Protecting Children’s Privacy Under COPPA: A Survey on Compliance
A Survey on Compliance
i
Executive Summary
Since the passage of the Children’s Online Privacy Protection Act (COPPA), websites that
collect personal information from children under 13 have made significant progress in protecting
children’s safety and privacy on the Internet. However, a survey of children’s websites
conducted by the Federal Trade Commission (Commission) in April 2001 shows that the rest of
the story on children’s privacy protection remains to be written: While a majority of the sites
provided some key privacy protections for children’s personal information, they did not comply
with all the requirements of the Rule.
Congress enacted COPPA in 1998 to limit the collection of personally identifiable
information from youngsters without their parents’ consent. The Commission’s Rule
implementing COPPA, effective since April 2000, requires websites to post a complete privacy
policy, notify parents directly about their information collection practices, and get verifiable
parental consent before collecting personal information from their children – or sharing it with
others.
According to the Commission’s survey of the information collection practices of 144
children’s websites – conducted a year after the implementing rule took effect – at least 90
percent of the websites provided a privacy policy that said whether the site collected personal
information, how the information was used, and whether the information was shared with third
parties. The survey also indicates that the types and amounts of information collected by
websites are more limited than they used to be, suggesting a heightened awareness of the safety
and privacy concerns about collecting information from children.
At the same time, however, the survey shows that full compliance with the Rule has yet to be
attained. For example, only about half the websites complied with the provision that requires
sites to say they are prohibited from conditioning a child’s participation in an activity on the
child’s disclosing more personal information than is reasonably necessary for the activity.
Further, only about half the sites complied with the provision that requires them to inform
parents of their right to review, have deleted, and refuse the further collection and use of their
children’s personal information.
In the time since the Rule became effective, the Commission has sought to educate websites
about the Rule’s requirements through compliance guides, seminars and the media. In July
Protecting Children's Privacy Under COPPA
ii
2000, Commission staff also sent emails to scores of children’s websites to remind them of the
Rule’s provisions. In April 2001, the Commission announced its first round of settlements for
violations for the Rule, and since then has settled another two cases.
Although the advances made since the Rule's effective date are heartening, better compliance
is needed. To meet its goal of protecting the privacy and safety of children's personal
information, the Commission will continue to bring cases to enforce COPPA and to educate
businesses and consumers. As part of its educational effort, with the release of its survey report,
the Commission is publishing a privacy policy compliance guide for the operators of children's
websites.
A Survey on Compliance
1
I. Introduction
This report – assessing the information collection practices of children’s websites – provides
the Commission with a snapshot of websites’ compliance with the Rule one year after it went
into effect. While highlighting the general trend of increased compliance, the report also
identifies particular aspects of the Rule to which websites were not fully adhering. In addition,
the report establishes a benchmark for future analysis of Rule compliance and assists the
Commission in evaluating changes in websites’ information collection practices since the
Commission’s last formal survey of children’s websites in 1998. Part II of this report outlines
the requirements that website operators must follow to safeguard children’s privacy and security.
Part III details the findings of the review of websites that the Commission conducted in April
2001 to examine the information practices on 144 websites primarily directed to children 12 and
under. Part IV compares these findings with the results of the Commission’s 1998 review of
children’s websites. Finally, Part V sets forth general conclusions that may be drawn from the
Commission’s 2001 review.
II. Overview
The Children’s Online Privacy Protection Act and Rule
Congress enacted the Children’s Online Privacy Protection Act in October 1998.1
This Act
directed the Commission to set forth limited rules governing the online collection of personal
information from children 12 and under. The Commission accordingly promulgated the
Children’s Online Privacy Protection Rule (the “Rule”), which went into effect April 21, 2000.2
The Act and the Rule will be referenced interchangeably as “COPPA.”
Protecting Children's Privacy Under COPPA
2
COPPA Requirements
COPPA applies to operators of commercial websites directed to children 12 and under that collect or
maintain personal information, as well as other websites that have actual knowledge that they are
collecting or maintaining personal information from a child 12 and under.3 Principally, COPPA
requires website operators to:
Post a privacy policy on the website.
Websites directed to children that collect personal information and other websites that knowingly
collect personal information from children 12 and under must post a privacy policy. In the policy,
website operators must inform the visitor about the types of personal information they collect from
children; how the site will use the information; and whether such personal information is shared
with advertisers or other third parties. A link to the privacy policy must be located on the home
page of the website and at each area where personal information is collected.
Provide notice directly to parents.
In certain circumstances, websites must send direct notice to a parent of the site’s information
practices and give parents the opportunity to opt out on behalf of their child.
Get parental consent.
With limited exceptions,4 a site must obtain verifiable parental consent before collecting, using or
disclosing personal information about a child or before allowing children to open an email account
or post messages in a chatroom or on a bulletin board.5
Website operators need to notify parents and get consent again if they materially change the kinds of
information they collect, change how they use the information, or offer the information to new and
different third parties.
Websites must give parents the option of consenting to the website’s internal use of the child’s
personal information, without having to consent to the website’s disclosure of that personal
information to third parties.
Allow parents to review personal information collected from their children.
Before doing this, website operators must verify the identity of the requesting parent.
Allow parents to revoke their consent, and delete information collected from their
children at the parents’ request.
Parents can revoke their consent and ask that information about their children be deleted from the
site’s database. When a parent revokes consent, the website must stop collecting, using or disclosing
information from that child. The site may end a child’s participation in an activity on the website if
the information it collected was necessary for participation in that activity.
Establish and maintain reasonable procedures to protect the confidentiality, security,
and integrity of children’s personal information.
Not condition a child’s participation in certain activities on collection of more personal
information than is reasonably necessary.
