FTC COPPA FAQs - I know that the amended Rule made some changes to the direct notice that must be sent to parents before I collect personal information from children. What are those changes?

Q:  I know that the amended Rule made some changes to the direct notice that must be sent to parents before I collect personal information from children.  What are those changes?
 
A:  The Rule requires operators to make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives direct notice of the operator’s practices with regard to the collection, use, or disclosure of personal information from children, including notice of any material changes to practices to which the parent previously consented.  The amended Rule significantly changed the format and content of the information that must be included in an operator’s direct notice to parents.  The Rule now provides a very detailed roadmap of what information must be included in your direct notice depending upon what personal information is collected and for what purposes.
 
There are four instances where a direct notice is required or appropriate under the Rule:
 
Where an operator seeks to obtain a parent’s verifiable consent prior to the collection, use, or disclosure of a child’s personal information.  In this case, the direct notice must:
  • State that the operator has collected the parent’s online contact information from the child, and, if such is the case, the name of the child or the parent, in order to obtain the parent’s consent;
  • State that the parent’s consent is required for the collection, use, or disclosure of such information, and that the operator will not collect, use, or disclose any personal information from the child if the parent does not provide such consent;
  • Set forth the additional items of personal information the operator intends to collect from the child, or the potential opportunities for the disclosure of personal information, should the parent provide consent;
  • Contain a hyperlink to the operator’s online notice of its information practices (i.e., its privacy policy); 
  • Provide the means by which the parent can provide verifiable consent to the collection, use, and disclosure of the information; and
  • State that if the parent does not provide consent within a reasonable time from the date the direct notice was sent, the operator will delete the parent’s online contact information from its records.  See 16 C.F.R. § 312.4(c)(1).
     
Where an operator voluntarily seeks to provide notice to a parent of a child’s online activities that do not involve the collection, use or disclosure of personal information. In this case, the direct notice must:
  • State that the operator has collected the parent’s online contact information from the child in order to provide notice to, and subsequently update the parent about, a child’s participation in a website or online service that does not otherwise collect, use, or disclose children’s personal information;
  • State that the parent’s online contact information will not be used or disclosed for any other purpose;
  • State that the parent may refuse to permit the child’s participation in the website or online service and may require the deletion of the parent’s online contact information, and how the parent can do so; and
  • Provide a hyperlink to the operator’s online notice of its information practices.  See 16 C.F.R. § 312.4(c)(2).
     
Where an operator intends to communicate with the child multiple times via the child’s online contact information and collects no other information. In this case, the direct notice must:
  • State that the operator has collected the child’s online contact information from the child in order to provide multiple online communications to the child;
  • State that the operator has collected the parent’s online contact information from the child in order to notify the parent that the child has registered to receive multiple online communications from the operator;
  • State that the online contact information collected from the child will not be used for any other purpose, disclosed, or combined with any other information collected from the child;
  • State that the parent may refuse to permit further contact with the child and require the deletion of the parent’s and child’s online contact information, and how the parent can do so;
  • State that if the parent fails to respond to this direct notice, the operator may use the online contact information collected from the child for the purpose stated in the direct notice; and
  • Provide a hyperlink to the operator’s online notice of its information practices.  See 16 C.F.R. § 312.4(c)(3).
     
Where the operator’s purpose for collecting a child’s and a parent’s name and online contact information is to protect a child’s safety and the information is not used or disclosed for any other purpose. In this case, the direct notice must:
  • State that the operator has collected the name and the online contact information of the child and the parent in order to protect the safety of a child;
  • State that the information will not be used or disclosed for any purpose unrelated to the child’s safety;
  • State that the parent may refuse to permit the use, and require the deletion, of the information collected, and how the parent can do so;
  • State that if the parent fails to respond to this direct notice, the operator may use the information for the purpose stated in the direct notice; and
  • Provide a hyperlink to the operator’s online notice of its information practices. See 16 C.F.R. § 312.4(c)(4).
     
 
ADDITIONAL INFORMATION:
This information was obtained from the FTC’s webpage on “Complying with COPPA: Frequently Asked Questions.” https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions
