Program Requirements for the Collection, Use, and Disclosure of Information from Children
Privo recognizes the importance of maintaining a safe and secure environment for children online. To help
facilitate this type of environment for children online, Privo offers these seven requirements as guidelines that
companies must follow when operating websites directed in whole or in part to children 12 years old and under that
collect information from children, or that have actual knowledge they collect information from children 12 years old
and under.
Specifically, companies that are participants in the Privacy Assurance Program ("Members") must comply
with the rules and regulations contained in the Children's Online Privacy Protection Rule (16 C.F.R. Part 312) ("Rule")
implementing the Children's Online Privacy Protection Act (15 U.S.C. 6501 et seq.) ("COPPA"). In
addition, Members must implement each of the seven requirements described below:
Requirement 1: Notice/Disclosure of Information
Members that collect personal information from children twelve years old or under must post a prominent link that is
clearly labeled Privacy Policy or such similar notice that links the children to a description of the Member's
information collection, use, and disclosure practices.
The privacy policy link must be plainly visible on the homepage and on each web page where personal information is
collected from children and in close proximity to the requests for information in each such area. For general audience
websites, the privacy policy link must be plainly visible on the first page of the children's section of the website.
Privacy Policies must be clear and understandable, and should not contain unrelated, contradictory, or confusing
material. Privacy Policies must describe the following information:
A. Member Contact Information : Members must include their complete contact information. Such information must include
the name, mailing address, telephone number, and email address. In cases where more than one company is responsible for
a website, the Member may choose to respond to all inquiries from parents concerning the Member's privacy policies;
provided that, the names of all persons or companies collecting personal information through the website are listed.
B. Types of Personal Information Collected : Members must describe the types of personal information collected
and whether the personal information is collected directly or passively.
C. Use of Personal Information: Members must describe how personal information is used.
D. Disclosure of Personal Information : Members must state whether personal information is disclosed to
third parties. If the Member does disclose personal information, the Member must: (1) describe the types of
business in which such third parties are engaged and the general purposes for which the information is used; (2)
whether the third parties have agreed to maintain the confidentiality, security, and integrity of the personal information
they obtain from the Member; and, (3) that the parent has the option to consent to the collection and use of their
child's personal information without consenting to the disclosure of that information to third parties.
E. Control Over Personal Information : Members must state in their privacy policies the choices available to the
parent and the child regarding how the child's personal information is collected and used.
F. Restrictions on Information Collection : Members must state that they are prohibited from conditioning a
child's participation in an activity on the child's disclosing more personal information than is reasonably
necessary to participate in such activity.
G. Access to Information : Members must state that parents can review the child's personal information, update
the child's information, have such information deleted, and refuse to permit further collection or use of the child's
information. Members must also indicate the procedures that the parent must follow to access their child's personal
information.
H. Questions/Complaints : Members must state in their privacy policies where the parent or child can address any
questions or complaints that they may have about the website's information practices.
Requirement 2: Direct Notice to Parents
Members must make reasonable efforts to ensure that a parent of a child receives notice of the Member's information
collection, use, and disclosure practices with regard to children, including notice of any material change in the
collection, use, or disclosure practices to which the parent had previously consented.
Direct Notices to Parents must contain the following information:
A. Privacy Policy Information : Members must include all of the information that is necessitated as part of
Requirement 1, above.
B. Purpose is to Collect Information : Members must state that they wish to collect personal information from the
child.
C. Parental Consent Required : Members must state that the parent's consent is required for the collection,
use, or disclosure of child's personal information. Members must also provide the method by which a parent may give
such consent.
Except for certain circumstances described under Requirement 3(C), Members must meet the requirements
described above and obtain prior verifiable parental consent before they are allowed to collect personal information
from children.
Requirement 3: Prior Verifiable Parental Consent
A. Generally : Members must obtain verifiable parental consent before any collection, use, or disclosure of
personal information from children. Members must also obtain such consent to any material change in the collection, use,
or disclosure practices to which the parent has previously consented.