3
4
5
A Survey on Compliance
3
III.Survey of Websites Primarily Directed to Children
The Commission conducted this survey (the “Survey”) to evaluate the impact of the Rule on
websites’ information practices one year after its effective date (April 21, 2000). The Survey
reviewed information practices on 144 websites primarily directed to children 12 and under.6
The websites included in the Survey were drawn from web traffic data purchased from
Nielsen//NetRatings. Surfers winnowed a list of 1253 sites meeting certain criteria to 144
unique, operable commercial sites that were considered “primarily directed to children.”7
The Survey started with two fundamental questions: whether the sites collected personal
information, and whether they posted a privacy policy. For those sites that collected personal
information, Commission staff catalogued the types of personal information collected and the
activities that the sites offered, as well as whether there was an indication that the site had a
parental notice and/or consent mechanism in place. Next, the staff examined whether each site
linked to its privacy policy from the home page and from at least one information collection
point. The staff then turned to the privacy policy itself, to review the sites’ practices for notice
and/or parental consent as set out in the policy. The staff also determined whether certain
information practice disclosures specifically required by COPPA were present in the sites’
privacy policies. The analysis set forth below tracks the issues addressed in the Survey.
Collection of Information by Websites Primarily Directed to Children
Commission staff surveyed the aforementioned 144 websites to determine whether they
collected personal information from children online, and, if so, to identify the types of
information that they collected.8
The survey showed that 104 of the sites (72%) collected
personal information online.9
Nearly two-thirds (63%) of these 104 sites collected the child’s
full name, while 85% collected the child’s email address. Seven percent collected the parent’s
full name, and 45% collected the parent’s email address. Over half (56%) collected another
person’s email address, often in connection with an electronic postcard activity. Only 9% of the
sites collected a telephone number, 14% collected a full home address or other mailing address,
and none collected a fax number or Social Security number.
Protecting Children's Privacy Under COPPA
4
Types of Personal Information Collected
0%
14%
9%
56%
45%
7%
85%
63%
0% 20% 40% 60% 80% 100%
Fax/SSN
Home/Mailing Address
Telephone Number
Another Person's Email Address
Parent's Email Address
Parent's Name
Child's Email Address
Child's Name
More than half (56%, or 58 of 104) of the sites that collected personal information limited
their collection to particular pieces of information – parent name, child/parent email address or
another person’s email address – which may be collected without prior parental consent if the
website uses the information for limited purposes and then deletes the information.10 In addition
to these 58 sites, another 29 sites (28%, or 29 of 104) would also fit within one of the exceptions
if they collected only the child’s first name rather than the child’s full name.11 To summarize,
the vast majority of sites that collected personal information (84%, or 87 sites) appear to have
collected this information to obtain consent or would otherwise fit under one of the Rule’s
exceptions — if minor adjustments were made to their information collection practices —
depending upon how the site used the information.
A Survey on Compliance
5
Activities Available to Children Online
83%
85%
65%
52%
48%
42%
29%
13%
10%
7%
0% 20% 40% 60% 80% 100%
Other Activities
Games, Quizzes
Contest, Poll, Survey
Electonic card, Postcard
Register for site, club
Receive Newsletter, Mailing List
Bulletin Boards, Message Boards
Chatrooms, Forums
Homework Help
Email Accounts
Activities Available on Children’s Websites
The Survey showed that websites directed to children provide a wide array of activities.12
Common activities offered by websites included offers, contests, and surveys; email accounts;
email newsletters; chat rooms; bulletin boards and message boards; electronic postcards; and
homework help. The most popular activities were games or quizzes, with about 85% of the sites
offering children this opportunity.
Every site that collected personal information offered at least one type of activity for
children. Two-thirds (65%) allowed children to take advantage of an offer or participate in a
contest, poll, or survey. Approximately half of the sites gave children the opportunity to send an
electronic card or postcard (52%), join or register for the site or a club (48%), or receive a
newsletter or be placed on a mailing list (42%). Less frequently, sites offered bulletin boards or
message boards (29%), chatrooms or forums (13%), email accounts (7%), or homework help
Protecting Children's Privacy Under COPPA
6
(10%). And 83% of the sites offered other activities, including screen savers and downloads,
music downloads or movie stills, printing and coloring, arts and crafts, etc.
Virtually all of the sites offering an activity (97%, 101 of 104) collected an email address in
connection with at least one activity. In many cases, this information was likely sought in order
to allow the operator to contact parents to obtain consent or to fulfill a one-time request of the
child, such as sending an electronic postcard to a friend. Two-thirds of the sites (68%, 71 of
104) collected some type of personal information other than an email address in connection with
an activity.
Consent
The surfers examined each site to determine whether the site had any parental consent or
notification mechanisms in place.13 In performing this review, surfers looked past
representations in the privacy policy about the sites’ practices, and focused on the websites’
actual practices.14 Surfers found evidence of one or more parental consent or notification
mechanisms on almost half of the sites that collected personal information (47%, or 49 sites). In
most cases (43 of 49, 88%), sites asked for the parent’s email address in order to email the parent
and to obtain consent. Fourteen sites (29%) provided a “print and send” form, and one provided
a toll-free number. Three (6%) provided some other mechanism such as credit card verification.
As discussed above, if a website collects personal information within one of the exceptions
set forth in the Rule, the site is not required to obtain prior parental consent. In addition to the
47% of sites (49 of 104) that had a parental consent or notification mechanism in place, another
18% (19 of 104 sites) collected information that may have come within one of the exceptions
and therefore would not necessarily have triggered the parental consent requirement. The
remaining 35% (36 of 104) collected too much information to fall within an exception to
obtaining prior parental consent: 8% (8 of 104) collected either a telephone number or a
mailing address and another 27% (28 of 104) collected either the child’s or parent’s full name in
cases where they should not have.
A Survey on Compliance
7
Consent Mechanisms In Place:
Number of Sites Providing Consent Mechanisms
43
14
1 3
0
5
10
15
20
25
30
35
40
45
50
Requested Parent's
Email Address
Provided "Print and
Send" Form
Provided Toll Free
Number
Provided Other Consent
Mechanism
Note: Sites may have employed more than one mechanism.
