United States: Guide To Compliance With The Amended COPPA Rule

What Is COPPA?

  • Children's Online Privacy Protection Act, enacted by Congress in 1998
  • Congress directed the Federal Trade Commission (FTC), the nation's consumer protection agency, to issue and enforce regulations concerning children's online privacy
  • The FTC issued the Children's Online Privacy Protection Rule, effective April 21, 2000
  • The FTC issued an amended COPPA Rule on December 12, 2012, with an effective date of July 1, 2013.

PURPOSE OF COPPA: To place parents in control over what information is collected online from their children under 13.

SCOPE OF COPPA: applies to the following three (3) categories of online operators:

  1. Operators of commercial Web sites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information (PI) from children under 13 (including personal information about themselves, their parents, friends or other persons);

    1. "Online service" is broadly defined to cover any service available over the Internet, or that connects to the Internet or a wide-area network. Examples: services that allow users to play network-connected games, engage in social networking activities, purchase goods or services online, receive online advertisements or interact with other online content or services, mobile applications that connect to the Internet, VoIP services, Internet-enabled location-based services, Internet-enabled gaming platforms.
    2. "Web site or online service directed to children" is defined in §312.2 of COPPA. The following factors should be considered when determining whether a Web site or online service or portion thereof is directed to children: (i) the subject matter, (ii) the visual content, (iii) use of animated characters or child-oriented activities and incentives, (iv) music or other audio content, (v) age of models, (vi) presence of child celebrities or celebrities who appeal to children, (vii) language or other characteristics of the Web site or online service, and (viii) whether advertising promoting or appearing on the Web site or online service is directed to children. The FTC will also consider "competent and reliable empirical evidence" regarding the audience composition or intended audience of the Web site or online service. Lastly, a Web Site or online service will be deemed "directed to children" if it has actual knowledge that it is collecting PI directly from users of another Web site or online service that is directed to children.

  2. Operators of general audience Web sites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13;

    The Rule does not define the term "actual knowledge," but the FTC said that an operator has "actual knowledge" of a user's age if the site or service asks for — and receives — information from the user that allows it to determine the user's age. From article titled "Children's Online Privacy Protection Rule: Not Just for Kids' Sites" published by the FTC in April 2013]. Examples: (a) an operator who asks for a date of birth on a site's registration page has "actual knowledge" as defined by COPPA if a user responds with a year that suggests the user is under 13, or (b) an operator may also have "actual knowledge" based on answers to "age-identifying" questions like the following: "What grade are you in?" or "What type of school do you go to? (a) elementary; (b) middle; (c) high school; (d) college."

  3. Web sites or online services with "actual knowledge" that they are collecting personal information directly from users of another Web site or online service directed to children under 13. Examples: providers of plug-ins, advertising networks, and other third-party service providers

    1. A plug-in is a piece of software that acts as an add-on to a web browser and gives the browser additional functionality. Plug-ins can allow a web browser to display additional content it was not originally designed to display. Well-known browser plug-ins include the Adobe Flash Player, Adobe Reader, the Macromedia Flash Player, the QuickTime Player, and the Java plug-in. Most plug-ins are available as free downloads. To install the plug-in, you visit the website of the plug-in's developer and click on a link that will download the installer for the plug-in you have selected. Once you have downloaded the installer, you can open it and follow the prompts to install the plug-in on your system.
    2. An online advertising network or ad network is a company that connects advertisers to Web sites that want to host advertisements. The key function of an ad network is aggregation of ad space supply from publishers and matching it with advertiser demand. Online ad networks use a central ad server (a computer server, specifically a web server, that stores advertisements used in online marketing and delivers them to website visitors) to deliver advertisements to consumers, which enables targeting, tracking and reporting of impressions.

Examples of a third party's actual knowledge under COPPA: (a) if the operator of a child-directed site directly communicates to an ad network or plug-in about the nature of its site, the ad network or plug-in will have "actual knowledge" under COPPA, or (b) a representative of the ad network or plug-in recognizes the child-directed nature of the site's content [according to the FTC FAQ 39, it is unlikely that the mere collection of a URL from a child-directed site or service will constitute "actual knowledge"], or (c) if a concerned parent or someone else informs a representative of the ad network or plug-in that it is collecting PI from children under 13.

