United States of America v. Prime Sites, Inc.
Filing
6
AMENDED ORDER (appendix attached) Granting 2 Stipulation for Permanent Injunction and Judgment. Judgment in the amount of $500,000 is entered in favor of Plaintiff against Defendant as a civil penalty. Defendant is ordered to pay to Plaintif f, by making payment to the Treasurer of the United States, $235,000. Such payment must be made within 90 days of entry of the Order. The Clerk of Court is directed to enter Judgment accordingly and close this case (see Order for additional details). Signed by Judge Jennifer A. Dorsey on 2/16/2018. (Copies have been distributed pursuant to the NEF - DC)
1
2
3
4
5
6
7
8
9
10
CHAD A. READLER
Acting Assistant Attorney General
Civil Division
U.S. Department of Justice
ETHAN DAVIS
Deputy Assistant Attorney General
GUSTAV W. EYLER
Acting Director, Consumer Protection Branch
KATHRYN A. SCHMIDT
Trial Attorney, Consumer Protection Branch
P.O. Box 386
Washington, DC 20044
Phone: (202) 598-8697
Email: Kathryn.A.Schmidt@usdoj.gov
Attorneys for Plaintiff United States of America
11
12
13
14
15
16
MATTHEW H. WERNZ
SAMUEL A.A. LEVINE
Federal Trade Commission
Midwest Region
230 South Dearborn Street, Suite 3030
Chicago, IL 60604
Tel.: (312) 960-5634
Email: MWernz@ftc.gov
Email: SLevine1@ftc.gov
17
Attorneys for the Federal Trade Commission
18
UNITED STATES DISTRICT COURT
DISTRICT OF NEVADA
19
20
21
UNITED STATES OF AMERICA,
22
Case No. 2:18-cv-199
Plaintiff,
23
v.
24
25
PRIME SITES, INC., a Nevada corporation,
also doing business as EXPLORE TALENT,
26
Defendant.
27
[PROPOSED] STIPULATION AND AMENDED
ORDER FOR PERMANENT
INJUNCTION AND CIVIL PENALTY
JUDGMENT
ECF No. 2
28
Page 1 of 17
1
Plaintiff, the United States of America, acting upon notification and authorization to the
2
Attorney General by the Federal Trade Commission (“Commission”), filed its Complaint for
3
Permanent Injunction, Civil Penalties, and Other Relief (“Complaint”) in this matter, pursuant to
4
Sections 13(b) and 16(a)(1) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C.
5
§§ 53(b) and 56(a)(1), the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6502(c) and
6
7
6505(d), and the Commission’s Children’s Online Privacy Protection Rule (“COPPA Rule”), 16
8
C.F.R. Part 312. Defendant has waived service of the summons and the Complaint. Plaintiff and
9
Defendant stipulate to the entry of this Stipulated Order for Permanent Injunction and Civil
10
Penalty Judgment (“Order”) to resolve all matters in dispute in this action between them.
11
THEREFORE, IT IS ORDERED as follows:
12
FINDINGS
13
14
1.
This Court has jurisdiction over this matter.
15
2.
The Complaint charges that Defendant participated in deceptive acts or practices
16
in violation of Section 5 of the FTC Act, 15 U.S.C. § 45, by misrepresenting the benefits of paid
17
membership in, and Defendant’s practices relating to personal information collected from
18
19
20
21
22
children in connection with, Defendant’s online talent search network.
3.
The Complaint also charges that Defendant violated the COPPA Rule by failing
to provide notice to parents of its information practices, and to obtain verifiable parental consent
prior to collecting, using, or disclosing personal information from children.
23
4.
Defendant neither admits nor denies any of the allegations in the Complaint,
24
25
26
except as specifically stated in this Order. Only for purposes of this action, Defendant admits the
facts necessary to establish jurisdiction.
27
28
Page 2 of 17
1
5.
Defendant waives any claim that it may have under the Equal Access to Justice
2
Act, 28 U.S.C. § 2412, concerning the prosecution of this action through the date of this Order,
3
and agrees to bear its own costs and attorney fees.
4
6.
Defendant and Plaintiff waive all rights to appeal or otherwise challenge or
5
contest the validity of this Order.
6
DEFINITIONS
7
8
9
10
For the purpose of this Order, the following definitions apply:
1.
“Child” means an individual under the age of 13.
2.
“Collects” or “collection” means the gathering of any personal information from a
11
child by any means, including but not limited to:
12
a.
13
Requesting, prompting, or encouraging a child to submit personal
information online;
14
15
b.
16
Enabling a child to make personal information publicly available in
identifiable form; or
17
c.
Passive tracking of a child online.
18
19
20
21
22
3.
“Defendant” means Prime Sites, Inc., a corporation, also doing business as
Explore Talent, and its successors and assigns.
4.
“Disclose or disclosure” means, with respect to personal information:
a.
The release of personal information collected by an operator from a child
23
in identifiable form for any purpose, except where an operator provides
24
25
26
such information to a person who provides support for the internal
operations of the website or online service; and
27
28
Page 3 of 17
b.
1
Making personal information collected by an operator from a child
2
publicly available in identifiable form by any means, including but not
3
limited to a public posting through the Internet, or through a personal
4
home page or screen posted on a website or online service; a pen pal
5
service; an electronic mail service; a message board; or a chat room.
6
7
5.
“Internet” means collectively the myriad of computer and telecommunications
8
facilities, including equipment and operating software, which comprise the interconnected world-
9
wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or
10
any predecessor or successor protocols to such protocol, to communicate information of all kinds
11
by wire, radio, or other methods of transmission.