Presence of Privacy Policies
The vast majority of the sites that collected personal information had privacy policies – 93 of
104 sites (89%). COPPA requires that websites place a link to the privacy policy on the home
page (or home page of the children’s area, for general audience sites with a children’s area) and
on each page where personal information is collected. Eighty-two percent of the sites that
collected information (85 of 104) linked to the privacy policy from the home page, and 76% (79
of 104) had a link to the privacy policy on at least one page where personal information was
collected.15
Additionally, 27 of 40 (68%) sites that were not collecting personal information at the time
of the Survey also had privacy policies. Of these 27 sites, 24 (89%) indicated in their privacy
policies that the site did or might collect personal information, suggesting that most of the sites
that were not collecting personal information at the time of the Survey did collect personal
information at other times.
Protecting Children's Privacy Under COPPA
8
Contents of Privacy Policy:
Information Collection and Use
99% 97%
91%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Site Stated It Does or May
Collect Personal
Information
Site Disclosed Type of
Information Collected
Site Disclosed Intended
Use of Child's Information
Content of Privacy Policies
As part of the Survey, surfers reviewed the privacy policies of sites that collected personal
information to determine whether sites were making COPPA-required disclosures about their
information practices.
Information Collection and Use
Virtually all (99%, 92 of 93) of the sites that collected personal information and that had
privacy policies disclosed in their policies that the site did, or might, collect personal
information. Ninety-seven percent of those (89 of 92), in turn, disclosed the types of personal
information that the site collected.16 Moreover, 91% (84 of 92 sites, or 81% of the 104 total sites
that collected information) disclosed how the child’s personal information, once collected, was
used or might be used.
A Survey on Compliance
9
Sites Providing Operator Contact Information
82% 79%
67%
53%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Name Email Address Physical Address Telephone Number
Operator Information
COPPA requires that the website operator’s contact information – name, address, telephone
number, and email address – must all be set forth in the privacy policy. Of those sites with
privacy policies that indicated that they collected personal information (92 sites), the significant
majority disclosed the website operator’s name (82%) and email address (79%). Sixty-seven
percent gave the operator’s address, and 53% provided the operator’s telephone number.
Operators did not universally provide all four types of contact information – only 47 of 92 sites
(51%) provided all four pieces of contact information.17 On the positive side, these figures show
that most sites now provide parents with the ability to contact the sites to ask questions and
resolve problems about their information practices: 75 of 92 sites provided either an email
address or a telephone number so that parents could easily reach the site.
Protecting Children's Privacy Under COPPA
10
Disclosure of Parental Rights:
Percentage of Sites that Disclosed…
52% 51%
57%
41%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Operator Prohibited from
Conditioning
Participation in Activity
on Unnecessary
Disclosure
Parent's Right to Review
Personal Information
Parent's Right to Delete
Personal Information
Parent's Right to Refuse
Further Collection or Use
of Personal Information
Note: Percentage is based on the 92 sites that disclosed that they collected personal information.
Informing Parents of their Rights
COPPA prohibits a website from conditioning a child’s participation in an activity on
disclosure of more personal information than is reasonably necessary to participate in that
activity.18 COPPA also requires that the website disclose to parents, in its privacy policy, that it
is bound by this requirement.19 The purpose of this disclosure requirement is to ensure that
parents know about this limitation so that they are able to monitor a site’s information collection
practices and, if warranted, object to collection of more information than is reasonably
necessary. Little more than half of the sites (52%, 48 of 92), however, made this disclosure. It is
not clear whether these sites were not complying with the substantive requirement prohibiting
them from collecting more personal information than needed, or whether they were complying
with that requirement but simply not saying so in the privacy policy.
COPPA also imposes obligations on websites to inform parents about their rights with
respect to information that is collected about their children. For example, websites must disclose
A Survey on Compliance
11
that: 1) parents can review personal information that the site has collected from the child; 2)
parents can have the child’s personal information deleted; and 3) parents can refuse to permit
further collection or use of the child’s personal information.20 Slightly more than half the sites
disclosed that parents may review (51%) or have the personal information deleted (57%), and
41% disclosed that a parent can refuse to permit further collection or use of the information. It is
important to note, however, that sites that did not make these disclosures may nevertheless have
been in compliance with COPPA, because such a disclosure would not be necessary in cases
where the website had no information to be reviewed or deleted – for example, if the website
collected personal information under an email exception and did not retain the information, but
rather deleted it immediately after its use.21
Is the Sharing of Information Disclosed?
Where a website collects personal information that is in turn disclosed to third parties, the
site operator has additional duties under COPPA. The privacy policy must disclose the types of
business in which the third parties are engaged; the general purposes for which the information is
used; whether the third parties have agreed to maintain the confidentiality, security and integrity
of the personal information; and that the parent has the option to consent to the operator’s
collection and use of personal information, without also consenting to its disclosure to third
parties.22
The Survey first identified sites whose privacy policy indicated that the site did or might
share personal information with third parties. Of the 32 sites (35%) that indicated the site did or
might disclose personal information to third parties,23 41% disclosed the types of businesses in
which the third parties were engaged. About a third of the sites (31%) disclosed that the parent
has the option to consent to the operator’s collection and use of personal information, without
consenting to disclosure to third parties. Note, however, that some of these sites may not have
actually disclosed personal information to third parties: they simply may have been reserving
the right to do so in the future, in which case the site would not be required to make these types
of disclosures. Thus, those sites’ failure to provide the additional disclosures does not
necessarily mean that their privacy policies fail to meet COPPA requirements. However, if a site
decided to begin disclosing personal information to third parties, it would need to provide direct
Protecting Children's Privacy Under COPPA
12
notice to parents and obtain affirmative parental consent before making this material change to
its practices.
Parental Consent Mechanisms
Although COPPA does not require that privacy policies disclose the particular method(s) by
which parents can provide notice or consent,24 the Survey assessed whether privacy policies
addressed those concepts in order to gather as much information about websites’ information
practices as possible. Almost three quarters of sites (73%, 67 of 92) discussed notice or consent
in connection with the collection of children’s personal information, and more than half of those
(54%, 36 of 67) indicated the specific method or methods that the site used to obtain consent.25
According to the privacy policies, just over half of the sites (53%, 19 of 36) used a “print and
send” form that could be faxed or mailed in, and the same number (53%, 19 of 36)
communicated with parents via email. Thirty-one percent (11 of 36) of the sites employed some
other mechanism, such as a credit card verification method, and 17% (6 of 36) provided a
telephone number for parents to call.