In addition, if in the future, an industry standard or agreed-upon convention is developed under which sites or services signal their child-directed status (e.g. via explicit signaling from the embedding web page to the third party), this will be deemed "actual knowledge" [See FTC FAQ 39].

PLEASE NOTE:

COPPA applies to the online collection of PI from children under 13 by a covered operator, even if children volunteer the PI OR are not required by the operator to input the information to participate on the Web site or service. COPPA does not apply to information about children under 13 collected online from parents or other adults, although the FTC expects that operators will keep confidential any information obtained from parents in the course of obtaining parental consent or providing for parental access pursuant to COPPA.

COPPA also covers operators that allow children under 13 to publicly post PI, such as in chat boards or product reviews.

COPPA also covers the passive tracking of PI of children under 13 through a persistent identifier and not just active collection.

COPPA does not require operators to investigate the age of visitors. An operator of a general audience Web site or service that chooses to screen its users for age may rely on the age information its users enter, even if that age information is not accurate (in some circumstances, this may mean that the children are registering on a site or service in violation of the operator's Terms of Service). However, if the operator later determines that a particular user is a child under 13, COPPA's notice and parental consent requirements will be triggered.

SCREENING USERS FOR AGE: Web sites or online services (including apps) directed to children may NOT screen users for age, unless it falls under a narrow exception: the Website or online service does not target children under 13 as its primary audience (e.g., Disney.com is a child-directed site that targets children under 13 as well as parents and younger teens). An operator meeting these standards may age-screen its users if it: (i) does not collect PI from any visitor before collecting age information, and (ii) prevents the collection, use, or disclosure of PI from visitors who identify themselves as under the age 13 without first complying with the Amended Rule's notice and parental consent provisions. An operator of a Web site or online service directed to children may NOT block children from participating in the Web site or online service; you may decide to offer different activities or functions to your users depending on age, but you may NOT altogether prohibit children from participating in your child-directed site or online service.

However, operators of a general audience Web site or online service MAY block children under 13 from participating if they choose to do so, the FTC staff recommends using a cookie to prevent children from back-buttoning to enter a different age.

COPPA does not apply to nonprofit entities, unless they operate for the profit of their commercial members (essentially COPPA only applies to entities that are subject to Section 5 of the FTC Act, i.e. all persons engaged in commerce, including banks). However, the FTC encourages such entities to post privacy policies online and to provide COPPA's protections to their visitors who are children under 13.

Foreign-based Web sites and online services must comply with COPPA if they are directed to children under 13 in the U.S. OR if they knowingly collect personal information from children under 13 in the U.S. The definition of "operator" under COPPA includes foreign-based Web sites and online services that are involved in commerce in the U.S. or its territories. Also, U.S.-based sites that collect information from foreign children are also subject to COPPA.

What Is Personal Information (PI) Under COPPA?

One or more of the following elements:

  1. First and last name; OR
  2. A home or other physical address including street name and name of city/town; OR
  3. Online contact information; OR
  4. A screen or user name that functions as online contact information (includes not only an email address, but any other "substantially similar identifier that permits direct contact with a person online"); OR
  5. A telephone number; OR
  6. A social security number; OR
  7. A persistent identifier that can be used to recognize a user over time and across different Web sites or online services (such as a customer number held in a cookie, an IP address, a processor or device serial number, or a unique device identifier that can be used to recognize a user over time and across different sites, even where such identifier is NOT paired with other items of PI); OR
  8. A photo, video, or audio file, where such file contains a child's imagine or voice [but NOT if facial features are blurred by operator before posting on the site, provided that all other PI is removed, such as geolocation metadata]; OR
  9. Geolocation information sufficient to identify street name and name of a city/town (including where an app take the user's longitude and latitude coordinates and translates them into a precise location on a map); OR
  10. Information concerning the child or the parents of that child that an operator collects online from the child and combines with an identifier described above.

What Must Operators Covered by the Rule Do to Comply with COPPA?