12
13
6.
“Obtaining verifiable consent” means making any reasonable effort (taking into
14
consideration available technology) to ensure that before personal information is collected from a
15
child, a parent of the child:
16
a.
Receives notice of the operator’s personal information collection, use, and
17
disclosure practices; and
18
b.
19
information.
20
21
22
Authorizes any collection, use, and/or disclosure of the personal
7.
“Online contact information” means an e-mail address or any other substantially
similar identifier that permits direct contact with a person online, including but not limited to, an
23
instant messaging user identifier, a voice over internet protocol (VOIP) identifier, or a video chat
24
25
26
27
user identifier.
8.
“Operator” means any person who operates a website located on the Internet or an
online service and who collects or maintains personal information from or about the users of or
28
Page 4 of 17
1
visitors to such website or online service, or on whose behalf such information is collected or
2
maintained, or offers products or services for sale through that website or online service, where
3
such website or online service is operated for commercial purposes involving commerce among
4
the several States or with one (1) or more foreign nations; in any territory of the United States or
5
in the District of Columbia, or between any such territory and another such territory or any State
6
7
or foreign nation; or between the District of Columbia and any State, territory, or foreign nation.
8
9.
“Parent” includes a legal guardian.
9
10.
“Person” means any individual, partnership, corporation, trust, estate, cooperative,
10
association, or other entity.
11
11.
“Personal information” means individually identifiable information about an
12
13
individual collected online, including:
14
a.
A first and last name;
15
b.
A home or other physical address including street name and name of a city
16
or town;
17
c.
Online contact information;
d.
A screen or user name where it functions in the same manner as online
18
19
contact information;
20
21
A telephone number;
f.
A Social Security number;
g.
22
e.
A persistent identifier that can be used to recognize a user over time and
23
24
25
26
across different websites or online services. Such persistent identifier
includes, but is not limited to, a customer number held in a cookie, an
27
28
Page 5 of 17
Internet Protocol (IP) address, a processor or device serial number, or
1
unique device identifier;
2
3
h.
4
A photograph, video, or audio file where such file contains a child’s image
or voice;
5
i.
Geolocation information sufficient to identify street name and name of a
6
city or town; or
7
j.
8
9
Information concerning the child or the parents of that child that the
operator collects online from the child and combines with an identifier
10
described in this definition.
11
12.
“Release of personal information” means the sharing, selling, renting, or transfer
12
13
14
15
16
of personal information to any third party.
13.
“Support for the internal operations of the website or online service” means
a.
Those activities necessary to:
i.
Maintain or analyze the functioning of the website or online
17
service;
18
19
20
ii.
Perform network communications;
iii.
Authenticate users of, or personalize the content on, the website or
21
22
online service;
iv.
Serve contextual advertising on the website or online service or
23
cap the frequency of advertising;
24
25
v.
service;
26
27
Protect the security or integrity of the user, website, or online
vi.
Ensure legal or regulatory compliance; or
28
Page 6 of 17
vii.
1
Fulfill a request of a child as permitted by Section 312.5(c)(3) and
(4) of COPPA;
2
3
b.
4
So long as the information collected for these activities listed in a(i) – (vii)
is not used or disclosed to contact a specific individual, including through
5
behavioral advertising, to amass a profile on a specific individual, or for
6
any other purpose.
7
8
14.
“Third party” means any person who is not:
9
10
a.
An operator with respect to the collection or maintenance of personal
information on the website or online service; or
11
b.
A person who provides support for the internal operations of the website
12
13
14
15
16
or online service and who does not use or disclose information protected under this part for any
other purpose.
15.
“Website or online service directed to children” means a commercial website or
online service, or portion thereof, that is targeted to children.
17
ORDER
18
19
20
I. INJUNCTION CONCERNING COLLECTION OF PERSONAL
INFORMATION FROM CHILDREN
IT IS ORDERED that Defendant and Defendant’s officers, agents, employees, and
21
22
attorneys, and all other persons in active concert or participation with any of them, who receive
23
actual notice of this Order, whether acting directly or indirectly, in connection with being an
24
operator of any website or online service directed to children or of any website or online service
25
with actual knowledge that it is collecting or maintaining personal information from a child, are
26
hereby permanently restrained and enjoined from:
27
28
Page 7 of 17
1
A.
failing to make reasonable efforts, taking into account available technology, to
2
ensure that a parent of a child receives direct notice of Defendants’ practices with regard to the
3
collection, use, or disclosure of personal information from children, including notice of any
4
material change in the collection, use, or disclosure practices to which the parent has previously
5
consented;
6
7
B.
failing to post a prominent and clearly labeled link to an online notice of its
8
information practices with regard to children on the home or landing page or screen of its
9
website or online service, and at each area of the website or online service where personal
10
information is collected from children;
11
C.
failing to obtain verifiable parental consent before any collection, use, or
12
13
14
15
16
disclosure of personal information from children, including consent to any material change in the
collection, use, or disclosure practices to which the parent has previously consented; and
D.
violating the Children’s Online Privacy Protection Rule, 16 C.F.R. Part 312, a
copy of which is attached hereto as Appendix A.
17
18
19
II. INJUNCTION CONCERNING DELETION OF CHILDREN’S PERSONAL
INFORMATION
IT IS FURTHER ORDERED that Defendant and Defendant’s officers, agents,
20
21
22
23
24
25
employees, and attorneys, and all other persons in active concert or participation with any of
them, who receive actual notice of this Order, are permanently restrained and enjoined from:
A.
disclosing, using, or benefiting from children’s personal information which
Defendant obtained prior to entry of this Order; and
B.
failing to destroy children’s personal information that is in their possession,
26
27
custody, or control within ten (10) days after entry of this Order. Provided, however, that such
28
Page 8 of 17
1
2
personal information need not be disposed of, and may be disclosed, to the extent requested by a
government agency or required by law, regulation, or court order.