Limitations of the Survey
Despite the value of surveys such as this as an information-gathering tool, it is important to
note that this Survey was based solely on a review of publicly available information provided on
websites primarily directed to children. As such, the Survey’s value as an instrument to measure
actual overall “compliance” with COPPA is inherently limited. The Survey can provide at best a
rough measure of the degree to which children’s sites apparently comply.
The Survey could be said to understate compliance in some respects. Take, for example, a
site that asks the child to enter the child’s and another person’s email address to send an
electronic postcard. Assume that the Survey results showed that the site did not allow the parent
an opportunity to review that information and did not state in its privacy policy that parents have
that right. These omissions would on their face appear to violate COPPA. It could, however, be
the case that the site does not retain any personal information from children; rather, it may
operate within an email exception and may simply process and transmit the electronic postcard
and immediately delete all email addresses. Accordingly, the website’s privacy policy may not
A Survey on Compliance
13
offer the parents a right to review the child’s personal information because there is no personal
information to review.
On the other hand, the Survey could be said to overstate compliance with COPPA in other
respects. For example, a site may not actually adhere to the COPPA-compliant practices stated
in its privacy policy – for example, a site could represent that information will only be used for
internal purposes, but it may actually share that information with third parties despite this
representation. Although some clear violations of COPPA can be discerned from these data –
such as, whether a site posts a link to the privacy policy on the home page – others can only be
established by investigation of each site’s actual practices. Moreover, the Survey did not
examine the practices of those sites that, while not directed to children, have actual knowledge
that they are collecting personal information from visitors age 12 and under. Therefore, one
must be cautious in drawing conclusions about overall compliance with COPPA based simply on
facial observations of websites’ practices.
IV. Comparisons of Survey Data
Some of the questions about children’s sites’ practices addressed in this Survey were also
examined in the Commission’s previous survey of children’s sites conducted in 1998 (the “1998
Survey”).26 For illustration purposes, the results of the two surveys are compared in this section.
It is important to recognize, however, that differences between the survey methodologies, such
as the composition of the survey sample, lead to expected variation in the results.27
The data suggest that fewer sites were collecting personal information online. In the 1998
Survey, 89% of the children’s sites surveyed collected personal information, as opposed to 72%
of the sites in this survey.28 Sites directed to children were apparently collecting fewer types of
personal information as well.29 The 1998 Survey results showed that 74% of the sites that
collected personal information collected a name, 49% collected postal address, 24% collected a
phone number, 6% collected a fax number, and 1% collected a Social Security number.30 This
Survey reported a substantial decrease in the number of sites that collected a home postal
address, telephone number or name as compared to the 1998 Survey.31
Protecting Children's Privacy Under COPPA
14
Comparison of Survey Data
Sites Collecting Personal Information According to …
89%
72%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
1998 FTC Survey 2001 FTC Survey
Note: Survey comparison is for illustration purposes only.
Nearly all of the sites surveyed in April 2001 that collected personal information (93 of 104,
89%) had privacy policies, whereas only 24% of the children’s sites surveyed in 1998 had posted
a privacy policy.
Finally, 49 of 104 sites (47%) in this Survey provided a way for parents to consent or give
permission for information collection from their child, and 73% (67 of 92) of the sites with
privacy policies stating that they collect personal information (or 67 (64%) of the 104 total sites
that collected personal information) discussed parental notice or consent in their privacy policies.
By comparison, in the 1998 Survey, less than 10% of the sites either notified parents of their
information practices, or gave parents the option to ask that their child’s personal information be
deleted or not used in the future.32
Although differences in the surveys’ methodologies caution against placing great weight on
these changes, in each case the data appear to reflect less collection of personal information from
children and improvement in sites’ notice and consent practices.
A Survey on Compliance
15
V. Conclusions
These data suggest two general conclusions. First, websites are now substantially complying
with the requirement that they inform parents and other visitors of their information collection
practices with respect to children’s personal information. The lion’s share of children’s sites, in
the 90% range, provided a privacy policy and declared in that privacy policy whether the site
collected personal information, how that personal information was used, and whether the site
provided that information to third parties. This level of protection for children’s personal
information represents a major step forward compared to the privacy practices in place before
COPPA was enacted. Information collection is apparently more limited now, in ways that
suggest that sites are also complying with COPPA by availing themselves of exceptions to the
notice and consent provisions. As those exceptions were designed to apply to situations where
the risk of privacy and security breaches are less likely, this change, if actual, is a positive one.
Second, the Survey suggests that other key COPPA provisions, such as the requirements
about COPPA-specific disclosures that must be made in privacy policies, have been followed
less consistently. In addition, depending upon how sites use certain personal information that
they have collected, such as a child’s email address, compliance with the direct notice and
consent requirements of the Rule also may be uneven. Although it is difficult to ascertain
precisely how many sites might not be providing these types of protections, it is possible that as
many as half of the sites have not fully implemented these aspects of the Rule. Undoubtedly,
substantially more sites are providing these protections than were doing so before the enactment
of COPPA, but there is room for improvement.
A Survey on Compliance
17
1. See Children’s Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501-6506 (2001).
2. See 16 C.F.R. § 312 (2001).
3. This summary highlights only certain provisions of COPPA. For a complete explanation of
the Rule’s applicability and requirements please see 16 C.F.R. § 312, available at
http://www.ftc.gov/os/1999/9910/64fr59888.htm.
4. Consent is not required when a site collects an email address to respond to a one-time
request from the child, to provide notice to the parent, to ensure the safety of the child or the
site, or to send a newsletter or other information on a regular basis. If the website is going
to use the email address to contact the child on a regular basis, a notice must be sent to the
parent, letting the parent know about the regular contact and giving the parent a chance to
say no to the arrangement.
5. Acceptable methods for obtaining consent include a “print and send” form to be completed
and returned by the parent, a toll-free number for parents to call, or an email with password
or PIN number. For sites that use the child’s personal information only for internal
purposes, and do not disclose it to the public or third parties or allow the child to do so
through an email account or chatroom, an “email plus” format can be used to obtain
consent. “Email plus” allows the parent to consent by email, as long as the site confirms the
parent’s consent through another contact, such as a second email, a telephone call, or postal
mail notice.