  1. Post a clear and comprehensive online privacy policy describing their information practices for PI collected online from children under 13;
  2. Make reasonable efforts (taking into account available technology) to provide direct notice to parents of the operator's practices with regard to the collection, use, or disclosure of PI from children under 13, including notice of any material change to such practices to which the parents has previously consented;
  3. Obtain verifiable parental consent, with limited exceptions, prior to any collection, use, and/or disclosure of PI from children under 13;
  4. Provide a reasonable means for a parent to review the PI collected from their child and to refuse to permit its further use or maintenance;
  5. Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the PI collected from children under 13, including by taking reasonable steps to disclose/release such PI only to parties capable of maintaining its confidentiality and security; and
  6. Retain PI collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
  7. Operators are prohibited from conditioning a child's participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity.

Changes to Be Implemented By Operators to Comply with the Amended Rule

The Amended Rule applies to any PI that is collected after the effective date of July 1, 2013. However, since the Amended Rule added 4 new categories of PI, operators that collected and used such information before it was considered PI will have the following obligations regarding use and disclosure as of July 1, 2013:

  1. GEOLOCATION INFORMATION: If you collected geolocation information (any geolocation info that provides information precise enough to identify the name of a street AND city/town) from a child prior to July 1, 2013 and have not obtained parental consent, you are required to obtain parental consent immediately. Operators are required to obtain parental consent prior to collecting geolocation information, regardless of when such data is collected.
  2. PHOTOS OR VIDEOS CONTAINING A CHILD'S IMAGE OR AUDIO FILES WITH A CHILD'S VOICE FROM A CHILD: If you collected photos or videos containing a child's image or audio files with a child's voice from a child prior to July 1, 2013 and have not obtained parental consent, you are not required, but encouraged by the FTC (as a best practice) to either obtain parental consent if possible or discontinue use or disclosure of such information after July 1, 2013.
  3. SCREEN OR USE NAME: If you collected any screen or user name that functions in the same manner as online contact information from a child prior to July 1, 2013 and have not obtained parental consent, you are not required, but encouraged by the FTC (as a best practice) to obtain parental consent if possible. However, if after July 1, 2013, an operator associates new information with a previously collected screen or user name, you are required to obtain parental consent.
  4. PERSISTENT IDENTIFIERS: If you collected any persistent identifiers that can be used to recognize a user over time and across different Web sites or online services from a child prior to July 1, 2013 and have not obtained parental consent, you are not required, but encouraged by the FTC (as a best practice) to obtain parental consent if possible. However, if after July 1, 2013, an operator continues to collect or associates new information with such persistent identifier (such as info about a child's activities on the operator's site or online services), this collection of information triggers COPPA and parental consent is required, unless collection falls under an exception such as support for the internal operations of the site or online service.
  5. BOTTOM LINE: Parental consent is NOT REQUIRED for the following categories of information that were collected from children under 13 before July 1, 2013:

    1. Photos, videos, and audio files containing a child's image or voice;
    2. Screen or user names that function as online contact information UNLESS the operator combines them with new information after July 1, 2013; and
    3. Persistent identifiers, UNLESS the operator continues to collect the persistent identifiers or combines them with new information after July 1, 2013.

What Information Must Operators Covered by COPPA Include in Their Online Privacy Policies?

Section 312.4(d) of the Amended Rule identifies the information that must be disclosed in an operator's online privacy policy:

  1. Name, address, telephone number, and email address of ALL operators collecting or maintaining PI through the Web site or service (or, after listing the names of all such operators, provide the contact information for just one that will handle all inquiries from parents;

    1. To keep your online privacy policy simple, you may include a clear and prominent link in the policy to the complete list of operators, as opposed to listing every operator in the policy itself. Must ensure that the privacy policy signals parents to, and enables them to easily access, this list of operators.
  2. A description of what information the operator collects from children, including whether the operator enables children to make their PI publicly available, how the operator uses such information, and the operator's disclosure practices for such information; AND

    Since persistent identifiers are included in the definition of PI under the Amended Rule, an operator must disclose in the privacy policy the collection, use or disclosure of such persistent identifiers unless (1) the operator collects no other PI, and (2) such persistent identifiers are collected on or through the site or service solely for the purpose of providing "support for the internal operations" of the site or service.

