---

In October, 1998, President Clinton signed the Children's Online Privacy Protection Act ("COPPA").  That statute gave the Federal Trade Commission ("FTC" or "Commission") one year in which to promulgate regulations governing the on-line collection of information from children.  The regulations were to apply to any "operator of a website or online service directed to children" or "any operator that has actual knowledge that it is collecting personal information from a child . . ." [1]   The FTC's regulations also were to give effect to the following requirements:

All children's website operators must provide notice on the website of what information is collected from children, how the website operator uses the information and the operator's disclosure practices for such information.

All children's website operators must obtain verifiable parental consent for the collection, use or disclosure of personal information from children.  "Verifiable parental consent" is defined as "any reasonable effort (taking into consideration available technology) . . . to ensure that a parent of a child receives notice of the operator's personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclosure . . . personal information and the subsequent use of that information before that information is collected from that child." [2]

Children's website operators must provide parents, upon request, a description of the types of personal information collected from a child of the requesting parent.  Children's website operators also must, upon a parent's request, give the parent the opportunity to refuse to permit the operator's further collection from, or maintenance or use of, personal information of that parent's child.

Children's website operators may not condition a child's participation on a game or prize offering upon the child's disclosure of more information that is reasonably necessary to participate in the activity.

Children's website providers must establish and maintain reasonable procedures to protect the confidentiality, security and integrity of personal information collected from children.

COPPA also offers website operators some safe harbors and exceptions.  Notably, website operators need not obtain verifiable parental consent for information that is obtained from a child to respond on a one-time basis to a specific request, and that is not maintained in retrievable form by the operator or used to make a subsequent contact with the child. [3]   More generally, children's website operators may comply with the statute by observing industry self-regulatory guidelines approved by the FTC. [4]>   The FTC must approve or reject such self-regulatory guidelines within 180 days of the filing of a request for approval of those guidelines. [5]

In November of 1999, the Federal Trade Commission ("FTC" or "Commission") adopted rules under which it will administer and enforce the Children's Online Privacy Protection Act.  The new rules, which are summarized in the attached FTC publication, add important detail to the general obligations established in COPPA.  Notably, the FTC rules:

(1) identify factors the FTC will consider when deciding whether a website or online service is directed to children;

(2) establish requirements for the placement and content of notices concerning an operator's privacy policy;

(3) announce that until April, 2002, the Commission will assess operators' methods of obtaining verifiable parental consent according to a "sliding scale," under which more or less vigorous methods of consent will be required depending upon how information obtained from children will be used;

(4) announce that the FTC will conduct a review of methods of obtaining verifiable parental consent beginning in April, 2001; and

(5) clarify the circumstances under which operators may acquire information from a child without a parent's advance consent.

After April, 2000, the FTC will bring enforcement actions and impose civil penalties for failure to comply with COPPA.  Accordingly, operators of website operators and other online services should review their information-gathering practices now to ensure compliance.  Similarly, industry groups or operators that wish to adopt approved self-regulatory programs should develop those programs, and submit them to the FTC for public comment and agency review, as soon as possible.