3
4
III. MONETARY JUDGMENT FOR CIVIL PENALTY
IT IS FURTHER ORDERED that:
5
A.
Judgment in the amount of Five Hundred Thousand Dollars ($500,000) is entered
6
7
8
9
10
in favor of Plaintiff against Defendant as a civil penalty.
B.
Defendant is ordered to pay to Plaintiff, by making payment to the Treasurer of
the United States, Two Hundred Thirty-Five Thousand Dollars ($235,000). Such payment must
be made within ninety (90) days of entry of the Order, unless otherwise agreed to by counsel for
11
the Commission, by electronic fund transfer in accordance with instructions previously provided
12
13
14
15
16
by a representative of Plaintiff. Upon such payment, the remainder of the judgment is
suspended, subject to the Subsections below.
C.
The Commission and Plaintiff’s agreement to the suspension of part of the
judgment is expressly premised upon the truthfulness, accuracy, and completeness of the
17
following sworn financial statements and related documents (collectively, “financial
18
19
representations”) submitted to the Commission, namely:
1.
20
21
the Financial Statement of Defendant Prime Sites, Inc. signed by Ami
Shafrir, President, on September 29, 2017, including the attachments; and
22
2.
the Financial Statement of Defendant’s President signed on September 30,
23
2017, and submitted to Commission counsel, including the attachments.
24
25
26
D.
The suspension of the judgment will be lifted if, upon motion by the Commission
or Plaintiff, the Court finds that Defendant or Defendant’s President failed to disclose any
27
28
Page 9 of 17
1
2
3
4
material asset, materially misstated the value of any asset, or made any other material
misstatement or omission in the financial representations identified above.
E.
If the suspension of the judgment is lifted, the judgment becomes immediately
due in the amount specified in Subsection A above (which the parties stipulate only for purposes
5
of this Section represents the amount of the civil penalty for the violations alleged in the
6
7
8
9
10
Complaint), less any payment previously made pursuant to this Section, plus interest computed
from the date of entry of this Order.
F.
Defendant relinquishes dominion and all legal and equitable right, title, and
interest in all assets transferred pursuant to this Order and may not seek the return of any assets.
11
G.
The facts alleged in the Complaint will be taken as true, without further proof, in
12
13
14
15
16
any subsequent civil litigation by or on behalf of the Commission, including in a proceeding to
enforce its rights to any payment or monetary judgment pursuant to this Order.
H.
Defendant agrees that the judgment represents a civil penalty owed to the
government of the United States and is not compensation for actual pecuniary loss.
17
I.
Defendant acknowledges that its Employer Identification Numbers, which
18
19
20
21
22
Defendant previously submitted to the Commission, may be used for collecting and reporting on
any delinquent amount arising out of this Order, in accordance with 31 U.S.C. §7701.
IV. PROHIBITION AGAINST MISREPRESENTATIONS
IT IS FURTHER ORDERED that Defendant and Defendant’s officers, agents,
23
employees, and attorneys, and all other persons in active concert or participation with any of
24
25
them, who receive actual notice of this Order, whether acting directly or indirectly, in connection
26
with promoting or offering for sale of any good or service, are permanently enjoined from
27
misrepresenting, or assisting others in misrepresenting, expressly or by implication:
28
Page 10 of 17
A.
1
2
that consumers have been specifically chosen for a role in an upcoming motion
picture;
3
B.
C.
4
that consumers have been the subject of interest from casting directors;
any fact material to Defendant’s practices with respect to personal information
5
collected from children, including Defendant’s collection, use, and disclosure practices; or
6
D.
7
any other fact material to consumers concerning any good or service, such as: the
8
total costs; any material restrictions, limitations, or conditions; or any material aspect of its
9
nature or central characteristics.
10
V. ORDER ACKNOWLEDGMENTS
11
IT IS FURTHER ORDERED that Defendant obtain acknowledgments of receipt of this
12
13
14
15
16
Order:
A.
Defendant, within 7 days of entry of this Order, must submit to the Commission
an acknowledgment of receipt of this Order sworn under penalty of perjury.
B.
For 5 years after entry of this Order, Defendant must deliver a copy of this Order
17
to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees,
18
19
agents, and representatives who participate in the collection, retention, storage, or security of
20
personal information from children, if any, or who have responsibilities related to the operation
21
of any website or online service through which Defendant collects personal information from
22
users; and (3) any business entity resulting from any change in structure as set forth in the
23
Section titled Compliance Reporting. Delivery must occur within 7 days of entry of this Order
24
25
26
for current personnel. For all others, delivery must occur before they assume their
responsibilities.
27
28
Page 11 of 17
1
C.
From each individual or entity to which a Defendant delivered a copy of this
2
Order, that Defendant must obtain, within 30 days, a signed and dated acknowledgment of
3
receipt of this Order.
4
VI. COMPLIANCE REPORTING
5
IT IS FURTHER ORDERED that Defendant make timely submissions to the
6
7
8
9
10
Commission:
A.
