United States: Guide To Compliance With The Amended COPPA Rule

What Is COPPA?

  • Children's Online Privacy Protection Act, enacted by Congress in 1998
  • Congress directed the Federal Trade Commission (FTC), the nation's consumer protection agency, to issue and enforce regulations concerning children's online privacy
  • The FTC issued the Children's Online Privacy Protection Rule, effective April 21, 2000
  • The FTC issued an amended COPPA Rule on December 12, 2012, with an effective date of July 1, 2013.

PURPOSE OF COPPA: To place parents in control over what information is collected online from their children under 13.

SCOPE OF COPPA: applies to the following three (3) categories of online operators:

  1. Operators of commercial Web sites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information (PI) from children under 13 (including personal information about themselves, their parents, friends or other persons);

    1. "Online service" is broadly defined to cover any service available over the Internet, or that connects to the Internet or a wide-area network. Examples: services that allow users to play network-connected games, engage in social networking activities, purchase goods or services online, receive online advertisements or interact with other online content or services, mobile applications that connect to the Internet, VoIP services, Internet-enabled location-based services, Internet-enabled gaming platforms.
    2. "Web site or online service directed to children" is defined in §312.2 of COPPA. The following factors should be considered when determining whether a Web site or online service or portion thereof is directed to children: (i) the subject matter, (ii) the visual content, (iii) use of animated characters or child-oriented activities and incentives, (iv) music or other audio content, (v) age of models, (vi) presence of child celebrities or celebrities who appeal to children, (vii) language or other characteristics of the Web site or online service, and (viii) whether advertising promoting or appearing on the Web site or online service is directed to children. The FTC will also consider "competent and reliable empirical evidence" regarding the audience composition or intended audience of the Web site or online service. Lastly, a Web Site or online service will be deemed "directed to children" if it has actual knowledge that it is collecting PI directly from users of another Web site or online service that is directed to children.

  2. Operators of general audience Web sites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13;

    The Rule does not define the term "actual knowledge," but the FTC said that an operator has "actual knowledge" of a user's age if the site or service asks for — and receives — information from the user that allows it to determine the user's age. From article titled "Children's Online Privacy Protection Rule: Not Just for Kids' Sites" published by the FTC in April 2013]. Examples: (a) an operator who asks for a date of birth on a site's registration page has "actual knowledge" as defined by COPPA if a user responds with a year that suggests the user is under 13, or (b) an operator may also have "actual knowledge" based on answers to "age-identifying" questions like the following: "What grade are you in?" or "What type of school do you go to? (a) elementary; (b) middle; (c) high school; (d) college."

  3. Web sites or online services with "actual knowledge" that they are collecting personal information directly from users of another Web site or online service directed to children under 13. Examples: providers of plug-ins, advertising networks, and other third-party service providers

    1. A plug-in is a piece of software that acts as an add-on to a web browser and gives the browser additional functionality. Plug-ins can allow a web browser to display additional content it was not originally designed to display. Well-known browser plug-ins include the Adobe Flash Player, Adobe Reader, the Macromedia Flash Player, the QuickTime Player, and the Java plug-in. Most plug-ins are available as free downloads. To install the plug-in, you visit the website of the plug-in's developer and click on a link that will download the installer for the plug-in you have selected. Once you have downloaded the installer, you can open it and follow the prompts to install the plug-in on your system.
    2. An online advertising network or ad network is a company that connects advertisers to Web sites that want to host advertisements. The key function of an ad network is aggregation of ad space supply from publishers and matching it with advertiser demand. Online ad networks use a central ad server (a computer server, specifically a web server, that stores advertisements used in online marketing and delivers them to website visitors) to deliver advertisements to consumers, which enables targeting, tracking and reporting of impressions.

Examples of a third party's actual knowledge under COPPA: (a) if the operator of a child-directed site directly communicates to an ad network or plug-in about the nature of its site, the ad network or plug-in will have "actual knowledge" under COPPA, or (b) a representative of the ad network or plug-in recognizes the child-directed nature of the site's content [according to the FTC FAQ 39, it is unlikely that the mere collection of a URL from a child-directed site or service will constitute "actual knowledge"], or (c) if a concerned parent or someone else informs a representative of the ad network or plug-in that it is collecting PI from children under 13.