6. These sites included general audience sites with a designated children’s area “primarily
directed to children 12 and under” within the same URL.
7. The selection procedure is spelled out in detail in Appendix A (“Methodology”).
8. The staff surveyed only certain types of “personal information” as defined in the Rule:
child’s full name; child’s email address; parent’s full name; parent’s email address; home
address or other mailing address; telephone number; fax number; Social Security number; or
another person’s email address. The Survey thus did not determine whether other types of
“personal information” as defined in the Rule, such as an instant messaging user identifier
or a persistent identifier held in a cookie where such identifier is associated with
individually identifiable information, were requested. The Survey also did not include other
types of information that are not considered “personal information” for purposes of the Rule
unless combined with an identifier, such as anonymous or demographic information.
The Survey called for surfers to note only those types of personal information that the
websites attempted to collect from children before obtaining verifiable parental consent.
For example, if a website collected personal information in conjunction with a credit card
number, such submission was assumed to be by the parent because it involved a credit card
transaction.
Endnotes
Protecting Children's Privacy Under COPPA
18
9. Review of the sites’ privacy policies indicates that some of the 40 sites that were not
collecting personal information at the time of the Survey do collect personal information
periodically. For example, some sites run occasional contests for which information is
collected, but were not doing so at the time of the Survey.
10. Verifiable parental consent is not required when a site collects an email address to respond
to a one-time request from the child; to provide notice to the parent; to ensure the safety of
the child or the site; or to send a newsletter or other information on a regular basis. 16
C.F.R. § 312.5(c). These so-called “email exceptions” require that the operator limit its use
of the email address. For example, an operator may respond to a child’s question via email
on a one-time basis, provided that the information is not used to recontact the child and is
deleted from the operator’s records. 16 C.F.R. § 312.5(c)(2). Note that in the case of two of
these exceptions – collecting an email address to respond more than once to a child’s
request or to protect the safety of the child on the website – the website must provide the
parent with direct notice. 16 C.F.R. § 312.4(c)(1).
The child’s or parent’s name may also be collected along with an email address for the sole
purpose of obtaining parental consent or providing direct notice. 16 C.F.R. § 312.5(c)(1).
Collection of the child’s or parent’s name alone, however, does not fall within an exception
to consent or notice.
11. For example, a site would qualify for the one-time use email exception if it collected only
the child’s first name and the recipient’s email address to send an electronic postcard.
12. For purposes of the Survey, an “activity” was defined as anything that the site allows one to
do or participate in, such as a chatroom or game. The survey instrument also asked whether
the site provided any “amenities.” An “amenity” included any service or benefit offered by
the site, such as an opportunity to establish an email account. For ease of reference, the
term “activity” is used to represent both of these concepts.
13. However, actual verification of operators’ information practices to assess compliance with
the exceptions would, in some cases, have required an investigation of website operators’
internal practices, e.g., whether the website operator immediately deletes email addresses
after sending an electronic postcard, and thus was outside of the scope of this Survey and
report.
14. The Survey separately examined sites’ representations in their privacy policies about the
consent and notice procedures that they follow. See infra, Section III.E.5.
15. For purposes of the Survey, the Commission counted the link to the privacy policy if there
was a link on any page where personal information was collected.
16. Out of the 104 total sites that collected personal information, 86% disclosed the types of
personal information collected.
17. The Survey did not examine the entirety of the website to see if the required contact
information appeared anywhere else on the website.
A Survey on Compliance
19
18. 16 C.F.R. § 312.7.
19. 16 C.F.R. § 312.4(2)(v).
20. 16 C.F.R. § 312.4(b)(2)(vi).
21. Sites that retain any personal information – for example, those that collect an email address
to respond to a child on a regular basis – would still need to provide the parent with access
and the opportunity to delete personal information.
22. 16 C.F.R. § 312.4(b)(2)(iv).
23. Of the 60 sites that did not state specifically that they pass along personal information to
third parties, 51 (85%) affirmatively indicated that they do not provide personal information
to others.
24. By contrast, the operator must disclose this information in the direct notice to parents
referenced in 16 C.F.R. §§ 312.4(c) and 312.5.
25. Some sites used more than one method.
26. Other entities examining the state of children’s privacy online in the last three years include
the Annenberg Public Policy Center of the University of Pennsylvania and the Center for
Media Education. See Joseph Turow, Annenberg Public Policy Center of the University of
Pennsylvania, “Privacy Policies on Children’s Websites: Do They Play by the Rules?,”
March 2001, and Center for Media Education, “COPPA: The First Year – A Survey of
Sites,” April 2001.
27. For example, the 1998 Survey examined 212 sites drawn from a list compiled by Yahoo! for
the Yahooligans! online directory of sites for children. See Privacy Online: A Report to
Congress, Appendix A at 3. The April 2001 Survey reviewed 144 sites drawn from web
traffic data purchased from Nielsen//NetRatings.
The Commission’s 1998 Survey defined children’s sites to include sites “primarily directed
to children 15 and under,” thus including some teen sites, whereas this Survey looked at
sites “primarily directed to children 12 and under.” Also, in determining whether a site
collected personal information, the 1998 Survey defined personal information to include
such information as occupation, income, hobbies, interests, and hardware/software,
categories of information that are not defined as personal information under COPPA, unless
tied to other personal information, and were thus not catalogued in this Survey.
28. In comparing the number of sites that recently collected personal information with the
number that did so in the past, one must recognize that COPPA does not prohibit website
operators from collecting personal information from children as long as the operators take
the appropriate steps to comply with the Rule.
29. One exception is that almost all of the sites in the 1998 Survey (96%) collected an email
address, a figure that remained consistent in this Survey (97%). In many cases, when a site
Protecting Children's Privacy Under COPPA
20
collects a parent’s email address, that information is collected so that the site can obtain
verifiable parental consent or provide notice. Sites may also be taking advantage of the
email exceptions that allow collection of this type of personal information for limited
purposes.
