The federal Children’s Online Privacy Protection Act, approved in 1998, finally came into force across the USA by way of FTC rules introduced under the Act.
Topic: Data privacy
Who: Children's website operators
When: 21 April 2000
Where: USA
What happened:
The federal Children’s Online Privacy Protection Act, approved in 1998, finally came into force across the USA by way of FTC rules introduced under the Act. These require parental "notification" when websites knowingly collect and keep the full name, home address, e-mail address, phone number or other data that would allow the site or others to contact children who are 12 or younger. The type of parental notification needed depends on the sensitivity of the data collected and how the site intends to use it, with the strictest rules applying when children’s data will become available in chat rooms or bulletin boards. Many sites were expected to be non-compliant come April 21, while many others have sought the approval of self regulatory groups such as BBBOnLine, TrustE and the Children’s Advertising Review Unit of the Council of Better Business Bureaux, who have applied for FTC approval as certifying bodies.
Why this matters:
The UK has no special data privacy legislation targeted at collection and processing of children’s data on-line, and UK marketers aiming to collect personal data relating to minors should take advice. The 1998 Data Protection Act does require, however, that data be collected fairly and that data be collected only with "consent". Contrary to many opinions expressed, the Data Protection Commission themselves have made it clear that although under the new Act individuals have the right to object to their data being held or processed for marketing purposes, there is no blanket requirement that individuals, including parents or guardians of under 18’s, give prior express consent before their data can be processed or used for these purposes. So long as a site states clearly the uses to which personal data will be put, at the point of collection, in close physical proximity to the boxes where the personal data has to be keyed in, a clear opt-out tick box (probably stating that a child should get its parent or guardian to read and consider the whole section and key in the child’s data)may be best practice, but again, readers are urged to take advice.
[Please note here that Obsorne Clarke's own James Mullock is the author of the best-selling book to date on the new UK Data Protection Act]
It is also worth noting the self regulatory certifying bodies referred to above who are heavily involved in moves to conclude a "safe harbour" understanding which will facilitate legal transfer of personal data from the EU to the US. Clearly developing an understanding of their policies and maybe membership of at least one of them might be a prudent course of action for UK on-line data collectors to consider.
Finally, this legislation, together with the signing into law in the US in November 1999 of the Graham Leach Bliley Act, introducing, federally, strict data privacy controls on financial institutions, indicates a clear trend in the US from a data protection "wild west" towards what could in a short time be an even more heavily regulated data privacy landscape than in the EU.