In addition, if in the future, an industry standard or agreed-upon convention is developed under which sites or services signal their child-directed status (e.g. via explicit signaling from the embedding web page to the third party), this will be deemed "actual knowledge" [See FTC FAQ 39].

PLEASE NOTE:

COPPA applies to the online collection of PI from children under 13 by a covered operator, even if children volunteer the PI OR are not required by the operator to input the information to participate on the Web site or service. COPPA does not apply to information about children under 13 collected online from parents or other adults, although the FTC expects that operators will keep confidential any information obtained from parents in the course of obtaining parental consent or providing for parental access pursuant to COPPA.

COPPA also covers operators that allow children under 13 to publicly post PI, such as in chat boards or product reviews.

COPPA also covers the passive tracking of PI of children under 13 through a persistent identifier and not just active collection.

COPPA does not require operators to investigate the age of visitors. An operator of a general audience Web site or service that chooses to screen its users for age may rely on the age information its users enter, even if that age information is not accurate (in some circumstances, this may mean that the children are registering on a site or service in violation of the operator's Terms of Service). However, if the operator later determines that a particular user is a child under 13, COPPA's notice and parental consent requirements will be triggered.

SCREENING USERS FOR AGE: Web sites or online services (including apps) directed to children may NOT screen users for age, unless it falls under a narrow exception: the Website or online service does not target children under 13 as its primary audience (e.g., Disney.com is a child-directed site that targets children under 13 as well as parents and younger teens). An operator meeting these standards may age-screen its users if it: (i) does not collect PI from any visitor before collecting age information, and (ii) prevents the collection, use, or disclosure of PI from visitors who identify themselves as under the age 13 without first complying with the Amended Rule's notice and parental consent provisions. An operator of a Web site or online service directed to children may NOT block children from participating in the Web site or online service; you may decide to offer different activities or functions to your users depending on age, but you may NOT altogether prohibit children from participating in your child-directed site or online service.

However, operators of a general audience Web site or online service MAY block children under 13 from participating if they choose to do so, the FTC staff recommends using a cookie to prevent children from back-buttoning to enter a different age.

COPPA does not apply to nonprofit entities, unless they operate for the profit of their commercial members (essentially COPPA only applies to entities that are subject to Section 5 of the FTC Act, i.e. all persons engaged in commerce, including banks). However, the FTC encourages such entities to post privacy policies online and to provide COPPA's protections to their visitors who are children under 13.

Foreign-based Web sites and online services must comply with COPPA if they are directed to children under 13 in the U.S. OR if they knowingly collect personal information from children under 13 in the U.S. The definition of "operator" under COPPA includes foreign-based Web sites and online services that are involved in commerce in the U.S. or its territories. Also, U.S.-based sites that collect information from foreign children are also subject to COPPA.

What Is Personal Information (PI) Under COPPA?

One or more of the following elements:

  1. First and last name; OR
  2. A home or other physical address including street name and name of city/town; OR
  3. Online contact information; OR
  4. A screen or user name that functions as online contact information (includes not only an email address, but any other "substantially similar identifier that permits direct contact with a person online"); OR
  5. A telephone number; OR
  6. A social security number; OR
  7. A persistent identifier that can be used to recognize a user over time and across different Web sites or online services (such as a customer number held in a cookie, an IP address, a processor or device serial number, or a unique device identifier that can be used to recognize a user over time and across different sites, even where such identifier is NOT paired with other items of PI); OR
  8. A photo, video, or audio file, where such file contains a child's imagine or voice [but NOT if facial features are blurred by operator before posting on the site, provided that all other PI is removed, such as geolocation metadata]; OR
  9. Geolocation information sufficient to identify street name and name of a city/town (including where an app take the user's longitude and latitude coordinates and translates them into a precise location on a map); OR
  10. Information concerning the child or the parents of that child that an operator collects online from the child and combines with an identifier described above.

What Must Operators Covered by the Rule Do to Comply with COPPA?

