disclosed for any other purpose;

• State that the parent may refuse to permit the child’s participation in the website or online service and may require the deletion of the parent’s online contact information, and how the parent can do so; and

• Provide a hyperlink to the operator’s online notice of its information practices. See 16 C.F.R. § 312.4(c)(2).

No Verifiable Parental Consent Required

3. § 312.4(c)(3) - Where an operator intends to communicate with the child multiple times via the child’s online contact information and collects no other information (§ 312.5(c)(4)). In this case, the direct notice must:

• State that the operator has collected the child’s online contact information from the child in order to provide multiple online communications to the child;


• State that the operator has collected the parent’s online contact information from the child in order to notify the parent that the child has registered to receive multiple online communications from the operator;

• State that the online contact information collected from the child will not be used for any other purpose, disclosed, or combined with any other information collected from the child;

• State that the parent may refuse to permit further contact with the child and require the deletion of the parent’s and child’s online contact information, and how the parent can do so;

• State that if the parent fails to respond to this direct notice, the operator may use the online contact information collected from the child for the purpose stated in the direct notice; and

• Provide a hyperlink to the operator’s online notice of its information practices. See 16 C.F.R. § 312.4(c)(3).

No Verifiable Parental Consent Required


4. § 312.4(c)(4) - Where the operator’s purpose for collecting a child’s and a parent’s name and online contact information is to protect a child’s safety and the information is not used or disclosed for any other purpose (§ 312.5(c)(5)). In this case, the direct notice must:

• State that the operator has collected the name and the online contact information of the child and the parent in order to protect the safety of a child;

• State that the information will not be used or disclosed for any purpose unrelated to the child’s safety;

• State that the parent may refuse to permit the use, and require the deletion, of the information collected, and how the parent can do so;

• State that if the parent fails to respond to this direct notice, the operator may use the information for the purpose stated in the direct notice; and

• Provide a hyperlink to the operator’s online notice of its information practices. See 16 C.F.R. § 312.4(c)(4).

No Verifiable Parental Consent Required


Privacy Notice, Direct Notice and Verifiable Parental Consent (cont’d)

How To Get Verifiable Parental Consent

§ 312.5

If the operator has qualified for COPPA coverage under Steps 1, 2 and 3 and no exceptions or safe harbor apply, verifiable parental consent MUST be obtained as follows:

The Rule sets forth several non-exhaustive options and you can apply to the FTC for pre-approval of a new consent mechanism, as set out in 16 C.F.R. § 312.5(b).

If you are going to disclose children’s personal information to third parties, or allow children to make it publicly available (e.g., through a social networking service, online forums, or personal profiles) then you must use a method that is reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent. Such methods include:

• Providing a consent form to be signed by the parent and returned via U.S. mail, fax, or electronic scan to the operator (the “print-and-send” method); or

• Requiring the parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder; or

• Having the parent call a toll-free telephone number staffed by trained personnel, or having the parent connect to trained personnel via video-conference; or


• Verifying a parent’s identity by checking a form of government-issued identification against databases of such information, provided that you promptly delete the parent’s identification after completing the verification; or

• Provided that an operator does not “disclose” (as defined by § 312.2) children’s personal information, it may use an email coupled with additional steps to provide assurances that the person providing the consent is the parent. Such additional steps include: sending a confirmatory email to the parent following receipt of consent, or obtaining a postal address or telephone number from the parent and confirming the parent’s consent by letter or telephone call. An operator that uses this method must provide notice that the parent can revoke any consent given in response to the earlier email.

Note: Even if PI is only collected for internal purposes, if you collect any PI other than persistent identifiers then you do not meet Exception 7 in § 312.5(c), and you must provide direct notice and get verifiable parental consent as follows:

If you are going to use the children’s personal information only for internal purposes – that is, you will not be disclosing the information to third parties or making it publicly available – then you can use any of the above methods or you can use the “email plus” method of parental consent. “Email plus” allows you to request (in the direct notice sent to the parent’s online contact address) that the parent indicate consent in a return message. To properly use the email plus method, you must take an additional confirming step after receiving the parent’s message (this is the “plus” factor).

The confirming step may be:


• Requesting in your initial message to the parent that the parent include a phone or fax number or mailing address in the reply message, so that you can follow up with a confirming phone call, fax or letter to the parent; or

• After a reasonable time delay, sending another message via the parent’s online contact information to confirm consent. In this confirmatory message, you should include all the original information contained in the direct notice, inform the parent that he or she can revoke the consent, and inform the parent how to do so.


Privacy Notice, Direct Notice and Verifiable Parental Consent (cont’d)

Right of Parent to Review Child PI § 312.6

Upon request of a parent, the operator must provide a description of the specific PI collected, and an opportunity for the parent to refuse to permit further use or collection of the child’s PI and to request its deletion. The operator may terminate the service provided to the child if the parent makes this request.

§ 312.7 – Prohibition against conditioning a child’s participation on collection of PI – an operator cannot condition a child’s participation in a game or activity on the child disclosing more PI than is reasonably necessary to participate in the activity.

§ 312.8 – Confidentiality, security and integrity of PI collected from children. The operator must have reasonable procedures to protect a child’s PI, and must make sure that third parties it shares PI with can maintain the security, confidentiality and integrity of the PI; the third party must provide assurances of the same.

§ 312.9 Enforcement – Subject to §§ 6503 and 6505 of COPPA 1998, a violation under § 6502(a) of COPPA shall be treated as a violation of a rule defining an unfair or deceptive act or practice under § 18(a)(1)(B) of the FTC Act, 15 U.S.C. § 57a(a)(1)(B).

§ 312.10 Data Retention and Deletion – The operator shall only retain a child’s PI for as long as reasonably necessary to fulfill the purpose for which it was collected. The operator must delete the PI using reasonable measures to protect it from unauthorized access or use in the process of deletion.

§ 312.11 Safe Harbor – This is a detailed section, but essentially one can apply to the FTC to have one’s own self-regulatory program approved. It is complicated, and basically all of the intended protections of COPPA must be satisfied to get “Safe Harbor”.

§ 312.12 – Voluntary Commission Approval Processes – This is similar to Safe Harbor, but for the narrower purpose of getting “pre-approval” from the FTC for a verifiable parental consent method that is not enumerated under § 312.5(b)(1).


Penalties for Violating COPPA

A Court can hold operators who violate the Rule liable for civil penalties up to $16,000 per violation. States and certain federal agencies have authority to enforce compliance.

See FTC’s Complying With COPPA: Frequently Asked Questions, Questions B(2) and B(3).