    1. "Support for internal operations of the Web site or online service," as defined in §312.2, means activities necessary for the site or service to:

      1. Maintain or analyze its functioning;
      2. Perform network communications;
      3. Authenticate users or personalize content; (NOT behavioral advertising!)
      4. Serve contextual advertising or cap the frequency of advertising;
      5. Protect the security or integrity of the user, Web site, or online service;
      6. Ensure legal or regulatory compliance; or
      7. Fulfill a request of a child as permitted by COPPA §312.5(c)(3) [Where the operator collects online contact information from a child to be used to respond directly more than once to a specific request from the child, and where such information is not used for any other purpose.] and (4) [Where the operator collects a child's name and online contact information to the extent reasonably necessary to protect the safety of a child participant on the website or online service, and the operator uses reasonable efforts to provide a parent notice as described in § 312.4(c), where such information is: (i) Used for the sole purpose of protecting the child's safety; (ii) Not used to re-contact the child or for any other purpose; and (iii) Not disclosed on the website or online service].
    2. Persistent identifiers collected for the sole purpose of providing support for the internal operations of the Web site or online service do not require parental consent, so long as no other PI is collected AND the persistent identifiers are not used or disclosed to contact a specific individual (including through behavioral advertising) or for any other purpose.
    3. Both a child-directed Web site and a third-party plug-in that collecting persistent identifiers from children under 13 can rely on the "support for internal operations" exception, if the only PI collected are persistent identifiers for purposes outlined in the "support for internal operations" definition above.
  3. A statement that the parent can review or have deleted the child's PI and refuse to permit its further collection or use, and state the procedures for doing so.

    1. "Delete" is defined as "to remove personal information such that it is not maintained in retrievable form and cannot be retrieved in the normal course of business."

Where Should an Operator Covered by COPPA Post Links to Its Online Privacy Policy?

Post a clearly and prominently labeled link to the online privacy policy on the home or landing page or screen of the Web site or online service, AND at each area of the site or service where PI is collected from children. The link must be in close proximity to the request for PI. In the 1999 Statement of Basis and Purpose, the FTC explained that "clear and prominent" means that the link must stand out and be noticeable to the site's visitors through use, i.e. use a larger font size in a different color on a contrasting background. Please note that the FTC does not consider "clear and prominent" a link that is in small print at the bottom of the home page, or a link that is indistinguishable from a number of other, adjacent links, but a link that is at the bottom of a page may be acceptable if the manner in which it is presented makes it "clear and prominent."

Operators of general audience Web sites that contain a specific children's section can combine the privacy policies into one document, as long as the link for the children's privacy policy takes visitors directly to the point where that policy is OR it is clearly disclosed at the top of the general privacy policy that there is a specific section discussing the operator's information practices with regard to children [See the 1999 Statement of Basis and Purpose].

How About Mobile Apps?

With respect to mobile apps, the Amended Rule does not require that a privacy policy is posted in the app store at the point of purchase or download, however, the FTC encourages doing so as a best practice. [See FTC Staff Report, Mobile Apps for Kids: Disclosures Still Not Making the Grade (Dec. 2012)]. In fact, if a child-directed app is designed to collect PI as soon as it is downloaded, it would be necessary to provide direct notice and obtain verifiable consent at the point of purchase OR to insert a landing page were a parent can receive notice and give consent before the download is complete.

When Is Direct Notice to Parents Required Under the Amended COPPA Rule and What Is the Format and Content of Such Notice?

There are four (4) instances where a direct notice is required or appropriate and operators must make reasonable efforts, taking into consideration available technology, to ensure that the parent receives such notice. An operator will not be deemed to have made reasonable efforts to ensure that a parent receives notice where the notice to the parent was unable to be delivered:

  1. Operator seeks to obtain a parent's verifiable consent prior to the collection, use, and/or disclosure of a child's PI. The notice must:

    1. State that the operator has collected the parent's online contact information from the child, and, if such is the case, the name of the child or the parent, in order to obtain the parent's consent;
    2. State that the parent's consent is required for the collection, use, or disclosure of such information, and that the operator will not collect, use, or disclose any personal information from the child if the parent does not provide such consent;
    3. Set forth the additional items of PI the operator intends to collect from the child, or the potential opportunities for the disclosure of PI, should the parent provide consent;
    4. Contain a hyperlink to the operator's privacy policy;
    5. Provide the means by which the parent can provide verifiable consent to the collection, use, and disclosure of the information; and
    6. State that if the parent does not provide consent within a reasonable time from the date the direct notice was sent, the operator will delete the parent's online contact information from its records.