  1. Post a clear and comprehensive online privacy policy describing their information practices for PI collected online from children under 13;
  2. Make reasonable efforts (taking into account available technology) to provide direct notice to parents of the operator's practices with regard to the collection, use, or disclosure of PI from children under 13, including notice of any material change to such practices to which the parents has previously consented;
  3. Obtain verifiable parental consent, with limited exceptions, prior to any collection, use, and/or disclosure of PI from children under 13;
  4. Provide a reasonable means for a parent to review the PI collected from their child and to refuse to permit its further use or maintenance;
  5. Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the PI collected from children under 13, including by taking reasonable steps to disclose/release such PI only to parties capable of maintaining its confidentiality and security; and
  6. Retain PI collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
  7. Operators are prohibited from conditioning a child's participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity.

Changes to Be Implemented By Operators to Comply with the Amended Rule

The Amended Rule applies to any PI that is collected after the effective date of July 1, 2013. However, since the Amended Rule added 4 new categories of PI, operators that collected and used such information before it was considered PI will have the following obligations regarding use and disclosure as of July 1, 2013:

  1. GEOLOCATION INFORMATION: If you collected geolocation information (any geolocation info that provides information precise enough to identify the name of a street AND city/town) from a child prior to July 1, 2013 and have not obtained parental consent, you are required to obtain parental consent immediately. Operators are required to obtain parental consent prior to collecting geolocation information, regardless of when such data is collected.
  2. PHOTOS OR VIDEOS CONTAINING A CHILD'S IMAGE OR AUDIO FILES WITH A CHILD'S VOICE FROM A CHILD: If you collected photos or videos containing a child's image or audio files with a child's voice from a child prior to July 1, 2013 and have not obtained parental consent, you are not required, but encouraged by the FTC (as a best practice) to either obtain parental consent if possible or discontinue use or disclosure of such information after July 1, 2013.
  3. SCREEN OR USE NAME: If you collected any screen or user name that functions in the same manner as online contact information from a child prior to July 1, 2013 and have not obtained parental consent, you are not required, but encouraged by the FTC (as a best practice) to obtain parental consent if possible. However, if after July 1, 2013, an operator associates new information with a previously collected screen or user name, you are required to obtain parental consent.
  4. PERSISTENT IDENTIFIERS: If you collected any persistent identifiers that can be used to recognize a user over time and across different Web sites or online services from a child prior to July 1, 2013 and have not obtained parental consent, you are not required, but encouraged by the FTC (as a best practice) to obtain parental consent if possible. However, if after July 1, 2013, an operator continues to collect or associates new information with such persistent identifier (such as info about a child's activities on the operator's site or online services), this collection of information triggers COPPA and parental consent is required, unless collection falls under an exception such as support for the internal operations of the site or online service.
  5. BOTTOM LINE: Parental consent is NOT REQUIRED for the following categories of information that were collected from children under 13 before July 1, 2013:

    1. Photos, videos, and audio files containing a child's image or voice;
    2. Screen or user names that function as online contact information UNLESS the operator combines them with new information after July 1, 2013; and
    3. Persistent identifiers, UNLESS the operator continues to collect the persistent identifiers or combines them with new information after July 1, 2013.

What Information Must Operators Covered by COPPA Include in Their Online Privacy Policies?

Section 312.4(d) of the Amended Rule identifies the information that must be disclosed in an operator's online privacy policy:

  1. Name, address, telephone number, and email address of ALL operators collecting or maintaining PI through the Web site or service (or, after listing the names of all such operators, provide the contact information for just one that will handle all inquiries from parents;

    1. To keep your online privacy policy simple, you may include a clear and prominent link in the policy to the complete list of operators, as opposed to listing every operator in the policy itself. Must ensure that the privacy policy signals parents to, and enables them to easily access, this list of operators.
  2. A description of what information the operator collects from children, including whether the operator enables children to make their PI publicly available, how the operator uses such information, and the operator's disclosure practices for such information; AND

    Since persistent identifiers are included in the definition of PI under the Amended Rule, an operator must disclose in the privacy policy the collection, use or disclosure of such persistent identifiers unless (1) the operator collects no other PI, and (2) such persistent identifiers are collected on or through the site or service solely for the purpose of providing "support for the internal operations" of the site or service.

