Federal Internet Regulations: They're Not Just For Kids Anymore

Privacy is one of the hottest issues on the

Internet.† Until recently, there had been no federal regulations that

required any specific measures to protect privacy, apart from general

prohibitions against unfair and deceptive practices.† Online firms thus

had to abide by whatever privacy policy they published, or risk a class action

lawsuit or an enforcement proceeding by the Federal Trade Commission (FTC) for

deceptive practices.

The landscape changed this spring.† In

April, the FTC published privacy regulations to implement the Children's

Online Privacy Protection Act (COPPA), and in May it published proposed

regulations under the Financial Services Modernization Act of 1999.†

Although these two sets of regulations apply only to companies engaged in

certain specified activities, they both reflect four basic standards that the

FTC has described as ìwidely accepted fair information practices:î notice,

choice, access and security.† Consequently, any company that collects

personal information about consumers - essentially every company that does

business online - should take notice of the regulations, since they provide

useful guidelines for the kind of practices that are acceptable.

Privacy Regulation Under COPPA

An operator of an online service is subject to

COPPA if it meets two requirements.† First, the Act applies only to

operators of online services that are directed at or knowingly servicing

children under 13 years of age. The FTC has indicated that it will consider

several factors in determining whether a site is ìdirectedî at children,

including, but not limited to the site's: subject matter, content, age of

models, language, advertising, and the use of animated characters or other

ìchild-orientedî features.

Second, the Act applies only to sites that

collect personal information online.† Personal information is

individually identifiable information that would allow a child to be

identified and contacted, such as full name, address, email, telephone number,

or any information.†

The operator of a site that meets these two

requirements must: (1) provide notice as to how personal information is

collected, used and disclosed; (2) notify parents and obtain their consent

prior to collecting, using or disclosing information about a child; (3)

refrain from conditioning participation in activities on the provision of

personal information unnecessary for the activity; (4) allow parents to review

and amend their child's information as well as prohibit further collection;

and (5) establish procedures to protect the security of personal information

collected from children.†

Privacy Notice: Placement and Content

The FTC's Final...