  2. Operator voluntarily seeks to provide notice to a parent of a child's online activities that do not involve the collection, use or disclosure of PI. The notice must:

    1. State that the operator has collected the parent's online contact information from the child in order to provide notice to, and subsequently update the parent about, a child's participation in a Web site or online service that does not otherwise collect, use, or disclose children's PI;
    2. State that the parent's online contact information will not be used or disclosed for any other purpose;
    3. State that the parent may refuse to permit the child's participation in the Web site or online service and may require the deletion of the parent's online contact information, and how the parent can do so; and
    4. Provide a hyperlink to the operator's privacy policy.

  3. Operator intends to communicate with the child multiple times via the child's online contact information and collects no other information. The notice must:

    1. State that the operator has collected the child's online contact information from the child in order to provide multiple online communications to the child;
    2. State that the operator has collected the parent's online contact information from the child in order to notify the parent that the child has registered to receive multiple online communications from the operator;
    3. State that the online contact information collected from the child will not be used for any other purpose, disclosed, or combined with any other information collected from the child;
    4. State that the parent may refuse to permit further contact with the child and require the deletion of the parent's and child's online contact information, and how the parent can do so;
    5. State that if the parent fails to respond to this direct notice, the operator may use the online contact information collected from the child for the purpose stated in the direct notice; and
    6. Provide a hyperlink to the operator's privacy policy.

  4. Operator's purpose for collecting a child's and a parent's name and online contact info if to protect a child's safety and the information is not used or disclosed for any other purpose. The notice must:

    1. State that the operator has collected the name and the online contact information of the child and the parent in order to protect the safety of a child;
    2. State that the information will not be used or disclosed for any purpose unrelated to the child's safety;
    3. State that the parent may refuse to permit the use, and require the deletion, of the information collected, and how the parent can do so;
    4. State that if the parent fails to respond to this direct notice, the operator may use the information for the purpose stated in the direct notice; and
    5. Provide a hyperlink to the operator's privacy policy.

PLEASE NOTE that when sending a direct notice to parents, an operator MAY NOT send a simple email containing just a link to the operator's privacy policy, the notice MUST contain certain key information as described above in addition to the link to the privacy policy.

How Does a Covered Operator Obtain Verifiable Parental Consent?

The Rule enumerates several non-exhaustive options described below to obtain verifiable parental consent [See § 312.5(b)], any method must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent. Operator can also file a written request with the FTC for pre-approval of a new consent mechanism.

If the operator is going to disclose a child's PI to third parties, or allow children to make it publicly available (e.g., through a social networking service, online forums, or personal profiles), the operators must use of the methods below:

  1. Providing a consent form to be signed by the parent and returned via U.S. mail, fax, or electronic scan (the "print-and-send" method); OR
  2. Requiring the parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder; OR
  3. Having the parent call a toll-free telephone number staffed by trained personnel, or have the parent connect to trained personnel via video-conference; OR
  4. Verifying a parent's identity by checking a form of government-issued identification against databases of such information, provided that the operator promptly deletes the parent's identification after completing the verification.

If the operator is going to use the child's PI only for internal purposes and does not disclose the PI, the operators can use of the methods described above or the "email plus" method of parental consent. "Email plus" allows an operator to request, in the direct notice sent to the parent's online contact address that the parent indicate consent in a return message to the operator. To properly use this method, the operator must take an additional confirming step after receiving the parent's message — this is the "plus" factor and can be either:

  1. Requesting in the initial message to the parent that the parent include a phone or fax number or mailing address in the reply message so that the operator can follow up with a confirming phone call, fax or letter to the parent; OR
  2. After a reasonable time delay, sending another message via the parent's online contact information to confirm consent. In this confirmatory message, the operator should include all the original information contained in the direct notice, inform the parent that he or she can revoke the consent, and inform the parent how to do so.

PLEASE NOTE that with respect to mobile apps, the mere entry of an app store account number or password, without other indicia of reliability (e.g., knowledge-based authentication questions or verification of government id), does NOT provide sufficient assurance that the person entering the account or password info is the parent, and not the child [See FTC FAQs].

An operator can collect the parent's "online contact information" to obtain or confirm parental consent, defined as:

  1. An email address;
  2. An IM user identifier;
  3. A VoIP identifier;
  4. A video chat user identifier; or
  5. Other substantially similar identifier.

BUT NOT the parent's mobile phone number. However, once an operator connects with the parent, it may request the mobile phone number for further communication.

Exceptions to Prior Parental Consent

  1. Where the sole purpose of collecting the name or online contact info of the parent or the child is to provide notice and obtain parental consent, if parental consent has not been obtained after a reasonable time from the date the info is collected, the info must be deleted.
  2. Where the purpose of collecting a parent's online contact information is to provide voluntary notice to, and subsequently update the parent about the child's participating in a Web site or online service that does not otherwise collect, use, or disclose the child's PI. Must make reasonable efforts to provide to the parent the notice required under §312.4(c)(2).
  3. Where the sole purpose of collecting online contact information from a child is to respond directly on a one-time basis to a specific request from the child, AND such information is not used to re-contact the child or for any other purpose, such information is not disclosed, AND is deleted by the operator from its records promptly after responding to the child's request (the "one-time contact" exception).
  4. Where the purpose of collecting a child's and a parent's online contact information is to respond directly more than once to the child's specific request, and not used for any other purpose, disclosed or combined with other info collected from the child. Must make reasonable efforts to provide to the parent the notice required under §312.4(c)(3).
  5. Where the purpose of collecting a child's and a parent's online contact information is to protect the safety of the child, and not used or disclosed for any purpose other than the child's safety. Must make reasonable efforts to provide to the parent the notice required under §312.4(c)(4).
  6. Where the purpose of collecting a child's name and online contact information is to: (i) protect the security or integrity of the Web site or online service, (ii) take precautions against liability, (iii) respond to judicial process; or (iv) to the extent permitted under other provisions of law, to provide info to law enforcement agencies for an investigation on a matter related to public safety; and where the child's info is not use for any other purpose.
  7. Where an operator collects a persistent identifier and no other PI and such identifier is used for the sole purpose of providing "support for internal operations" of the Web site or online service.
  8. Where a third party provider such as an ad network or plug-in integrated into a children-directed Web site or online service collects a persistent identifier and no other PI from a user who affirmatively interacts with the provider and whose previous registration with such provider indicates that the user is not a child under 13.

FTC Approved COPPA Safe Harbor Programs

Industry groups or other persons may apply to the FTC for approval of safe harbor programs. Several of the FTC-approved COPPA safe harbor programs offer parental notification and consent systems for operators who are members of their programs. Examples: TRUSTe COPPA Safe Harbor Program, Aristotle International, Inc. COPPA Safe Harbor Program [a copy of their application to the FTC can be found here], Entertainment Software Rating Board COPPA Safe Harbor Program, PRIVO COPPA Safe Harbor Program. The providers of these programs can carry out the notice and consent obligations for its members.

How Is COPPA Enforced?

COPPA is enforced by the FTC as well as by states (TX brought a COPPA action in 2007 and NJ in 2012) and other certain federal agencies (Dept. of Transportation, Office of the Comptroller of the Currency) with respect to entities over which they have jurisdiction.

What Are the Penalties for Violating COPPA?

A court can hold operators who violate the Rule liable for civil penalties of up to $16,000 per violation. The amount of civil penalties a court assesses may turn on a number of factors: (1) the egregiousness of the violations, (2) whether the operator has previously violated the Rule, (3) the number of children involved, (4) the amount and type of PI collected, (5) how the PI was used, (6) whether it was shared with third parties, and (7) the size of the company.

REMEMBER that the operator of a child-directed Web site or online service is held liable under COPPA for the collection of information that occurs on or through their site and services, even if the operator itself does not engage in such collection. The operator has a duty to conduct an inquiry into the info collection practices of every third party that can collect info via the operator's Web site or online service or app so that the operator can make an informed decision of whether it is required to give parents notice and obtain consent prior to such third party's collection of PI from children.

The Amended Rule mandates that operators take reasonable steps to release children's PI only to service providers and third parties who are capable of maintaining the confidentiality security and integrity of such information AND who provide assurances that they will maintain the information in such a manner.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Julia M. Siripurapu
 
In association with
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Emails

From time to time Mondaq may send you emails promoting Mondaq services including new services. You may opt out of receiving such emails by clicking below.

*** If you do not wish to receive any future announcements of services offered by Mondaq you may opt out by clicking here .

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.