    1. "Support for internal operations of the Web site or online service," as defined in §312.2, means activities necessary for the site or service to:

      1. Maintain or analyze its functioning;
      2. Perform network communications;
      3. Authenticate users or personalize content; (NOT behavioral advertising!)
      4. Serve contextual advertising or cap the frequency of advertising;
      5. Protect the security or integrity of the user, Web site, or online service;
      6. Ensure legal or regulatory compliance; or
      7. Fulfill a request of a child as permitted by COPPA §312.5(c)(3) [Where the operator collects online contact information from a child to be used to respond directly more than once to a specific request from the child, and where such information is not used for any other purpose.] and (4) [Where the operator collects a child's name and online contact information to the extent reasonably necessary to protect the safety of a child participant on the website or online service, and the operator uses reasonable efforts to provide a parent notice as described in § 312.4(c), where such information is: (i) Used for the sole purpose of protecting the child's safety; (ii) Not used to re-contact the child or for any other purpose; and (iii) Not disclosed on the website or online service].
    2. Persistent identifiers collected for the sole purpose of providing support for the internal operations of the Web site or online service do not require parental consent, so long as no other PI is collected AND the persistent identifiers are not used or disclosed to contact a specific individual (including through behavioral advertising) or for any other purpose.
    3. Both a child-directed Web site and a third-party plug-in that collecting persistent identifiers from children under 13 can rely on the "support for internal operations" exception, if the only PI collected are persistent identifiers for purposes outlined in the "support for internal operations" definition above.
  3. A statement that the parent can review or have deleted the child's PI and refuse to permit its further collection or use, and state the procedures for doing so.

    1. "Delete" is defined as "to remove personal information such that it is not maintained in retrievable form and cannot be retrieved in the normal course of business."

Where Should an Operator Covered by COPPA Post Links to Its Online Privacy Policy?

Post a clearly and prominently labeled link to the online privacy policy on the home or landing page or screen of the Web site or online service, AND at each area of the site or service where PI is collected from children. The link must be in close proximity to the request for PI. In the 1999 Statement of Basis and Purpose, the FTC explained that "clear and prominent" means that the link must stand out and be noticeable to the site's visitors through use, i.e. use a larger font size in a different color on a contrasting background. Please note that the FTC does not consider "clear and prominent" a link that is in small print at the bottom of the home page, or a link that is indistinguishable from a number of other, adjacent links, but a link that is at the bottom of a page may be acceptable if the manner in which it is presented makes it "clear and prominent."

Operators of general audience Web sites that contain a specific children's section can combine the privacy policies into one document, as long as the link for the children's privacy policy takes visitors directly to the point where that policy is OR it is clearly disclosed at the top of the general privacy policy that there is a specific section discussing the operator's information practices with regard to children [See the 1999 Statement of Basis and Purpose].

How About Mobile Apps?

With respect to mobile apps, the Amended Rule does not require that a privacy policy is posted in the app store at the point of purchase or download, however, the FTC encourages doing so as a best practice. [See FTC Staff Report, Mobile Apps for Kids: Disclosures Still Not Making the Grade (Dec. 2012)]. In fact, if a child-directed app is designed to collect PI as soon as it is downloaded, it would be necessary to provide direct notice and obtain verifiable consent at the point of purchase OR to insert a landing page were a parent can receive notice and give consent before the download is complete.

When Is Direct Notice to Parents Required Under the Amended COPPA Rule and What Is the Format and Content of Such Notice?

There are four (4) instances where a direct notice is required or appropriate and operators must make reasonable efforts, taking into consideration available technology, to ensure that the parent receives such notice. An operator will not be deemed to have made reasonable efforts to ensure that a parent receives notice where the notice to the parent was unable to be delivered:

  1. Operator seeks to obtain a parent's verifiable consent prior to the collection, use, and/or disclosure of a child's PI. The notice must:

    1. State that the operator has collected the parent's online contact information from the child, and, if such is the case, the name of the child or the parent, in order to obtain the parent's consent;
    2. State that the parent's consent is required for the collection, use, or disclosure of such information, and that the operator will not collect, use, or disclose any personal information from the child if the parent does not provide such consent;
    3. Set forth the additional items of PI the operator intends to collect from the child, or the potential opportunities for the disclosure of PI, should the parent provide consent;
    4. Contain a hyperlink to the operator's privacy policy;
    5. Provide the means by which the parent can provide verifiable consent to the collection, use, and disclosure of the information; and
    6. State that if the parent does not provide consent within a reasonable time from the date the direct notice was sent, the operator will delete the parent's online contact information from its records.