30. Privacy Online: A Report to Congress, Figure 7 at 32.
31. As noted above, this Survey showed that, of those sites that collected personal information
online:
64% collected the child’s full name
85% collected the child’s email address
8% collected the parent’s full name
44% collected the parent’s email address
56% collected another person’s email address
9% collected a telephone number
14% collected a full home address or other mailing address
0% collected a fax number or Social Security number.
This Survey did not include any additional information that a site might collect after
obtaining verifiable parental consent.
32. Only 1% of the sites in the 1998 Survey required parental consent to the information
collection and use prior to collection, and 8% indicated that parents could request that
information be deleted or not used in the future.
A Survey on Compliance
1
The composition index is based on the ratio of the composition percentage with the
percentage of the Internet population made up of 2 to 12-year-olds. For example, if the
composition percentage for a particular website is equal to the percentage of the Internet
population made up of 2 to 12-year-olds, then the composition index for that website is 100.
Websites that are primarily directed to children are likely to have a composition percentage that
is significantly larger than the percentage of the Internet population made up of 2 to 12-yearolds, and thus would have a composition index significantly larger than 100.
2
The projected national audience for these sites of 5,000 children is imprecise as it is
based on observations of a very small number of panel members.
A-1
Appendix A: Methodology
The websites included in the survey were drawn from a larger list of sites purchased from
Nielsen//NetRatings (“Nielsen”). Nielsen provided a list of all sites (with the exception of
pornographic or “adult” sites) with domain names ending in “.com” that had been visited during
the month of June 2000 by at least one child age 2 to 12 in Nielsen’s panel of 9,686 children.
For each of these 11,154 sites, Nielsen provided demographic information including the
projected 2 to 12 audience, composition percentage (percentage of the site’s visitors age 2 to 12),
and the composition index.1
In order to identify sites that would most likely be primarily directed to children 12 and
under, Commission staff applied two criteria to generate a final list from the initial list of 11,154
Nielsen sites. First, the staff examined only those sites with a composition index equal to or
greater than 100. In other words, only sites whose audience was composed of at least as many 2
to 12-year-old children as there are 2 to 12-year-old children in the population of active Internet
users were included. Because current data suggest that approximately 8.5% of the Internet
population is made up of 2 to 12-year-olds, a composition index of 100 or higher translates to
sites whose audience was composed of at least 8.5% 2 to 12-year-old children. Second, only
sites visited by approximately 5,000 children or more based on a nationwide projected audience
were examined.2
A total of 1253 sites met both selection criteria described above. These sites
were reviewed by a group of five surfers during March 21-29, 2001. The surfers completed Part
1 of the Survey Questionnaire (see Appendix B) to assess whether the site was a commercial site
Protecting Children's Privacy Under COPPA
3
If a site was not “primarily directed to children age 12 or under,” the surfers went on to
assess whether the site was either “devoted to electronic games and of interest to children 12 and
under” or “of primary interest to teens but of interest to children 12 and under.” Sites falling into
either one of these two classifications were so marked for possible reexamination in the future.
However, they were not included in the present survey.
A-2
that was “primarily directed to children 12 or under.” 3
Those URLs that could not be accessed
for technical reasons or were marked as “closed” or “under construction” were removed from the
sample. Duplicate sites (sites with different URLs but identical content) were also removed.
After Part 1 of the survey was completed, nine surfers completed Part 2 of the Survey
Questionnaire (see Appendix B) between April 3, 2001 and April 17, 2001 for each of the sites
that had been determined to be “primarily directed to children 12 and under.” After final
reconciliation, a sample of 144 sites was achieved.
None of the surfers for Parts 1 or 2 were involved in designing the survey, or in the
subsequent data analysis or drafting of this report. Every surfer underwent training in the use of
the survey form before reviewing any site. Surfer instructions are in Appendix B.
Numerous measures were taken to ensure the quality and accuracy of the data collected by
the surfers. Each site was independently surveyed by two surfers. The surfers then compared
their completed survey forms, noted any differences, and reconciled these differences after
discussion. The pairs were rotated so that the same two surfers were not always reconciling with
each other. The reconciliation process was completed by May 1, 2001.
Once the survey forms had undergone the multiple levels of review described above, the
same data were entered into two separate databases by separate data entry personnel. The two
databases were electronically compared, survey forms of those sites with discrepancies were
reviewed again, and appropriate corrections made, to ensure the accuracy of the data. A set of
queries was then run on the data to ensure that the data were internally consistent, i.e., that all
conditional questions were answered or left blank, as appropriate. Any errors in data entry were
corrected, based on the questionnaires, prior to the substantive analysis of the data.
A Survey on Compliance
B-1
Appendix B: Surfer Instructions and Surveys
Survey Instructions – Part I
General Instructions Regarding the Survey Form
This survey involves the identification of Web sites that are primarily directed to children 12 and
under. We on the Surf Team appreciate your willingness to help with this project. If at any time
you have a question as you participate in the Surf, please don’t hesitate to ask one of us.
The instructions below take you through the survey question by question. Before you begin to
answer the questions, though, you will be asked to fill out the top section (Surfer/Site
Information). Please fill out this information LEGIBLY and COMPLETELY.
The Survey
Q1. Determine whether a site is primarily directed to children 12 and under.
A Web site that is primarily directed to children should have AT LEAST TWO of the following
three factors present: Subject Matter, Presentation, and Interactivity. If a site is directed to a
mixed audience, adults and children, but has a designated children’s area that is “primarily
directed to children 12 and under” within the same URL, you should examine the children’s area
to determine whether the site is “primarily directed to children 12 and under.”
Many times, you should be able to tell from the home page whether the site is primarily directed
to children. (The term home page refers to the main web page for a business, organization,
person and is often labeled as such on the screen.) But you may need to view other pages,
indexes, or a site map if one is provided.
