Preparing an FTC-Compliant Privacy Notice For Your Website
Charles Carreon
GENERAL WEBSITE REQUIREMENTS
Since the FTC is our privacy cop, to the extent we have one, you want to make sure that your website privacy policy complies with their concerns. The FTC has adopted the “OECD privacy guidelines” and recommends use of the “OECD privacy policy statement generator.” The privacy policy statement generator is basically a questionnaire that walks you through the process of creating a privacy statement for your website. Naturally, the FTC, which is careful about what it says, notes that just because the OECD generator creates your privacy policy doesn't mean that it complies with anything. I've used the generator to create a privacy policy, and it gives the average website user more information than they can use. Still, I think it works well as what OECD says it is — an educational device. And it generates a policy that, if you tell it the truth, and you do all the things the resulting policy says you do, would be very respectful of consumer privacy. Which we all should be.
COPPA COMPLIANCE — REQUIREMENTS FOR WEBSITES THAT COLLECT CUSTOMER DATA FROM KIDS UNDER 13
One place where the FTC has seen fit to charge ahead aggressively is in the area of protecting children from abusive information collection tactics. The FTC says that the Children's Online Privacy Protection Act, and the Rule adopted to enforce it, are intended “to place parents in control over when information is collected from their children online.” The rule applies to websites “directed to children.” The FTC applies the following factors to determine whether a website is directed to children: consideration of the subject matter of the site, the language used, the use of animated characters, and “empirical evidence” regarding the ages of website visitors. Although websites directed to children that do not collect personal data from website visitors are not required to provide the special COPPA notices described below, the FTC suggests that the website disclose this fact up front in its general privacy policy in order to put parents at ease.
Before we discuss the notice requirements imposed by COPPA, however, let's consider what a children's website cannot do. The FTC has banned the use of activities like games or prize offers that condition a child's participation on the disclosure of more personal information “than is reasonably necessary to participate in the activity.” The FTC explains that although it would be reasonably necessary for a website to collect a child's mailing address in order to deliver a prize, the same could not be said if the purpose was to deliver only an email newsletter. The Rule requires that privacy policies state this prohibition explicitly. Thus, children's website operators must refrain from over-collecting data using fun activities as a lure, and must inform parents in the privacy policy of the ban, and of the website's compliance with the ban.
The required privacy policy must be linked to the website's home page, or on the home page of the children's area of a general audience site. Links to the privacy policy should also appear close to areas where personal information is collected from children. The main link must be clear and prominent, and labeled so visitors will understand that the link leads to the privacy policy. A simple link that says “privacy policy” is sufficient.
In order to comply with the notice requirements of the rule, a COPPA-compliant privacy policy must have specific content. The policy must describe the site's information practices completely, and must not contain confusing or contradictory information. In order to allow parents to know who will see and use their children's personal information, the privacy policy must provide contact information for the “operators collecting or maintaining personal information from children through the website.” The policy must also state exactly what information is collected from children, using “descriptors like name, address, telephone number, hobbies, gender, or age.”
The privacy policy must also disclose how the website will use the personal information internally, explaining for example “that email addresses are used to send weekly newsletters, or that a mailing address is used to send a prize or magazine subscription or fulfill another request.” If a website will provide children with an opportunity to disclose personal information publicly, in chat rooms, on message boards, or through email accounts, this must also be disclosed.
If a website shares personal information that it collects from children with third parties, the privacy policy must explain what type of business the third parties are engaged in and how they will use information obtained from children. The privacy policy must also state whether the third parties receiving this information have promised to keep it confidential and secure. The rule defines “third parties” as persons not operating the website or providing internal operations support. Even a corporate subsidiary, affiliate or partner will be considered a “third party” unless it is using the information solely to provide “internal support.”
Finally, a privacy policy must inform parents of their rights under COPPA. You can consider them “the three R's” for “Review, Refuse, and Require.” Under COPPA, a parent must be informed in the privacy policy that it is their right to Review personal information that has been recorded by the website about their children, Refuse to allow further collection of the information, and to Require the deletion of any information that has been recorded. The privacy policy should also provide contact information, like an email address or toll-free telephone number, so parents can easily exercise these rights.
The FTC has provided a clear workbook, which you will find in the Legal Documents, entitled “You, Your Privacy Policy and COPPA.” It includes a checklist consisting of 30 yes or no questions, which will help you whip up a COPPA-compliant privacy policy for your website, if you need one.