  2. Operator voluntarily seeks to provide notice to a parent of a child's online activities that do not involve the collection, use or disclosure of PI. The notice must:

    1. State that the operator has collected the parent's online contact information from the child in order to provide notice to, and subsequently update the parent about, a child's participation in a Web site or online service that does not otherwise collect, use, or disclose children's PI;
    2. State that the parent's online contact information will not be used or disclosed for any other purpose;
    3. State that the parent may refuse to permit the child's participation in the Web site or online service and may require the deletion of the parent's online contact information, and how the parent can do so; and
    4. Provide a hyperlink to the operator's privacy policy.

  3. Operator intends to communicate with the child multiple times via the child's online contact information and collects no other information. The notice must:

    1. State that the operator has collected the child's online contact information from the child in order to provide multiple online communications to the child;
    2. State that the operator has collected the parent's online contact information from the child in order to notify the parent that the child has registered to receive multiple online communications from the operator;
    3. State that the online contact information collected from the child will not be used for any other purpose, disclosed, or combined with any other information collected from the child;
    4. State that the parent may refuse to permit further contact with the child and require the deletion of the parent's and child's online contact information, and how the parent can do so;
    5. State that if the parent fails to respond to this direct notice, the operator may use the online contact information collected from the child for the purpose stated in the direct notice; and
    6. Provide a hyperlink to the operator's privacy policy.

  4. Operator's purpose for collecting a child's and a parent's name and online contact info if to protect a child's safety and the information is not used or disclosed for any other purpose. The notice must:

    1. State that the operator has collected the name and the online contact information of the child and the parent in order to protect the safety of a child;
    2. State that the information will not be used or disclosed for any purpose unrelated to the child's safety;
    3. State that the parent may refuse to permit the use, and require the deletion, of the information collected, and how the parent can do so;
    4. State that if the parent fails to respond to this direct notice, the operator may use the information for the purpose stated in the direct notice; and
    5. Provide a hyperlink to the operator's privacy policy.

PLEASE NOTE that when sending a direct notice to parents, an operator MAY NOT send a simple email containing just a link to the operator's privacy policy, the notice MUST contain certain key information as described above in addition to the link to the privacy policy.

How Does a Covered Operator Obtain Verifiable Parental Consent?

The Rule enumerates several non-exhaustive options described below to obtain verifiable parental consent [See § 312.5(b)], any method must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent. Operator can also file a written request with the FTC for pre-approval of a new consent mechanism.

If the operator is going to disclose a child's PI to third parties, or allow children to make it publicly available (e.g., through a social networking service, online forums, or personal profiles), the operators must use of the methods below:

  1. Providing a consent form to be signed by the parent and returned via U.S. mail, fax, or electronic scan (the "print-and-send" method); OR
  2. Requiring the parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder; OR
  3. Having the parent call a toll-free telephone number staffed by trained personnel, or have the parent connect to trained personnel via video-conference; OR
  4. Verifying a parent's identity by checking a form of government-issued identification against databases of such information, provided that the operator promptly deletes the parent's identification after completing the verification.

If the operator is going to use the child's PI only for internal purposes and does not disclose the PI, the operators can use of the methods described above or the "email plus" method of parental consent. "Email plus" allows an operator to request, in the direct notice sent to the parent's online contact address that the parent indicate consent in a return message to the operator. To properly use this method, the operator must take an additional confirming step after receiving the parent's message — this is the "plus" factor and can be either:

  1. Requesting in the initial message to the parent that the parent include a phone or fax number or mailing address in the reply message so that the operator can follow up with a confirming phone call, fax or letter to the parent; OR
  2. After a reasonable time delay, sending another message via the parent's online contact information to confirm consent. In this confirmatory message, the operator should include all the original information contained in the direct notice, inform the parent that he or she can revoke the consent, and inform the parent how to do so.

PLEASE NOTE that with respect to mobile apps, the mere entry of an app store account number or password, without other indicia of reliability (e.g., knowledge-based authentication questions or verification of government id), does NOT provide sufficient assurance that the person entering the account or password info is the parent, and not the child [See FTC FAQs].