Subject Matter:
subject matter that is appealing to children (e.g., kids’ jokes, music, kids’ games,
video/computer games, children’s tv shows or stars, cartoon characters, sports, stories,
toys, children’s books, fantasy, children’s arts and crafts, pets, products primarily
purchased or consumed by kids like snack food or cereal)
Presentation:
a. language of the Web site such as language that is simple enough to be
understandable to children 12 and under; short, colorful descriptions; slang and pop
culture phrases (e.g., a kids’ site may be identified by such language as “kids only,”
“fun,” “free stuff,” “whatever,” “cool,” “duh,” “games,” “Ask your parents....” etc.)
b. whether the Web site uses visual content appealing to children (animated
characters, bold or fast-moving graphics, or bright and vibrant colors)
Protecting Children's Privacy Under COPPA
B-2
c. use of host characters (often a character property used offline, on television, in
movies, or comics or books)
d. the age of the models portrayed on the Web site (using children as models)
e. whether advertising appearing on the Web site is directed to children under 13 (e.g.,
ads for products primarily purchased or consumed by kids, or ads that are presented
in such a way that they appear to be directed to children)
f. audio content appealing to children (e.g., simple or popular tunes or songs, cartoon
voices, child-like noises and sound effects)
Interactivity:
whether the Web site hosts interactive child-oriented activities and incentives
(surveys/polls; clubs; prizes/premiums; homework help; contests/games; penpals;
chatrooms; posting winners’ home pages, stories or art work; guestbooks; downloads or
screen-savers; electronic postcards or e-cards)
The following information will help you deal with special situations that may arise:
# Non-Commercial sites. Sites that belong to individuals who are using the site simply as
a personal Web site (despite its “.com” domain name) should be excluded, even if the site
is primarily directed to children 12 and under.
However, sites that contain advertising (such as banner ads), or that link to commercial
sites or show other evidence of commercial intent, should be considered commercial,
even if it appears the site was created by an individual.
# Foreign sites. When the home page is served up in a language other than English, that
site should not be included in the sample even if it is primarily directed to children 12
and under.
If the assigned site is either a non-commercial site or a foreign site, call a proctor.
If you have a question about whether a site is primarily directed to children, ask a
proctor for assistance.
If the site is primarily directed to children, circle YES. Then, please print out the
site’s home page. Click on the “STOP” button on the Web site toolbar before printing out
any screens. Please gather the print-out right away as many people will be using the same
printer as you. Then, go on to the next site – this survey is complete. If the site is not
primarily directed to children, circle NO and proceed to Q2.
A Survey on Compliance
B-3
Q2. If the site is one devoted to electronic games – one that has game reviews, tips, cheats,
game characters, or chat rooms for gamers who play games on any type of computer
equipment – and is of interest to children 12 and under, you should circle YES here.
If YES, Then, go on to the next site – this survey is complete. If NO, go to Q3.
Q3. If the site appears to be of primary interest to teens, but of interest to children 12 and
under, you should circle YES here. These are sites that are aiming at children (under age
18), but are not primarily directed to children 12 and under. Sites that are of primary
interest to teens may use the word “Teen,” use teen-age models, or be focused on subject
matter that is popular with teens such as music, sexuality, dating, makeup, clothing, etc.
The survey is complete.
Reconciling Your Results
Each surfer will be given a set of URLs (approximately 74 websites). Two surfers will
independently review each site and complete a survey form. After reviewing each round of 74
Web sites, each surfer will reconcile their responses with the surfer who reviewed those same
URLs. You need only reconcile answers for question 1.
On a clean copy of the sheet listing the URLs you both examined, keep track of how many
disagreements you have regarding question 1 -- whether a site is primarily directed to children.
Once you have reconciled your set of URLs, create a folder for each site. Place the survey forms
(and printouts, if applicable) for the site in the folder, and write the URL for the site and its ID
Number on the folder.
If you answered YES to Q1 write “kids” on the top of the folder next to the URL.
If you answered YES to Q2, write “games” on the top of the folder next to the URL.
If you answered YES to Q3, write “teens” on the top of the folder next to the URL.
If you answered NO to all three questions, write “NO” on the top of the folder next to the URL.
If the URL was excluded, would not load, or was under construction, write “OUT” on the top of
the folder next to the URL.
Then, turn in the completed folders.
Protecting Children's Privacy Under COPPA
B-4
SPECIAL INSTRUCTIONS FOR THE SURVEY
Surfing Rules
1. Begin surfing at the top of your URL list and continue through the list in the order that
the URLs appear. Complete the form, to the extent you can, for every URL on your list.
2. If the site forwards you to a new URL, record the new URL on the designated line on the
top of the Survey Form and proceed with your survey of this site.
3. If you receive an error message (“the site is not available” or “404 error”) or when the
site will not load, call a proctor. Due to certain technical limitations, it may become
necessary to eliminate some URLs. Only a proctor can make the final determination
that a site is “Eliminated.”
4. If the entire site is “under construction,” complete the top (“Surfer Information”) part
of the survey and record “Under Construction” to the right of the ID Code. However, if
only a small area of the site is “under construction,” view the remaining areas of the site
and complete the survey form.
If the site is “closed” or otherwise inactive, complete the top (“Surfer Information”) part
of the survey and record “Closed” or “Inactive” to the right of the ID Code.
5. If a site will not load, it may be only temporarily out of commission. Try to load the site
at least twice. If it still will not load, please note the status of the site on the survey form
to the right of the ID code (“Won’t Load”) and we will go back and check it later.
6. Do not pursue links to other sites. As you move through the site, be sure to stay within
the URL you are assigned. Check the URL at the top of the screen to be sure you have
not left the site. If you have any questions about whether you are within the same URL,
please call the proctor.
A Survey on Compliance
B-5
Printing Tips
1. After the screen has stopped loading and the bottom tool bar states “Document Done,”
click the “Stop” button at the top of the screen and then print the home page. (Animated
banners may appear to be loading/refreshing even though the document is done.)
2. If you have difficulty printing, try the following:
a. Save the Web page, then Open the saved file, and Print. (In some cases, Saving a
Web page strips out the graphics - both static and moving - from the saved version.
In other cases, Saving strips out some graphics, but doesn’t remove or suppress a
graphic, so that it still may not print.)
b. If you cannot print the entire screen and the text you want to print appears in a
“Frame,” print just the frame by clicking on the frame and then clicking File on the
tool bar and “Print Frame.” You may also need to block the frame text as described
above. If the page still will not print, try displaying and printing in “no frames” mode,
assuming the site or page offers a “no frames” option.
c. Printing may be easier with one browser than another, so try to print with both
Netscape and Internet Explorer.
d. Try to first click on “Print Preview” and then Print from the Preview window.
e. Print using the color printer instead of the black and white default printer.
f. Try to print the home page in landscape by licking File on the tool bar, then Print.
Then click on Properties, then on Orientation, to change from portrait to landscape.
3. If you are unable to print the home page, contact a proctor.
Protecting Children's Privacy Under COPPA
B-6
Survey Questionnaire – Part I
SURVEY FORM
Surfer Name: ___________________________________ Date: _____________
ID No.:____________
Assigned URL:______________________________________________________
If you are automatically rerouted to another URL, provide that URL:
___________________________________________________________________
Company Name (if given)___________________________
CIRCLE 0 FOR NO AND 1 FOR YES FOR EACH QUESTION BELOW.
NO YES
1. Is the site primarily directed to children 12 and under? 0 1
If YES, PRINT THE SITE’S HOME PAGE. Then go on to the next site.
If NO, proceed to Q2.
2. Is the site devoted to electronic games and NO YES
of interest to children 12 and under? 0 1
If YES, go on to the next site.
If NO, proceed to Q3.
3. Is the site of primary interest to teens but of interest to NO YES
children 12 and under? 0 1
(Stop here and go on to the next site.)
A Survey on Compliance
B-7
Survey Instructions – Part II
General Instructions Regarding the Survey Form
This survey will examine issues relating to information collection practices and privacy on Web
sites that are primarily directed to children 12 and under. We on the Surf Team appreciate your
willingness to help with this project. If at any time you have a question as you participate in the
Surf, please don’t hesitate to ask one of us.
The instructions below take you through the survey question by question. Before you begin to
answer the questions, though, you will be asked to fill out the top section (Surfer/Site
Information). Please fill out this information LEGIBLY and COMPLETELY.
Please CIRCLE either YES or NO for every question on the survey.
As you navigate through each site, be sure to stay within the URL you are assigned. Do not
pursue links to other sites. Check the URL in the window at the top of the screen when you click
on hyperlinks to be sure you have not left the site.
The Survey
Q1. Review the site to see whether it collects Personal Information.
“Personal information” (or “PI”) includes personal identifying information such as full
name, home or other mailing address, email address, telephone number, and social
security number. Email address includes not only the child’s or parent’s email address
but also any other email address collected.
Keep the following in mind when determining whether a site collects PI:
1. If the site asks only for a FIRST name, that information is not personal information.
A request that a visitor provide a “Name” should be treated as a request for a full name.
2. If the site asks only for a Zip code, or only for City and State, that information is not
personal information. A visitor’s street address, by contrast, is personal information.
3. A fictitious screen name is not personal information. However, if the site asks that
you use your real name or email address as a screen name, that is personal information.
4. If the site provides a credit card payment form where a person’s name, credit card
number, or other information is collected, you should IGNORE THAT FORM when
determining whether the site collects personal information. If the site asks for the
visitor’s information elsewhere on the site, you should circle YES to indicate that the site
collects that information, even if the information is also collected on the credit card
payment form.
Protecting Children's Privacy Under COPPA
B-8
5. Some sites may provide a “print and send” form for a parent to complete to provide
consent relating to the site’s use of personal information. For purposes of determining
whether personal information is collected, IGNORE information requests on a “print and
send” form.
6. For purposes of this survey, an e-mail link to the Webmaster is not information
collection.
Where should you look for personal information collection?
1. Look at the home page, any registration form, survey form, membership page, terms
of agreement, legal notice, guestbook, FAQs, or HELP.
2. If the site offers an email account or message board or chat room, check there.
3. If the site offers a newsletter or contest that you can register for, or a product or
freebie that you can send away for, check there.
4. The site’s privacy policy is a good place to check, as sites that collect information
should disclose that in the policy. When reviewing the privacy policy, note that some
large companies have privacy policies that have a different section applying to privacy
practices on their children’s area (as opposed to other areas intended for a general
audience). In that case you should review the part of the privacy policy that applies to
the children’s area.
Note that you may have to REGISTER or LOG IN just to access the site. In that case,
you should provide the information needed to register or log in. You should type in, but
not submit, the following information as requested:
Name: [Your initials] Doyle (e.g., EMD Doyle)
Screen Name: [Your initials]Spotty2590 (e.g., EMDSpotty2590)
Age: 11
Birth Date: February 5, 1990
School Grade: 5th grade (elementary school)
Street Address: [Your street number] Connecticut Avenue
Somerville, MA 02138
Telephone No.: 703-528-5298
Email Address: [email protected]
Password: [your initials]spottydo
(if you had to select a different password for any reason, write the different
password you selected on the survey form)
A Survey on Compliance
B-9
Then, BEFORE you submit this information, print the completed form showing the
information you have typed in. Make sure that the screen printed properly before you
move to the next step, which is to submit the information. AFTER you submit the
information, print any acknowledgement screen. If you encounter a problem with the
submission, attempt to resubmit the data. If you continue to have problems, call a
proctor.
Q2. For each type of personal information collected on the site, circle YES. Include all
information collected whether it is “mandatory” or “optional.” Note that “home address
or other mailing address” does not include an email address.
Keep in mind:
1. You should not circle YES when the personal information request is made only on a
credit card payment form.
2. You should not circle YES when the personal information request is for a first name
only, or only for a city and state or Zip code.
3. You should not circle YES when the personal information request is only requested on
a “print and send” form for parents to complete to provide consent.
4. You should not circle YES when the personal information request is an e-mail link to
the Webmaster.
For types of personal information collection that are not listed, circle YES by “Other”
and describe the personal information collected in the blank space provided.
When a site states, “Give us your email address” or “Give us your name,” you should
count that request as a request for the child’s email address or name.
Q3. Some sites ask that you type in this information, while others say, for example: “Click
here if you are under 13,” or “click here if you are between 7 and 10.” Some sites
provide a dropdown menu of age ra