One year after entry of this Order, Defendant must submit a compliance report,
sworn under penalty of perjury. In such report, Defendant must:
1.
identify the primary physical, postal, and email address and telephone
11
number, as designated points of contact, which representatives of the Commission and Plaintiff
12
13
14
15
16
may use to communicate with Defendant;
2.
identify all of Defendant’s businesses by all of their names, telephone
numbers, and physical, postal, email, and Internet addresses;
3.
describe the activities of each business, including the goods and services
17
offered, the means of advertising, marketing, and sales;
18
19
20
21
22
4.
describe in detail whether and how Defendant is in compliance with each
Section of this Order;
5.
provide a copy of each different version of any privacy notice posted on
each website or online service operated by Defendants or sent to parents of children that register
23
on each website or online service;
24
25
6.
describe in detail the methods used to obtain verifiable parental consent
26
prior to any collection, use, and/or disclosure of personal information from children through any
27
website or online service;
28
Page 12 of 17
7.
1
describe in detail the means provided for parents to review the personal
2
information collected from their children and to refuse to permit its further use or maintenance;
3
and
4
8.
provide a copy of each Order Acknowledgment obtained pursuant to this
5
Order, unless previously submitted to the Commission.
6
7
B.
For 20 years after entry of this Order, Defendant must submit a compliance
8
notice, sworn under penalty of perjury, within 14 days of any change in: (1) any designated
9
point of contact; or (2) the structure of Defendant or any entity that Defendant has any ownership
10
interest in or controls directly or indirectly that may affect compliance obligations arising under
11
this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary,
12
13
14
15
16
parent, or affiliate that engages in any acts or practices subject to this Order.
C.
Defendant must submit to the Commission notice of the filing of any bankruptcy
petition, insolvency proceeding, or similar proceeding by or against such Defendant within 14
days of its filing.
17
D.
Any submission to the Commission required by this Order to be sworn under
18
19
penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by
20
concluding: “I declare under penalty of perjury under the laws of the United States of America
21
that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s
22
full name, title (if applicable), and signature.
23
E.
Unless otherwise directed by a Commission representative in writing, all
24
25
26
submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or
sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement,
27
28
Page 13 of 17
1
2
Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW,
Washington, DC 20580. The subject line must begin: FTC v. Prime Sites, Inc., X______.
3
4
VII. RECORDKEEPING
IT IS FURTHER ORDERED that Defendant must create certain records for 20 years
5
after entry of the Order, and retain each such record for 5 years. Specifically, Defendant must
6
7
create and retain the following records:
8
A.
accounting records showing the revenues from all goods or services sold;
9
B.
personnel records showing, for each person providing services, whether as an
10
employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position;
11
dates of service; and (if applicable) the reason for termination;
12
13
14
15
16
C.
all records necessary to demonstrate full compliance with each provision of this
Order, including all submissions to the Commission;
D.
records of all consumer complaints and refund requests, whether received directly
or indirectly, such as through a third party, and any response;
17
E.
a copy of each materially different form, page, or screen created, maintained, or
18
19
otherwise provided by Defendant through which personal information is collected through any
20
website or online service, and a copy of each materially different document containing any
21
representation regarding collection, use, and disclosure practices pertaining to personal
22
information collected through such website or online service. Each webpage copy shall be
23
accompanied by the URL of the webpage where the material was posted online. Electronic
24
25
26
copies shall include all text and graphics files, audio scripts, and other computer files used in
presenting information on the Internet.
27
28
Page 14 of 17
1
F.
a copy of each unique advertisement, other marketing material, telemarketing
2
script, or other representation made in connection with promoting or offering for sale of any
3
good or service.
4
VIII. COMPLIANCE MONITORING
5
IT IS FURTHER ORDERED that, for the purpose of monitoring Defendant’s compliance
6
7
8
9
10
with this Order:
A.
Within fourteen (14) days of receipt of a written request from a representative of
the Commission or Plaintiff, Defendant must: submit additional compliance reports or other
requested information, which must be sworn under penalty of perjury; appear for depositions;
11
and produce documents for inspection and copying. The Commission and Plaintiff are also
12
13
authorized to obtain discovery, without further leave of court, using any of the procedures
14
prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33,
15
34, 36, 45, and 69.
16
B.
For matters concerning this Order, the Commission and Plaintiff are authorized
17
to communicate directly with Defendant. Defendant must permit representatives of the
18
19
20
21
22
Commission and Plaintiff to interview any employee or other person affiliated with Defendant
who has agreed to such an interview. The person interviewed may have counsel present.
C.
The Commission and Plaintiff may use all other lawful means, including posing,
through its representatives as consumers, suppliers, or other individuals or entities, to Defendants
23
or any individual or entity affiliated with Defendants, without the necessity of identification or
24
25
26
prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process,
pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.
27
28
Page 15 of 17
2/16/2018
Appendix A:
Children’s Online Privacy
Protection Rule,
16 C.F.R. Part 312
Appendix A
Title 16: Commercial Practices
Part 312 – Children’s Online Privacy Protection Rule
AUTHORITY: 15 U.S.C. 6501-6508.
§312.1 Scope of Regulations in this part.
This part implements the Children’s Online Privacy Protection Act of 1998, (15 U.S.C. 6501, et
seq.,) which prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or
disclosure of personal information from and about children on the Internet.
§312.2 Definitions.
Child means an individual under the age of 13.
Collects or collection means the gathering of any personal information from a child by any
means, including but not limited to:
(1) Requesting, prompting, or encouraging a child to submit personal information online;
(2) Enabling a child to make personal information publicly available in identifiable form. An
operator shall not be considered to have collected personal information under this paragraph
if it takes reasonable measures to delete all or virtually all personal information from a child’s
postings before they are made public and also to delete such information from its records; or
(3) Passive tracking of a child online.
