Children's Online Privacy Protection Act of 1998
Children's Online Privacy Protection Act of 1998 | |
---|---|
Short Title | Children's Online Privacy Protection Act of 1998 (COPPA) |
Official Text | Children's Online Privacy Protection Act of 1998 |
Country/Jurisdiction | United States |
State or Province | |
Regulatory Bodies | |
Date Enacted | 1998/10/21 |
Scope of the Law | Children, Parents, Website or Online Service Operators |
Information | |
Taxonomy | Decisional Interference, Disclosure, Exclusion, Identification, Insecurity, Interrogation, Secondary Use, Surveillance |
Strategies |
The COPPA protects children from operators which may have a purpose to collect their personal information while operators direct to children with their online services. The Act also prevents operators from disclosing children's personal information.
Text of the law
15 U.S.C. § 6502.Regulation of unfair and deceptive acts and practices in connection with collection and use of personal information from and about children on the Internet
(a)Acts prohibited
(1)In general Decisional Interference, Surveillance
It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b).
(2)Disclosure to parent protected Disclosure
Notwithstanding paragraph (1), neither an operator of such a website or online service nor the operator’s agent shall be held to be liable under any Federal or State law for any disclosure made in good faith and following reasonable procedures in responding to a request for disclosure of personal information under subsection (b)(1)(B)(iii) to the parent of a child.
(b)Regulations
(1)In general
Not later than 1 year after October 21, 1998, the Commission shall promulgate under section 553 of title 5 regulations that—
(A)require the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child—
(i) Exclusion to provide notice Inform "Strategies#list" contains a listed "#" character as part of the property label and has therefore been classified as invalid.on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information; and
(ii)to obtain verifiable parental consent for the collection, use, or disclosure of personal information from children; Exclusion
(B)require the operator to provide, upon request of a parent under this subparagraph whose child has provided personal information to that website or online service, upon proper identification of that parent, to such parent— Identification
(i)a description of the specific types of personal information collected from the child by that operator;
(ii)the opportunity at any time to refuse to permit the operator’s further use or maintenance in retrievable form, or future online collection, of personal information from that child; and Decisional Interference
(iii)notwithstanding any other provision of law, a means that is reasonable under the circumstances for the parent to obtain any personal information collected from that child;
(C)prohibit conditioning a child’s participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity; and
(D)require the operator of such a website or online service to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. Insecurity
(2)When consent not required The regulations shall provide that verifiable parental consent under paragraph (1)(A)(ii) is not required in the case of—
(A)online contact information collected from a child that is used only to respond directly on a one-time basis to a specific request from the child and is not used to recontact the child and is not maintained in retrievable form by the operator;
(B)a request for the name or online contact information of a parent or child that is used for the sole purpose of obtaining parental consent or providing notice under this section and where such information is not maintained in retrievable form by the operator if parental consent is not obtained after a reasonable time; Interrogation, Secondary Use
(C)online contact information collected from a child that is used only to respond more than once directly to a specific request from the child and is not used to recontact the child beyond the scope of that request—
(i)if, before any additional response after the initial response to the child, the operator uses reasonable efforts to provide a parent notice of the online contact information collected from the child, the purposes for which it is to be used, and an opportunity for the parent to request that the operator make no further use of the information and that it not be maintained in retrievable form; or
(ii)without notice to the parent in such circumstances as the Commission may determine are appropriate, taking into consideration the benefits to the child of access to information and services, and risks to the security and privacy of the child, in regulations promulgated under this subsection;
(D)the name of the child and online contact information (to the extent reasonably necessary to protect the safety of a child participant on the site)—
(i)used only for the purpose of protecting such safety;
(ii)not used to recontact the child or for any other purpose; and
(iii)not disclosed on the site,
if the operator uses reasonable efforts to provide a parent notice of the name and online contact information collected from the child, the purposes for which it is to be used, and an opportunity for the parent to request that the operator make no further use of the information and that it not be maintained in retrievable form; or
(E)the collection, use, or dissemination of such information by the operator of such a website or online service necessary—
(i)to protect the security or integrity of its website; Insecurity
(ii)to take precautions against liability;
(iii)to respond to judicial process; or
(iv)to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety.
(3)Termination of service
The regulations shall permit the operator of a website or an online service to terminate service provided to a child whose parent has refused, under the regulations prescribed under paragraph (1)(B)(ii), to permit the operator’s further use or maintenance in retrievable form, or future online collection, of personal information from that child.
(c)Enforcement
Subject to sections 6503 and 6505 of this title, a violation of a regulation prescribed under subsection (a) shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 57a(a)(1)(B) of this title.
(d)Inconsistent State law
No State or local government may impose any liability for commercial activities or actions by operators in interstate or foreign commerce in connection with an activity or action described in this chapter that is inconsistent with the treatment of those activities or actions under this section.
15 U.S.C. § 6503.Safe harbors
(a)Guidelines
An operator may satisfy the requirements of regulations issued under section 6502(b) of this title by following a set of self-regulatory guidelines, issued by representatives of the marketing or online industries, or by other persons, approved under subsection (b).
(b)Incentives
(1)Self-regulatory incentives In prescribing regulations under section 6502 of this title, the Commission shall provide incentives for self-regulation by operators to implement the protections afforded children under the regulatory requirements described in subsection (b) of that section.
(2)Deemed compliance
Such incentives shall include provisions for ensuring that a person will be deemed to be in compliance with the requirements of the regulations under section 6502 of this title if that person complies with guidelines that, after notice and comment, are approved by the Commission upon making a determination that the guidelines meet the requirements of the regulations issued under section 6502 of this title.
(3)Expedited response to requests
The Commission shall act upon requests for safe harbor treatment within 180 days of the filing of the request, and shall set forth in writing its conclusions with regard to such requests.
(c)Appeals
Final action by the Commission on a request for approval of guidelines, or the failure to act within 180 days on a request for approval of guidelines, submitted under subsection (b) may be appealed to a district court of the United States of appropriate jurisdiction as provided for in section 706 of title 5.
Disclaimer: The text of this law may not be the most recent version. We make no warranties or representations about the accuracy, completeness, or adequacy of the information contained on this site. Please check official sources.