An operator can collect the parent's "online contact information" to obtain or confirm parental consent, defined as:

  1. An email address;
  2. An IM user identifier;
  3. A VoIP identifier;
  4. A video chat user identifier; or
  5. Other substantially similar identifier.

BUT NOT the parent's mobile phone number. However, once an operator connects with the parent, it may request the mobile phone number for further communication.

Exceptions to Prior Parental Consent

  1. Where the sole purpose of collecting the name or online contact info of the parent or the child is to provide notice and obtain parental consent, if parental consent has not been obtained after a reasonable time from the date the info is collected, the info must be deleted.
  2. Where the purpose of collecting a parent's online contact information is to provide voluntary notice to, and subsequently update the parent about the child's participating in a Web site or online service that does not otherwise collect, use, or disclose the child's PI. Must make reasonable efforts to provide to the parent the notice required under §312.4(c)(2).
  3. Where the sole purpose of collecting online contact information from a child is to respond directly on a one-time basis to a specific request from the child, AND such information is not used to re-contact the child or for any other purpose, such information is not disclosed, AND is deleted by the operator from its records promptly after responding to the child's request (the "one-time contact" exception).
  4. Where the purpose of collecting a child's and a parent's online contact information is to respond directly more than once to the child's specific request, and not used for any other purpose, disclosed or combined with other info collected from the child. Must make reasonable efforts to provide to the parent the notice required under §312.4(c)(3).
  5. Where the purpose of collecting a child's and a parent's online contact information is to protect the safety of the child, and not used or disclosed for any purpose other than the child's safety. Must make reasonable efforts to provide to the parent the notice required under §312.4(c)(4).
  6. Where the purpose of collecting a child's name and online contact information is to: (i) protect the security or integrity of the Web site or online service, (ii) take precautions against liability, (iii) respond to judicial process; or (iv) to the extent permitted under other provisions of law, to provide info to law enforcement agencies for an investigation on a matter related to public safety; and where the child's info is not use for any other purpose.
  7. Where an operator collects a persistent identifier and no other PI and such identifier is used for the sole purpose of providing "support for internal operations" of the Web site or online service.
  8. Where a third party provider such as an ad network or plug-in integrated into a children-directed Web site or online service collects a persistent identifier and no other PI from a user who affirmatively interacts with the provider and whose previous registration with such provider indicates that the user is not a child under 13.

FTC Approved COPPA Safe Harbor Programs

Industry groups or other persons may apply to the FTC for approval of safe harbor programs. Several of the FTC-approved COPPA safe harbor programs offer parental notification and consent systems for operators who are members of their programs. Examples: TRUSTe COPPA Safe Harbor Program, Aristotle International, Inc. COPPA Safe Harbor Program [a copy of their application to the FTC can be found here], Entertainment Software Rating Board COPPA Safe Harbor Program, PRIVO COPPA Safe Harbor Program. The providers of these programs can carry out the notice and consent obligations for its members.

How Is COPPA Enforced?

COPPA is enforced by the FTC as well as by states (TX brought a COPPA action in 2007 and NJ in 2012) and other certain federal agencies (Dept. of Transportation, Office of the Comptroller of the Currency) with respect to entities over which they have jurisdiction.

What Are the Penalties for Violating COPPA?

A court can hold operators who violate the Rule liable for civil penalties of up to $16,000 per violation. The amount of civil penalties a court assesses may turn on a number of factors: (1) the egregiousness of the violations, (2) whether the operator has previously violated the Rule, (3) the number of children involved, (4) the amount and type of PI collected, (5) how the PI was used, (6) whether it was shared with third parties, and (7) the size of the company.

REMEMBER that the operator of a child-directed Web site or online service is held liable under COPPA for the collection of information that occurs on or through their site and services, even if the operator itself does not engage in such collection. The operator has a duty to conduct an inquiry into the info collection practices of every third party that can collect info via the operator's Web site or online service or app so that the operator can make an informed decision of whether it is required to give parents notice and obtain consent prior to such third party's collection of PI from children.

The Amended Rule mandates that operators take reasonable steps to release children's PI only to service providers and third parties who are capable of maintaining the confidentiality security and integrity of such information AND who provide assurances that they will maintain the information in such a manner.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Julia M. Siripurapu
Similar Articles
Relevancy Powered by MondaqAI
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions