PRIA Logo
Take the PRIA Score
Title 15Commerce and TradeRelease 119-73

§6502 Regulation of unfair and deceptive acts and practices in connection with collection and use of personal information from and about children on the Internet

Title 15 › Chapter CHAPTER 91— - CHILDREN’S ONLINE PRIVACY PROTECTION › § 6502

Last updated Apr 6, 2026|Official source

Summary

Requires websites aimed at kids—or any site that knows it is collecting personal data from children—to follow rules the Federal Trade Commission had to write no later than 1 year after October 21, 1998. Those rules make sites tell parents what kid data they collect, how they use it, and who they share it with. Sites must get verifiable parental permission before collecting, using, or sharing a child’s personal information. Parents must be able to ask for a list of what was collected, stop the site from keeping or using the child’s data or from collecting more, and get the child’s data back. Sites must not make kids give more information than needed to play a game or join an activity, and they must keep children’s data safe. There are a few limited exceptions to the parental-permission rule, such as one-time replies to a child’s question that are not stored, using contact details only to get consent or to protect a child’s safety, and actions needed for site security, legal process, or public-safety investigations. A site may stop serving a child if a parent refuses further use or storage of the child’s data. If a site breaks these rules, it counts as an unfair or deceptive practice under federal law (subject to sections 6503 and 6505), and states may not impose conflicting liability for those same online activities.

Full Legal Text

Title 15, §6502

Commerce and Trade — Source: USLM XML via OLRC

(a)(1)It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b).
(2)Notwithstanding paragraph (1), neither an operator of such a website or online service nor the operator’s agent shall be held to be liable under any Federal or State law for any disclosure made in good faith and following reasonable procedures in responding to a request for disclosure of personal information under subsection (b)(1)(B)(iii) to the parent of a child.
(b)(1)Not later than 1 year after October 21, 1998, the Commission shall promulgate under section 553 of title 5 regulations that—
(A)require the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child—
(i)to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information; and
(ii)to obtain verifiable parental consent for the collection, use, or disclosure of personal information from children;
(B)require the operator to provide, upon request of a parent under this subparagraph whose child has provided personal information to that website or online service, upon proper identification of that parent, to such parent—
(i)a description of the specific types of personal information collected from the child by that operator;
(ii)the opportunity at any time to refuse to permit the operator’s further use or maintenance in retrievable form, or future online collection, of personal information from that child; and
(iii)notwithstanding any other provision of law, a means that is reasonable under the circumstances for the parent to obtain any personal information collected from that child;
(C)prohibit conditioning a child’s participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity; and
(D)require the operator of such a website or online service to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.
(2)The regulations shall provide that verifiable parental consent under paragraph (1)(A)(ii) is not required in the case of—
(A)online contact information collected from a child that is used only to respond directly on a one-time basis to a specific request from the child and is not used to recontact the child and is not maintained in retrievable form by the operator;
(B)a request for the name or online contact information of a parent or child that is used for the sole purpose of obtaining parental consent or providing notice under this section and where such information is not maintained in retrievable form by the operator if parental consent is not obtained after a reasonable time;
(C)online contact information collected from a child that is used only to respond more than once directly to a specific request from the child and is not used to recontact the child beyond the scope of that request—
(i)if, before any additional response after the initial response to the child, the operator uses reasonable efforts to provide a parent notice of the online contact information collected from the child, the purposes for which it is to be used, and an opportunity for the parent to request that the operator make no further use of the information and that it not be maintained in retrievable form; or
(ii)without notice to the parent in such circumstances as the Commission may determine are appropriate, taking into consideration the benefits to the child of access to information and services, and risks to the security and privacy of the child, in regulations promulgated under this subsection;
(D)the name of the child and online contact information (to the extent reasonably necessary to protect the safety of a child participant on the site)—
(i)used only for the purpose of protecting such safety;
(ii)not used to recontact the child or for any other purpose; and
(iii)not disclosed on the site,
(E)the collection, use, or dissemination of such information by the operator of such a website or online service necessary—
(i)to protect the security or integrity of its website;
(ii)to take precautions against liability;
(iii)to respond to judicial process; or
(iv)to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety.
(3)The regulations shall permit the operator of a website or an online service to terminate service provided to a child whose parent has refused, under the regulations prescribed under paragraph (1)(B)(ii), to permit the operator’s further use or maintenance in retrievable form, or future online collection, of personal information from that child.
(c)Subject to section 6503 and 6505 of this title, a violation of a regulation prescribed under subsection (a) shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 57a(a)(1)(B) of this title.
(d)No State or local government may impose any liability for commercial activities or actions by operators in interstate or foreign commerce in connection with an activity or action described in this chapter that is inconsistent with the treatment of those activities or actions under this section.

Legislative History

Notes & Related Subsidiaries

Statutory Notes and Related Subsidiaries

Effective Date

For

Effective Date

of subsec. (a) of this section, see section 1308 of Pub. L. 105–277, set out as a note under section 6501 of this title.

Reference

Citations & Metadata

Citation

15 U.S.C. § 6502

Title 15Commerce and Trade

Last Updated

Apr 6, 2026

Release point: 119-73