Commission means the Federal Trade Commission.
Delete means to remove personal information such that it is not maintained in retrievable form
and cannot be retrieved in the normal course of business.
Disclose or disclosure means, with respect to personal information:
(1) The release of personal information collected by an operator from a child in identifiable form
for any purpose, except where an operator provides such information to a person who
provides support for the internal operations of the Web site or online service; and
(2) Making personal information collected by an operator from a child publicly available in
identifiable form by any means, including but not limited to a public posting through the
Internet, or through a personal home page or screen posted on a Web site or online service; an
electronic mail service; a message board; or a chat room.
Federal agency means an agency, as that term is defined in Section 551(1) of title 5, United
States Code.
Internet means collectively the myriad of computer and telecommunications facilities, including
equipment and operating software, which comprise the interconnected world-wide network of networks
that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor
protocols to such protocol, to communicate information of all kinds by wire, radio, or other methods of
transmission.
Page 1 of 13
Obtaining verifiable consent means making any reasonable effort (taking into consideration
available technology) to ensure that before personal information is collected from a child, a parent of the
child:
(1) Receives notice of the operator’s personal information collection, use, and disclosure
practices; and
(2) Authorizes any collection, use, and/or disclosure of the personal information.
Online contact information means an email address or any other substantially similar identifier
that permits direct contact with a person online, including but not limited to, an instant messaging user
identifier, a voice over internet protocol (VOIP) identifier, or a video chat user identifier.
Operator means any person who operates a Web site located on the Internet or an online service
and who collects or maintains personal information from or about the users of or visitors to such Web site
or online service, or on whose behalf such information is collected or maintained, or offers products or
services for sale through that Web site or online service, where such Web site or online service is
operated for commercial purposes involving commerce among the several States or with 1 or more
foreign nations; in any territory of the United States or in the District of Columbia, or between any such
territory and another such territory or any State or foreign nation; or between the District of Columbia and
any State, territory, or foreign nation. This definition does not include any nonprofit entity that would
otherwise be exempt from coverage under Section 5 of the Federal Trade Commission Act (15 U.S.C.
45). Personal information is collected or maintained on behalf of an operator when:
(1) It is collected or maintained by an agent or service provider of the operator; or
(2) The operator benefits by allowing another person to collect personal information directly
from users of such Web site or online service.
Parent includes a legal guardian.
Person means any individual, partnership, corporation, trust, estate, cooperative, association, or
other entity.
Personal information means individually identifiable information about an individual collected
online, including:
(1) A first and last name;
(2) A home or other physical address including street name and name of a city or town;
(3) Online contact information as defined in this section;
(4) A screen or user name where it functions in the same manner as online contact information,
as defined in this section;
(5) A telephone number;
(6) A Social Security number;
Page 2 of 13
(7) A persistent identifier that can be used to recognize a user over time and across different Web
sites or online services. Such persistent identifier includes, but is not limited to, a customer
number held in a cookie, an Internet Protocol (IP) address, a processor or device serial
number, or unique device identifier;
(8) A photograph, video, or audio file where such file contains a child’s image or voice;
(9) Geolocation information sufficient to identify street name and name of a city or town; or
(10) Information concerning the child or the parents of that child that the operator collects online
from the child and combines with an identifier described in this definition.
Release of personal information means the sharing, selling, renting, or transfer of personal
information to any third party.
Support for the internal operations of the Web site or online service means:
(1) Those activities necessary to:
i.
Maintain or analyze the functioning of the Web site or online service;
ii.
Perform network communications;
iii.
Authenticate users of, or personalize the content on, the Web site or online service;
iv.
Serve contextual advertising on the Web site or online service or cap the frequency of
advertising;
v.
Protect the security or integrity of the user, Web site, or online service;
vi.
Ensure legal or regulatory compliance; or
vii.
Fulfill a request of a child as permitted by §312.5(c)(3) and (4);
(2) So long as the information collected for the activities listed in paragraphs (1)(i)-(vii) of this
definition is not used or disclosed to contact a specific individual, including through
behavioral advertising, to amass a profile on a specific individual, or for any other purpose.
Third party means any person who is not:
(1) An operator with respect to the collection or maintenance of personal information on the Web
site or online service; or
(2) A person who provides support for the internal operations of the Web site or online service
and who does not use or disclose information protected under this part for any other purpose.
Web site or online service directed to children means a commercial Web site or online service, or
portion thereof, that is targeted to children.
(1) In determining whether a Web site or online service, or portion thereof, is directed to
children, the Commission will consider its subject matter, visual content, use of animated
Page 3 of 13
characters or child-oriented activities and incentives, music or other audio content, age of
models, presence of child celebrities or celebrities who appeal to children, language or other
characteristics of the Web site or online service, as well as whether advertising promoting or
appearing on the Web site or online service is directed to children. The Commission will also
consider competent and reliable empirical evidence regarding audience composition, and
evidence regarding the intended audience.
(2) A Web site or online service shall be deemed directed to children when it has actual
knowledge that it is collecting personal information directly from users of another Web site
or online service directed to children.
(3) A Web site or online service that is directed to children under the criteria set forth in
paragraph (1) of this definition, but that does not target children as its primary audience, shall
not be deemed directed at children if it:
i.
Does not collect personal information from any visitor prior to collecting age
information; and
ii.
Prevents the collection, use, or disclosure of personal information from visitors who
identify themselves as under age 13 without first complying with the notice and
parental consent provisions of this part.
(4) A Web site or online service shall not be deemed directed to children solely because it refers
or links to a commercial Web site or online service directed to children by using information
location tools, including a directory, index, reference, pointer, or hypertext link.
