Regulator Provides Important Guidelines For Complying With COPPA

November 1, 2002

New guidance will be helpful to both financial institutions and nonbank entities that need to protect the online privacy of children.


The Office of the Comptroller of the Currency (the "OCC"), which regulates national banks, has issued important guidance that can be used by financial institutions as well as nonbank entities seeking to comply with the Children’s Online Privacy Protection Act, better known as "COPPA." The July 16, 2002, OCC Bulletin outlining this guidance provides a workable framework within which to develop comprehensive policies and procedures to ensure COPPA compliance.

Background.
COPPA, which was enacted in October 1998, regulates the collection, use or disclosure of personal information collected from children by any entity that operates an Internet site. Regulations implementing COPPA’s provisions were adopted by the Federal Trade Commission (the "FTC") in April 2000 (the "FTC Regulations") and apply to financial institutions that (i) operate an Internet site directed to children, or (ii) have actual knowledge that they are collecting or maintaining personal information from a child via the Internet. Penalties for COPPA violations can include fines in excess of $11,000 per violation, attorney’s fees and injunctive measures to halt non-compliant practices. Federally insured banks and thrifts also can be the subject of bank regulatory action for such violations.

FTC Enforcement Action.
By the spring of 2002, the FTC had issued letters to more than 50 children’s Internet sites warning them of possible enforcement action for COPPA violations. It also had settled six COPPA enforcement cases involving charges that the defendants had illegally collected personally identifying information from children younger than 13 without parental consent. Some also were charged with a failure to post their privacy policies. In each case, the defendant was assessed a civil money penalty and agreed to delete all personally identifying information collected online from children since the implementation of the FTC Regulations. To date, there have been no reported enforcement actions taken against financial institutions for failure to adhere to the COPPA provisions.

Framework for Developing COPPA Policies and Procedures

National Bank Web Sites.
National banks that neither operate Internet sites directed to children nor have actual knowledge that they are collecting or maintaining a child’s personal information via the Internet are not subject to examination for COPPA compliance. In a cautionary statement, however, the OCC has warned that "financial institutions . . . [should] review their Web sites and their online information collection practices to ensure that they do not inadvertently trigger the provisions" of COPPA.

Provision and Placement of Required Notice.
If an institution is subject to the FTC Regulations, its Internet site must post a link to its information practices on its home page and at each area on the site where it collects children’s information. If the site operator has a general audience site with a separate children’s area, the operator must post a link to its notice on the home page of the children’s area as well. Required links appearing on home pages must be placed in a "clear and prominent location." The OCC Bulletin states that an institution could satisfy this requirement if it used "a larger font size in a different color on a contrasting background." Likely, a link that appears in small print on a page or is indistinguishable from other links on the site would not be deemed to be clear and conspicuous.

Content of Information Practices Notice.
The required information practices notice must include the following:

- The name, address, telephone number, and e-mail address of all operators collecting or maintaining personal information from any child through the Internet site

- The types of personal information collected from any child and how the information is collected

- The way the operator uses, or may use, the information

- A statement of whether the institution discloses information collected to third parties. If it does disclose to third parties, the institution’s notice must state (i) the types of businesses engaged in by third parties; (ii) the purposes for which the information is used; (iii) whether the third parties have agreed to maintain the confidentiality, security, and integrity of the information; and (iv) that the parent has the option to consent to the collection and use of the information without consenting to the disclosure of such information to third parties

- A statement about the prohibition against requiring, as a condition of participation in an activity, that a child disclose more information than is reasonably necessary to participate in such activity

- A statement that a parent has a right to review his child’s personal information, have it deleted, and refuse to allow any further collection or use of the child’s information, as well as the procedures for doing so.

Parental Notice.
Except as noted below, an institution subject to COPPA must obtain verifiable parental consent before it may collect, use or disclose personal information from any child. An institution also must make reasonable efforts to provide a parent with notice of the institution’s information practices with regard to children and, in the case of a notice seeking consent, the following: (i) that the institution wishes to collect personal information from the parent’s child; (ii) that the parent’s consent is required for the collection, use and disclosure of the information; and (iii) the methods by which the parent may provide consent. The parental notice must be clear and understandable.