B. Method for Obtaining Verifiable Parental Consent : To comply with Requirement 3 (Prior Verifiable Parental
Consent), Members must obtain prior verifiable parental consent. Any method to obtain prior verifiable parental consent
must be reasonably calculated, in light of the available technology, to ensure that the person providing consent is the
child's parent.
Methods to obtain prior verifiable parental consent include: (i) providing a consent form to be signed
by the parent and returned to the Member by postal mail or facsimile; (ii) requiring the parent to use a credit
card in connection with a transaction; (iii) having a parent call a toll–free telephone number staffed by
trained personnel; or (iv) using the PrivoLock™ system.
Members must give the parent the option to consent to the collection and use of the child's personal information
without consenting to disclosure of that information to third parties.
C. Exceptions to Verifiable Parental Consent : Even though verifiable parental consent is required under most
situations before a Member is permitted to collect, use, or disclose a child's personal information, there are a
few exceptions where a Member will be allowed to collect a child's first name or online contact information before
obtaining consent from the child's parent. The exceptions to prior verifiable parental consent are as follows:
• Required Parental Consent – Members may collect the first name or online contact information of a
child to be used for the sole purpose of obtaining the parental consent. If a Member has not obtained parental consent
after a reasonable time from the date of the information collection, the Member must delete such information from its
records. Members that collect the first name or online contact information from a child under this exception must provide
direct notice to the parent. The direct notice must include all privacy policy
information (See Requirement 2(A), above) and notify the parent that the Member has collected the child's
first name and email address to respond to and obtain consent from the parent. If the Member has not obtained parental
consent after a reasonable time from the date the information is collected, the Member must delete such information from
its records.
• One–Time Request – Members may collect the online contact information of a child for the sole
purpose of responding directly, on a one–time basis, to a specific request from the child. Members that collect the
online contact information from a child under this exception must not use the information to re–contact the child
after the initial response and must delete the child's personal information. Direct notice is not required under this
exception.
• Multiple Requests – Members may collect the online contact information from a child to be used to
respond directly more than once to a specific request from the child so long as the information is not used for any other
purpose. Members that obtain the online contact information from a child under this exception must provide direct notice
to the parent. The direct notice must: (1) include all privacy policy information (See Requirement 2(A),
above); (2) notify the parent that the
Member has collected the child's online contact information to respond to the child's request; (3) explain
the nature and
intended use of the information; (4) inform the parent that they may request that the Member make no further use
of the information
and that such information be deleted; (5) describe the procedures by which the parent can refuse to allow further
contact and
information collection from the child; and, (6) explain that if the parent does not opt–out, the Member may
use the information
for the purposes stated in the direct notice. The direct notice must be sent after the initial response and before making
any additional response to the child.
• Child Safety – Members may collect the child's first name or online contact information
to the
extent reasonably necessary to protect the safety of a child participant on the website where the Member used reasonable
efforts to
provide notice to the parent. The information collected by a Member under this exception must be used for the sole purpose
of protecting the child's safety, must not be used to re–contact the child or for any other purpose than for the
purpose stated in this exception, and must not be disclosed by a Member on its website. The direct notice
must: (1) include all privacy policy information (See Requirement 2(A), above); (2) notify
the parent that the Member has collected the child's online contact information to protect the safety of the child
participating on the website; (3) inform the parent that they may refuse to permit the use of the information and
may require its deletion, and inform them how they can have the informati–on deleted; and, (4) explain that
if the parent does not opt–out, the Member may use the information for the purposes stated in the direct notice.
• Additional Safety Concerns – Members may collect a child's first name or online contact
information to protect the security or integrity of its website, to take precautions against liability, to respond to
judicial process, or to provide information to law enforcement agencies or investigations on matters related to public
safety so long as the information is not used for any other purpose. Direct notice is not required under this exception.