§312.3 Regulation of unfair or deceptive acts or practices in connection with the collection, use,
and/or disclosure of personal information from and about children on the Internet.
General requirements. It shall be unlawful for any operator of a Web site or online service
directed to children, or any operator that has actual knowledge that it is collecting or maintaining personal
information from a child, to collect personal information from a child in a manner that violates the
regulations prescribed under this part. Generally, under this part, an operator must:
(a) Provide notice on the Web site or online service of what information it collects from children,
how it uses such information, and its disclosure practices for such information (§312.4(b));
(b) Obtain verifiable parental consent prior to any collection, use, and/or disclosure of personal
information from children (§312.5);
(c) Provide a reasonable means for a parent to review the personal information collected from a
child and to refuse to permit its further use or maintenance (§312.6);
(d) Not condition a child’s participation in a game, the offering of a prize, or another activity on
the child disclosing more personal information than is reasonably necessary to participate in
such activity (§312.7); and
(e) Establish and maintain reasonable procedures to protect the confidentiality, security, and
integrity of personal information collected from children (§312.8).
§312.4 Notice.
Page 4 of 13
(a) General principles of notice. It shall be the obligation of the operator to provide notice and
obtain verifiable parental consent prior to collecting, using, or disclosing personal
information from children. Such notice must be clearly and understandably written,
complete, and must contain no unrelated, confusing, or contradictory materials.
(b) Direct notice to the parent. An operator must make reasonable efforts, taking into account
available technology, to ensure that a parent of a child receives direct notice of the operator’s
practices with regard to the collection, use, or disclosure of personal information from
children, including notice of any material change in the collection, use, or disclosure practices
to which the parent has previously consented.
(c) Content of the direct notice to the parent:
1.
Content of the direct notice to the parent under §312.5(c)(1) (Notice to Obtain Parent’s
Affirmative Consent to the Collection, Use, or Disclosure of a Child’s Personal
Information). This direct notice shall set forth:
i. That the operator has collected the parent’s online contact information from the
child, and, if such is the case, the name of the child or the parent, in order to
obtain the parent’s consent;
ii. That the parent’s consent is required for the collection, use, or disclosure of such
information, and that the operator will not collect, use, or disclose any personal
information from the child if the parent does not provide such consent;
iii. The additional items of personal information the operator intends to collect from
the child, or the potential opportunities for the disclosure of personal information,
should the parent provide consent;
iv. A hyperlink to the operator’s online notice of its information practices required
under paragraph (d) of this section;
v. The means by which the parent can provide verifiable consent to the collection,
use, and disclosure of the information; and
vi. That if the parent does not provide consent within a reasonable time from the
date the direct notice was sent, the operator will delete the parent’s online contact
information from its records.
2. Content of the direct notice to the parent under §312.5(c)(2) (Voluntary Notice to Parent
of a Child’s Online Activities Not Involving the Collection, Use or Disclosure of Personal
Information). Where an operator chooses to notify a parent of a child’s participation in a
Web site or online service, and where such site or service does not collect any personal
information other than the parent’s online contact information, the direct notice shall set
forth:
i. That the operator has collected the parent’s online contact information from the
child in order to provide notice to, and subsequently update the parent about, a
child’s participation in a Web site or online service that does not otherwise
collect, use, or disclose children’s personal information;
Page 5 of 13
ii. That the parent’s online contact information will not be used or disclosed for any
other purpose;
iii. That the parent may refuse to permit the child’s participation in the Web site or
online service and may require the deletion of the parent’s online contact
information, and how the parent can do so; and
iv. A hyperlink to the operator’s online notice of its information practices required
under paragraph (d) of this section.
3. Content of the direct notice to the parent under §312.5(c)(4) (Notice to a Parent of
Operator’s Intent to Communicate with the Child Multiple Times). This direct notice
shall set forth:
i. That the operator has collected the child’s online contact information from the
child in order to provide multiple online communications to the child;
ii. That the operator has collected the parent’s online contact information from the
child in order to notify the parent that the child has registered to receive multiple
online communications from the operator;
iii. That the online contact information collected from the child will not be used for
any other purpose, disclosed, or combined with any other information collected
from the child;
iv. That the parent may refuse to permit further contact with the child and require the
deletion of the parent’s and child’s online contact information, and how the
parent can do so;
v. That if the parent fails to response to this direct notice, the operator may use the
online contact information collected from the child for the purpose stated in the
direct notice; and
vi. A hyperlink to the operator’s online notice of its information practices required
under paragraph (d) of this section.
4. Content of the direct notice to the parent required under §312.5(c)(5) (Notice to a Parent
In Order to Protect a Child’s Safety). This direct notice shall set forth:
i. That the operator has collected the name and online contact information of the
child and the parent in order to protect the safety of a child;
ii. That the information will not be used or disclosed for any purpose unrelated to
the child’s safety;
iii. That the parent may refuse to permit the use, and require the deletion, of the
information collected, and how the parent can do so;
iv. That if the parent fails to respond to this direct notice, the operator may use the
information for the purpose stated in the direct notice; and
Page 6 of 13
v. A hyperlink to the operator’s online notice of its information practices required
under paragraph (d) of this section.
(d) Notice on the Web site or online service. In addition to the direct notice to the parent, an operator
must post a prominent and clearly labeled link to an online notice of its information practices with
regard to children on the home or landing page or screen of its Web site or online service, and, at
each area of the Web site or online service where personal information is collected from children.
