§6502 — Title 15 Commerce and Trade | U.S. Code

Summary

Websites or online services aimed at children, or any site that knows it is getting personal information from kids, must follow rules made by the Federal Trade Commission (FTC). The FTC had to write those rules within one year after October 21, 1998. The rules make sites tell what information they collect from children, how they use it, and who they share it with. Sites must get verifiable permission from a parent before collecting, using, or sharing a child’s personal information. Parents can ask a site what specific information was collected about their child, stop the site from keeping or collecting more of that information, and get a copy of the child’s information by reasonable means. The rules also say sites cannot make a child give more information than needed to play a game or win a prize. Sites must protect the security and privacy of children’s information. There are limited exceptions where parental permission is not needed, such as one-time replies that are not kept, getting a parent’s contact only to get consent, certain safety or security uses, legal requests, and some follow-up replies when parents are notified. A site may stop service to a child if a parent refuses permission. Breaking the FTC rules counts as an unfair or deceptive practice under federal law, and states cannot impose rules that conflict with this treatment.

Title 15, §6502

Commerce and Trade — Source: USLM XML via OLRC

(a)(1)It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b).

(2)Notwithstanding paragraph (1), neither an operator of such a website or online service nor the operator’s agent shall be held to be liable under any Federal or State law for any disclosure made in good faith and following reasonable procedures in responding to a request for disclosure of personal information under subsection (b)(1)(B)(iii) to the parent of a child.

(b)(1)Not later than 1 year after October 21, 1998, the Commission shall promulgate under section 553 of title 5 regulations that—

(A)require the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child—

(i)to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information; and

(ii)to obtain verifiable parental consent for the collection, use, or disclosure of personal information from children;

(B)require the operator to provide, upon request of a parent under this subparagraph whose child has provided personal information to that website or online service, upon proper identification of that parent, to such parent—

(i)a description of the specific types of personal information collected from the child by that operator;

(ii)the opportunity at any time to refuse to permit the operator’s further use or maintenance in retrievable form, or future online collection, of personal information from that child; and

(iii)notwithstanding any other provision of law, a means that is reasonable under the circumstances for the parent to obtain any personal information collected from that child;

(C)prohibit conditioning a child’s participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity; and

(D)require the operator of such a website or online service to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

(2)The regulations shall provide that verifiable parental consent under paragraph (1)(A)(ii) is not required in the case of—

(A)online contact information collected from a child that is used only to respond directly on a one-time basis to a specific request from the child and is not used to recontact the child and is not maintained in retrievable form by the operator;

(B)a request for the name or online contact information of a parent or child that is used for the sole purpose of obtaining parental consent or providing notice under this section and where such information is not maintained in retrievable form by the operator if parental consent is not obtained after a reasonable time;

(C)online contact information collected from a child that is used only to respond more than once directly to a specific request from the child and is not used to recontact the child beyond the scope of that request—

(i)if, before any additional response after the initial response to the child, the operator uses reasonable efforts to provide a parent notice of the online contact information collected from the child, the purposes for which it is to be used, and an opportunity for the parent to request that the operator make no further use of the information and that it not be maintained in retrievable form; or

(ii)without notice to the parent in such circumstances as the Commission may determine are appropriate, taking into consideration the benefits to the child of access to information and services, and risks to the security and privacy of the child, in regulations promulgated under this subsection;

(D)the name of the child and online contact information (to the extent reasonably necessary to protect the safety of a child participant on the site)—

(i)used only for the purpose of protecting such safety;

(ii)not used to recontact the child or for any other purpose; and

(iii)not disclosed on the site,

(E)the collection, use, or dissemination of such information by the operator of such a website or online service necessary—

(i)to protect the security or integrity of its website;

(ii)to take precautions against liability;

(iii)to respond to judicial process; or

(iv)to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety.

(3)The regulations shall permit the operator of a website or an online service to terminate service provided to a child whose parent has refused, under the regulations prescribed under paragraph (1)(B)(ii), to permit the operator’s further use or maintenance in retrievable form, or future online collection, of personal information from that child.

(c)Subject to section 6503 and 6505 of this title, a violation of a regulation prescribed under subsection (a) shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 57a(a)(1)(B) of this title.

(d)No State or local government may impose any liability for commercial activities or actions by operators in interstate or foreign commerce in connection with an activity or action described in this chapter that is inconsistent with the treatment of those activities or actions under this section.

Statutory Notes and Related Subsidiaries

Effective Date

For

Effective Date

of subsec. (a) of this section, see section 1308 of Pub. L. 105–277, set out as a note under section 6501 of this title.

§6502 Regulation of Unfair and Deceptive Acts and Practices in Connection with Collection and Use of Personal Information From and About Children on the Internet

Summary

Title 15, §6502

Notes & Related Subsidiaries

Statutory Notes and Related Subsidiaries

Effective Date

Effective Date

Citations & Metadata