Requirement 4: Access and Review
Members must provide parents with the ability to access and review their child's personal
information. Parental review and access must consist of: (a) a description of the specific types of personal
information collected from the child; (b) the opportunity at any time to refuse to permit the Member's further
using or collecting the child's personal information; and, (c) the ability to direct the Member to delete the
child's personal information from the Member's records.
In addition to providing the ability for a parent to access and review their child's personal information, Members
must take reasonable steps to ensure that the individual requesting access is the child's parent.
Acceptable steps for authenticating the identity of the individual online include a username and password unique to the
individual or, if access is requested over the telephone, asking a series of questions that only a parent of the child
would have knowledge of (e.g., parent's name, mailing address, email address, child's name, child's email
address, etc..).
Requirement 5: Restrictions on Information Collection
Members are prohibited from conditioning a child's participation in an activity on the child's disclosing
more personal information than is reasonably necessary to participate in such activity.
Requirement 6: Confidentiality, Security and Integrity of Information
Members must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity
of personal information collected from children.
Requirement 7: Compliance/Enforcement
A. Program Representative : Members must appoint a program representative for the website(s). The program
representative shall be the individual responsible for overseeing the website's compliance with the Privacy Assurance
Program. The program representative shall be given the authority to investigate all inquiries concerning the website's
privacy policy and information practices and in a timely manner.
B. Initial and Annual Self–Evaluation : Members must conduct an evaluation of their website's information
collection, use, and disclosure practices. Each Member will be required to complete and attest to the accuracy of the
statements they make on a self–evaluation form about their information practices. Once Privo receives
the self–evaluation form, a Privo representative will independently review the website's posted privacy policy,
information practices, and the self–evaluation form for compliance with the Program Requirements. Once the Member's
website is determined to be in full compliance with the Program Requirements, it will then be listed as a Member
participating in the Privacy Assurance Program. Members are required to complete a self–evaluation form on an
annual basis to ensure that their website's information practices are consistent with their posted privacy
policies and the Program Requirements.
C. Compliance Monitoring : Members must submit to monitoring of their website's information practices.
The purpose of monitoring reviews is to ensure that a Member's privacy policy is consistent with its website's
information practices. Monitoring reviews also allow Privo to verify that the Member's website complies with the
Program Requirements at all times. The compliance monitoring will be conducted on a quarterly basis. In addition to
the quarterly monitoring, Members must also agree to submit to periodic, unannounced reviews of their website. These
unannounced reviews will be used to further verify that the Member remains in full compliance with the Program Requirements.
If Privo determines that a violation of the requirements has occurred, the Member is informed of such violation and
the corrective actions that must be taken to bring the Member's website into compliance. Failure to take the corrective
actions can result in a number of consequences including removal from the Privacy Assurance Program and referral to the
appropriate governmental agency.
D. Consumer Complaints/Monitoring : Members must provide the parent and the child with reasonable and effective means
to submit complaints that they may have about the Member's information practices. The Privacy Assurance Program also
offers the parent and the child with the opportunity to submit complaints about any Member directly to Privo. A Privo
representative responds to all complaints immediately. Members must agree to work with Privo representatives in their
efforts to resolve all complaints that are submitted to the Privacy Assurance Program.
Members must maintain records for a period of three (3) years of all complaints, concerns, or inquiries received
about its website and any responses to the consumer addressing such complaint or concern.
• Membership Agreement : Members must execute the Privacy Assurance Program membership agreement. As part
of this agreement, Members agree to comply with the Program Requirements at all times. In the event that a Member fails to meet
any of its obligations under the membership agreement, such actions would constitute a material breach of the agreement and its
membership in the Privacy Assurance Program would be terminated.
F. Investigations/Referral to Governmental Agencies : If Privo determines, after a thorough investigation into the Member's
information practices, that a Member has violated its posted privacy policy or any of the requirements described above, Privo
may refer such Member to the Federal Trade Commission for possible unfair and deceptive trade practices.
For more information, please contact Privo at info@privo.com |