The link must be in close proximity to the requests for information in each such area. An
operator of a general audience Web site or online serve that has a separate children’s area must
post a link to a notice of its information practices with regard to children on the home or landing
page or screen of the children’s area. To be complete, the online notice of the Web site or online
service’s information practices must state the following:
1. The name, address, telephone number, and email address of all operators collecting or
maintaining personal information from children through the Web site or online services.
Provided that: The operators of a Web site or online service may list the name, address,
phone number, and email address of one operator who will respond to all inquiries from
parents concerning the operators’ privacy policies and use of children’s information, as
long as the names of all the operators collecting or maintaining personal information
from children through the Web site or online service are also listed in the notice;
2. A description of what information the operator collects from children, including whether
the Web site or online service enables a child to make personal information publicly
available; how the operator uses such information; and, the operator’s disclosure
practices for such information; and
3. That the parent can review or have deleted the child’s personal information, and refuse to
permit further collection or use of the child’s information, and state the procedures for
doing so.
§312.5 Parental consent.
(a) General requirements.
1. An operator is required to obtain verifiable parental consent before any collection, use, or
disclosure of personal information from children, including consent to any material
change in the collection, use, or disclosure practices to which the parent had previously
consented.
2. An operator must give the parent the option to consent to the collection and use of the
child’s personal information without consenting to disclosure of his or her personal
information to third parties.
(b) Methods for verifiable parental consent.
1. An operator must make reasonable efforts to obtain verifiable parental consent, taking
into consideration available technology. Any method to obtain verifiable parental
consent must be reasonably calculated, in light of available technology, to ensure that the
person providing consent is the child’s parent.
Page 7 of 13
2. Existing methods to obtain verifiable parental consent that satisfy the requirements of this
paragraph include:
i. Providing a consent form to be signed by the parent and returned to the operator
by postal mail, facsimile, or electronic scan;
ii. Requiring a parent, in connection with a monetary transaction, to use a credit
card, debit card, or other online payment system that provides notification of
each discrete transaction to the primary account holder;
iii. Having a parent call a toll-free telephone number staffed by trained personnel;
iv. Having a parent connect to trained personnel via video-conference;
v. Verifying a parent’s identity by checking a form of government-issued
identification against databases of such information, where the parent’s
identification is deleted by the operator from its records promptly after such
verification is complete; or
vi. Provided that, an operator that does not “disclose” (as defined by §312.2)
children’s personal information, may use an email coupled with additional steps
to provide assurances that the person providing the consent is the parent. Such
additional steps include: Sending a confirmatory email to the parent following
receipt of consent, or obtaining a postal address or telephone number from the
parent and confirming the parent’s consent by letter or telephone call. An
operator that uses this method must provide notice that the parent can revoke any
consent given in response to the earlier email.
3. Safe harbor approval of parental consent methods. A safe harbor program approved by
the Commission under §312.11 may approve its member operators’ use of a parental
consent method not currently enumerated in paragraph (b)(2) of this section where the
safe harbor program determines that such parental consent method meets the
requirements of paragraph (b)(1) of this section.
(c) Exceptions to prior parental consent. Verifiable parental consent is required prior to any
collection, use, or disclosure of personal information from a child except as set forth in this
paragraph:
1. Where the sole purpose of collecting the name or online contact information of the parent
or child is to provide notice and obtain parental consent under §312.4(c)(1). If the
operator has not obtained parental consent after a reasonable time from the date of the
information collection, the operator must delete such information from its records;
2. Where the purpose of collecting a parent’s online contact information is to provide
voluntary notice to, and subsequently update the parent about, the child’s participation in
a Web site or online service that does not otherwise collect, use, or disclose children’s
personal information. In such cases, the parent’s online contact information may not be
used or disclosed for any other purpose. In such cases, the operator must make
reasonable efforts, taking into consideration available technology, to ensure that the
parent receives notice as described in §312.4(c)(2);
Page 8 of 13
3. Where the sole purpose of collecting online contact information from a child is to
respond directly on a one-time basis to a specific request from the child, and where such
information is not used to re-contact the child or for any other purpose, is not disclosed,
and is deleted by the operator from its records promptly after responding to the child’s
request;
4. Where the purpose of collecting a child’s and a parent’s online contact information is to
respond directly more than once to the child’s specific request, and where such
information is not used for any other purpose, disclosed, or combined with any other
information collected from the child. In such cases, the operator must make reasonable
efforts, taking into consideration available technology, to ensure that the parent receives
notice as described in §312.4(c)(3). An operator will not be deemed to have made
reasonable efforts to ensure that a parent receives notice where the notice to the parent
was unable to be delivered;
5. Where the purpose of collecting a child’s and a parent’s name and online contact
information, is to protect the safety of a child, and where such information is not used or
disclosed for any purpose unrelated to the child’s safety. In such cases, the operator must
make reasonable efforts, taking into consideration available technology, to provide a
parent with notice as described in §312.4(c)(4);
6. Where the purpose of collecting a child’s name and online contact information is to:
i. Protect the security or integrity of its Web site or online service;
ii. Take precautions against liability;
iii. Respond to judicial process; or
iv. To the extent permitted under other provisions of law, to provide information to
law enforcement agencies or for an investigation on a matter related to public
safety; and where such information is not be used for any other purposes;
7. Where an operator collects a persistent identified and no other personal information and
such identifier is used for the sole purpose of providing support for the internal operations
of the Web site or online service. In such cases, there also shall be no obligation to
provide notice under §312.4; or
8. Where an operator covered under paragraph (2) of the definition of Web site or online
service directed to children in §312.2 collects a persistent identifier and no other personal
information from a user who affirmatively interacts with the operator and whose previous
registration with that operator indicates that such user is not a child. In such case, there
also shall be no obligation to provide notice under §312.4.
