October 23, 1998
The final rule [.pdf] as implemented by the Federal Trade Commision is also available.
TITLE XIII-CHILDREN’S ONLINE PRIVACY PROTECTION
SEC. 1301. SHORT TITLE.
This title may be cited as the «Children’s Online Privacy Protection Act of 1998».
SEC. 1302. DEFINITIONS.
In this title:
(1) CHILD.—The term «child» means an individual under the age of 13.
(2) OPERATOR.—The term «operator»—
(A) means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce—
(i) among the several States or with 1 or more foreign nations;
(ii) in any territory of the United States or in the District of Columbia, or between any such territory and—
(I) another such territory; or
(II) any State or foreign nation; or
(iii) between the District of Columbia and any State, territory, or foreign nation; but
(B) does not include any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45).
(3) COMMISSION.—The term «Commission» means the Federal Trade Commission.
(4) DISCLOSURE.—The term «disclosure» means, with respect to personal information—
(A) the release of personal information collected from a child in identifiable form by an operator for any purpose, except where such information is provided to a person other than the operator who provides support for the internal operations of the website and does not disclose or use that information for any other purpose; and
(B) making personal information collected from a child by a website or online service directed to children or with actual knowledge that such information was collected from a child, publicly available in identifiable form, by any means including by a public posting, through the Internet, or through—
(i) a home page of a website;
(ii) a pen pal service;
(iii) an electronic mail service;
(iv) a message board; or
(v) a chat room.
(5) FEDERAL AGENCY.—The term «Federal agency» means an agency, as that term is defined in section 551(1) of title 5, United States Code.
(6) INTERNET.—The term «Internet» means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/ Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire or radio.
(7) PARENT.—The term «parent» includes a legal guardian.
(8) PERSONAL INFORMATION.—The term «personal information» means individually identifiable information about an individual collected online, including—
(A) a first and last name;
(B) a home or other physical address including street name and name of a city or town;
(C) an e-mail address;
(D) a telephone number;
(E) a Social Security number;
(F) any other identifier that the Commission determines permits the physical or online contacting of a specific individual; or
(G) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph.
(9) VERIFIABLE PARENTAL CONSENT.—The term «verifiable parental consent» means any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that a parent of a child receives notice of the operator’s personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that child.
(10) WEBSITE OR ONLINE SERVICE DIRECTED TO CHILDREN.—
(A) IN GENERAL.—The term «website or online service directed to children» means—
(i) a commercial website or online service that is targeted to children; or
(ii) that portion of a commercial website or online service that is targeted to children.
(B) LIMITATION.—A commercial website or online service, or a portion of a commercial website or online service, shall not be deemed directed to children solely for referring or linking to a commercial website or online service directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link.
(11) PERSON.—The term «person» means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity.
(12) ONLINE CONTACT INFORMATION.—The term «online contact information» means an e-mail address or an-other substantially similar identifier that permits direct contact with a person online.
SEC. 1303. REGULATION OF UNFAIR AND DECEPTIVE ACTS AND PRACTICES IN CONNECTION WITH THE COLLECTION AND USE OF PERSONAL INFORMATION FROM AND ABOUT CHILDREN ON THE INTERNET.
(a) ACTS PROHIBITED.—
(1) IN GENERAL.—It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b).
(2) DISCLOSURE TO PARENT PROTECTED.—Notwithstanding paragraph (1), neither an operator of such a website or online service nor the operator’s agent shall be held to be liable under any Federal or State law for any disclosure made in good faith and following reasonable procedures in responding to a request for disclosure of per-sonal information under subsection (b)(1)(B)(iii) to the parent of a child.
(b) REGULATIONS.—
(1) IN GENERAL.—Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate under section 553 of title 5, United States Code, regulations that—
(A) require the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child—
(i) to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information; and
(ii) to obtain verifiable parental consent for the collection, use, or disclosure of personal information from children;
(B) require the operator to provide, upon request of a parent under this subparagraph whose child has provided personal information to that website or online service, upon proper identification of that parent, to such par-ent—
(i) a description of the specific types of personal information collected from the child by that operator;
(ii) the opportunity at any time to refuse to permit the operator’s further use or maintenance in retrievable form, or future online collection, of personal information from that child; and
(iii) notwithstanding any other provision of law, a means that is reasonable under the circumstances for the parent to obtain any personal information collected from that child;
(C) prohibit conditioning a child’s participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity; and
(D) require the operator of such a website or online service to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.