Disclosure of Information to Others.
Given the risks to a child’s privacy associated with the disclosure of their personal information to third parties, the method used to obtain verifiable parental consent when children’s personal information will be provided to others must be reasonably calculated to ensure that consent has truly been provided by the parent. The OCC Bulletin suggests the following methods for obtaining this consent:

- Obtaining a signed consent form from a parent via postal mail or facsimile

- Accepting and verifying a parent’s credit card number

- Taking a parent’s call, through a toll-free telephone number staffed by trained personnel

- Receiving a parent’s e-mail, accompanied by a digital signature, or

- Receiving an e-mail from a parent that is accompanied by a personal identification number or password obtained through one of the methods mentioned above.

Disclosures to Third Parties.
Institutions must provide parents with the option to permit the institution to collect and use information about a child while prohibiting the operator from disclosing the child’s information to third parties. Effectively, this permits a parent to require a site operator to allow his or her child to participate in activities on the site while preventing the site operators from disclosing their child’s information to third parties.

Material Changes in Institution’s Use of Collected Information.
If an institution subject to COPPA materially changes the collection, use or disclosure practices to which a parent has previously agreed, the institution must send a new notice and request for consent to the parent.

Exceptions to Prior Parental Consent Requirement.
A financial institution does not need prior parental consent when it collects:

- A parent’s or child’s name or online contact information solely to obtain consent or to provide notice. If the institution has not received parental consent within a reasonable time, it must delete the information it possesses from its records

- A child’s online contact information solely to respond to, on a one-time basis, a specific request from the child, if the information is (i) not reused by the institution to recontact the child, and (ii) such information is deleted by the operator

- A child’s online contact information to respond more than once to a specific request from the child, when the institution does not use the information to contact the child beyond the scope of the request, and a parent is notified and allowed to request that the information not be used further

- The name and online contact information of the child to be used solely to protect the child’s safety, or

- The name and online contact information of the child solely to protect the security of the site, to take precautions against liability, or to respond to judicial process, law enforcement agencies, or an investigation related to public safety.

Right to Review Information.
An institution subject to COPPA must provide a parent with a means by which he or she can obtain any personal information collected from his or her child by that operator. This requires that the institution provide the parent with a description of the types of personal information it has collected from the child and an opportunity to review the information collected from the child. If a parent instructs an institution to delete the child’s information, or revokes permission for its continued use or collection, the institution must follow these instructions.

An institution must, however, take reasonable steps to ensure that the person making the request is the child’s parent. The institution will not be held liable under any law for "disclosures made in good faith and following reasonable procedures to verify a requester’s identity in responding to a request for disclosure of personal information." To this end, the OCC Bulletin suggests procedures (i) requiring a parent to use a credit card in connection with a transaction; (ii) having a parent call a toll-free number staffed by trained personnel; (iii) using a digital certificate that uses public key technology; or (iv) using e-mail accompanied by a PIN or password.

Confidentiality, Security, and Integrity of Personal Information Collected from a Child.
An institution subject to COPPA is required to establish and maintain reasonable procedures to protect the confidentiality, security and integrity of personal information collected from any child. According to the OCC’s examination procedures related to COPPA, the banking agency will determine compliance with this provision through discussions with management and a review of the institution’s policies and procedures.

Safe Harbors.
Industry groups, financial institutions or other companies may establish, with the FTC’s approval, a self-regulatory program. If the institution complies with such FTC-approved guidelines, it will receive a "safe harbor" in any enforcement action related to violations of COPPA or the FTC Regulations. At least three groups have received approval from the FTC under this safe harbor program: the Children’s Advertising Review Unit of the Council of Better Business Bureaus; the Entertainment Software Rating Board’s ESRB Privacy Online unit; and TRUSTe, which operates the Children’s Seal program.

Conclusion

The FTC’s recent COPPA enforcement actions, coupled with the OCC’s guidance on compliance activities by national banks, clearly illustrate federal regulators’ concern about appropriate compliance with COPPA and the FTC Regulations. Financial institutions, like other entities with web pages offering services to and collecting information from children, will be affected by COPPA-related developments, and violations of the statute or the regulations could result not only in FTC enforcement action but also in enforcement action by bank regulators.