(2) WHEN CONSENT NOT REQUIRED.—The regulations shall provide that verifiable parental consent under paragraph (1)(A)(ii) is not required in the case of—
(A) online contact information collected from a child that is used only to respond directly on a one-time basis to a specific request from the child and is not used to recontact the child and is not maintained in retrievable form by the operator;
(B) a request for the name or online contact information of a parent or child that is used for the sole purpose of obtaining parental consent or providing notice under this section and where such information is not maintained in retrievable form by the operator if parental consent is not obtained after a reasonable time;
(C) online contact information collected from a child that is used only to respond more than once directly to a specific request from the child and is not used to recontact the child beyond the scope of that request—
(i) if, before any additional response after the initial response to the child, the operator uses reasonable efforts to provide a parent notice of the online contact information collected from the child, the purposes for which it is to be used, and an opportunity for the parent to request that the operator make no further use of the information and that it not be maintained in retrievable form; or
(ii) without notice to the parent in such circumstances as the Commission may determine are appropriate, taking into consideration the benefits to the child of access to information and services, and risks to the security and privacy of the child, in regulations promulgated under this subsection;
(D) the name of the child and online contact information (to the extent reasonably necessary to protect the safety of a child participant on the site)—
(i) used only for the purpose of protecting such safety;
(ii) not used to recontact the child or for any other purpose; and
(iii) not disclosed on the site, if the operator uses reasonable efforts to provide a parent notice of the name and online contact information collected from the child, the purposes for which it is to be used, and an opportunity for the parent to request that the operator make no further use of the information and that it not be maintained in retrievable form; or
(E) the collection, use, or dissemination of such information by the operator of such a website or online service necessary—
(i) to protect the security or integrity of its website;
(ii) to take precautions against liability;
(iii) to respond to judicial process; or
(iv) to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety. 1815
(3) TERMINATION OF SERVICE.—The regulations shall permit the operator of a website or an online service to terminate service provided to a child whose parent has refused, under the regulations prescribed under paragraph (1)(B)(ii), to permit the operator’s further use or maintenance in retrievable form, or future online collection, of personal information from that child.
(c) ENFORCEMENT.—Subject to sections 1304 and 1306, a violation of a regulation prescribed under subsection (a) shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(d) INCONSISTENT STATE LAW.—No State or local government may impose any liability for commercial activities or actions by operators in interstate or foreign commerce in connection with an activity or action described in this title that is inconsistent with the treatment of those activities or actions under this section.
SEC. 1304. SAFE HARBORS.
(a) GUIDELINES.—An operator may satisfy the requirements of regulations issued under section 1303(b) by following a set of self-regulatory guidelines, issued by representatives of the marketing or online industries, or by other persons, approved under subsection (b).
(b) INCENTIVES.—
(1) SELF-REGULATORY INCENTIVES.—In prescribing regulations under section 1303, the Commission shall provide incentives for self-regulation by operators to implement the protections afforded children under the regulatory requirements described in subsection (b) of that section.
(2) DEEMED COMPLIANCE.—Such incentives shall include provisions for ensuring that a person will be deemed to be in compliance with the requirements of the regulations under section 1303 if that person complies with guidelines that, after notice and comment, are approved by the Commission upon making a determination that the guidelines meet the requirements of the regulations issued under section 1303.
(3) EXPEDITED RESPONSE TO REQUESTS.—The Commission shall act upon requests for safe harbor treatment within 180 days of the filing of the request, and shall set forth in writing its conclusions with regard to such requests.
(c) APPEALS.—Final action by the Commission on a request for approval of guidelines, or the failure to act within 180 days on a request for approval of guidelines, submitted under subsection (b) may be appealed to a district court of the United States of appropriate jurisdiction as provided for in section 706 of title 5, United States Code.
SEC. 1305. ACTIONS BY STATES.
(a) IN GENERAL.—
(1) CIVIL ACTIONS.—In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that violates any regulation of the Commission prescribed under section 1303(b), the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction to—
(A) enjoin that practice;
(B) enforce compliance with the regulation;
(C) obtain damage, restitution, or other compensation on behalf of residents of the State; or
(D) obtain such other relief as the court may consider to be appropriate.
(2) NOTICE.—
(A) IN GENERAL.—Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Commission—
(i) written notice of that action; and
(ii) a copy of the complaint for that action.
(B) EXEMPTION.—
(i) IN GENERAL.—Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general determines that it is not feasible to provide the notice described in that subparagraph before the filing of the action.
(ii) NOTIFICATION.—In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Commission at the same time as the attorney general files the action.
(b) INTERVENTION.—
(1) IN GENERAL.—On receiving notice under subsection (a)(2), the Commission shall have the right to intervene in the action that is the subject of the notice.
(2) EFFECT OF INTERVENTION.—If the Commission intervenes in an action under subsection (a), it shall have the right—
(A) to be heard with respect to any matter that arises in that action; and
(B) to file a petition for appeal.
(3) AMICUS CURIAE.—Upon application to the court, a person whose self-regulatory guidelines have been approved by the Commission and are relied upon as a defense by any defendant to a proceeding under this section may file amicus curiae in that proceeding.
(c) CONSTRUCTION.—For purposes of bringing any civil action under subsection (a), nothing in this title shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to—
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of documentary and other evidence.
(d) ACTIONS BY THE COMMISSION.—In any case in which an action is instituted by or on behalf of the Commission for violation of any regulation prescribed under section 1303, no State may, during the pendency of that action, institute an action under subsection (a) against any defendant named in the complaint in that action for violation of that regulation.
(e) VENUE; SERVICE OF PROCESS.—
(1) VENUE.—Any action brought under subsection (a) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.
(2) SERVICE OF PROCESS.—In an action brought under subsection (a), process may be served in any district in which the defendant—
(A) is an inhabitant; or
(B) may be found.
SEC. 1306. ADMINISTRATION AND APPLICABILITY OF ACT.
(a) IN GENERAL.—Except as otherwise provided, this title shall be enforced by the Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
(b) PROVISIONS.—Compliance with the requirements imposed under this title shall be enforced under—(1) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), in the case of—
(A) national banks, and Federal branches and Federal agencies of foreign banks, by the Office of the Comptroller of the Currency;
(B) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25(a) of the Federal Reserve Act (12 U.S.C. 601 et seq. and 611 et seq.), by the Board; and
(C) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System) and insured State branches of foreign banks, by the Board of Direc- tors of the Federal Deposit Insurance Corporation;
(2) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), by the Director of the Office of Thrift Supervision, in the case of a savings association the deposits of which are insured by the Federal Deposit Insurance Corporation;
(3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) by the National Credit Union Administration Board with respect to any Federal credit union;
(4) part A of subtitle VII of title 49, United States Code, by the Secretary of Transportation with respect to any air carrier or foreign air carrier subject to that part;
(5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et seq.) (except as provided in section 406 of that Act (7 U.S.C. 226, 227)), by the Secretary of Agriculture with respect to any activities subject to that Act; and
(6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by the Farm Credit Administration with respect to any Federal land bank, Federal land bank association, Federal intermediate credit bank, or production credit association.
(c) EXERCISE OF CERTAIN POWERS.—For the purpose of the exercise by any agency referred to in subsection (a) of its powers under any Act referred to in that subsection, a violation of any requirement imposed under this title shall be deemed to be a violation of a requirement imposed under that Act. In addition to its powers under any provision of law specifically referred to in subsection (a), each of the agencies referred to in that subsection may exercise, for the purpose of enforcing compliance with any requirement imposed under this title, any other authority conferred on it by law.
(d) ACTIONS BY THE COMMISSION.—The Commission shall prevent any person from violating a rule of the Commission under section 1303 in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this title. Any entity that violates such rule shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act in the same manner, by the same means, and with the same jurisdiction, power, and duties as though all applicable terms and provisions of the Federal Trade Commission Act were incorporated into and made a part of this title.
(e) EFFECT ON OTHER LAWS.—Nothing contained in the Act shall be construed to limit the authority of the Commission under any other provisions of law.
SEC. 1307. REVIEW.
Not later than 5 years after the effective date of the regulations initially issued under section 1303, the Commission shall—
(1) review the implementation of this title, including the effect of the implementation of this title on practices relating to the collection and disclosure of information relating to children, children’s ability to obtain access to information of their choice online, and on the availability of websites directed to children; and
(2) prepare and submit to Congress a report on the results of the review under paragraph (1).
SEC. 1308. EFFECTIVE DATE. Sections 1303(a), 1305, and 1306 of this title take effect on the later of—
(1) the date that is 18 months after the date of enactment of this Act; or
(2) the date on which the Commission rules on the first application filed for safe harbor treatment under section 1304 if the Commission does not rule on the first such application within one year after the date of enactment of this Act, but in no case later than the date that is 30 months after the date of enactment of this Act.
http://www.cdt.org/legislation/105th/privacy/coppa.html