§312.6 Right of parent to review personal information provided by a child.
(a) Upon request from a parent whose child has provided personal information to a Web site or
online service, the operator of that Web site or online service is required to provide to that parent
the following:
Page 9 of 13
1. A description of the specific types of categories of personal information collected from
children by the operator, such as name, address, telephone number, email address,
hobbies, and extracurricular activities;
2. The opportunity at any time to refuse to permit the operator’s further use or future online
collection of personal information from that child, and to direct the operator to delete the
child’s personal information; and
3. Notwithstanding any other provision of law, a means of reviewing any personal
information collected from the child. The means employed by the operator to carry out
this provision must:
i. Ensure that the requester is a parent of that child, taking into account available
technology; and
ii. Not be unduly burdensome to the parent.
(b) Neither an operator nor the operator’s agent shall be held liable under any Federal or State law for
any disclosure made in good faith and following reasonable procedures in responding to a request
for disclosure of personal information under this section.
(c) Subject to the limitations set forth in §312.7, an operator may terminate any service provided to a
child whose parent has refused, under paragraph (a)(2) of this section, to permit the operator’s
further use or collection of personal information from his or her child or has directed the operator
to delete the child’s personal information.
§312.7 Prohibition against conditioning a child’s participation on collection of personal
information.
An operator is prohibited from conditioning a child’s participation in a game, the offering of a
prize, or another activity on the child’s disclosing more personal information than is reasonably necessary
to participate in such activity.
§312.8 Confidentiality, security, and integrity of personal information collected from children.
The operator must establish and maintain reasonable procedures to protect the confidentiality,
security, and integrity of personal information collected from children. The operator must also take
reasonable steps to release children’s personal information only to service providers and third parties who
are capable of maintaining the confidentiality, security and integrity of such information, and who provide
assurances that they will maintain the information in such a manner.
§312.9 Enforcement
Subject to sections 6503 and 6505 of the Children’s Online Privacy Protection Act of 1998, a
violation of a regulation prescribed under section 6502(a) of this Act shall be treated as a violation of a
rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal
Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
§312.10 Data Retention and deletion requirements.
Page 10 of 13
An operator of a Web site or online service shall retain personal information collected online
from a child for only as long as is reasonably necessary to fulfill the purpose for which the information
was collected. The operator must delete such information using reasonable measures to protect against
unauthorized access to, or use of, the information in connection with its deletion.
§312.11 Safe harbor programs.
(a) In general. Industry groups or other persons may apply to the Commission for approval of selfregulatory program guidelines (“safe harbor programs”). The application shall be filed with the
Commission’s Office of the Secretary. The Commission will publish in the FEDERAL REGISTER a
document seeking public comment on the application. The Commission shall issue a written
determination within 180 days of the filing of the application.
(b) Criteria for approval of self-regulatory program guidelines. Proposed safe harbor programs must
demonstrate that they meet the following performance standards:
1. Program requirements that ensure operators subject to the self-regulatory program
guidelines (“subject operators”) provide substantially the same or greater protections for
children as those contained in §§312.2 through 312.8, and 312.10.
2. An effective, mandatory mechanism for the independent assessment of subject operators’
compliance with the self-regulatory program guidelines. At a minimum, this mechanism
must include a comprehensive review by the safe harbor program, to be conducted not
less than annually, of each subject operator’s information policies, practices, and
representations. The assessment mechanism required under this paragraph can be
provided by an independent enforcement program, such as a seal program.
3. Disciplinary actions for subject operators’ non-compliance with self-regulatory program
guidelines. This performance standard may be satisfied by:
i. Mandatory, public reporting of any action taken against subject operators by the
industry group issuing the self-regulatory guidelines;
ii. Consumer redress;
iii. Voluntary payments to the United States Treasury in connection with an
industry-directed program for violators of the self-regulatory guidelines;
iv. Referral to the Commission of operators who engage in a pattern or practice of
violating the self-regulatory guidelines; or
v. Any other equally effective action.
(c) Request for Commission approval of self-regulatory program guidelines. A proposed safe harbor
program’s request for approval shall be accompanied by the following:
1. A detailed explanation of the applicant’s business model, and the technological
capabilities and mechanisms that will be used for initial and continuing assessment of
subject operators’ fitness for membership in the safe harbor program;
Page 11 of 13
2. A copy of the full text of the guidelines for which approval is sought and any
accompanying commentary;
3. A comparison of each provision of §§312.2 through 312.8, and 312.10 with the
corresponding provisions of the guidelines; and
4. A statement explaining:
i. How the self-regulatory program guidelines, including the applicable assessment
mechanisms, meet the requirements of this part; and
ii. How the assessment mechanisms and compliance consequences under
paragraphs (b)(2) and (b)(3) provide effective enforcement of the requirements of
this part.
(d) Reporting and recordkeeping requirements. Approved safe harbor programs shall:
1. By July 1, 2014, and annually thereafter, submit a report to the Commission containing,
at a minimum, an aggregated summary of the results of the independent assessments
conducted under paragraph (b)(2) of this section, a description of any disciplinary action
taken against any subject operator under paragraph (b)(3) of this section, and a
description of any approvals of member operators’ use of a parental consent mechanism,
pursuant to §312.5(b)(3).
2. Promptly respond to Commission requests for additional information; and
3. Maintain for a period of not less than three years, and upon request make available to the
Commission for inspection and copying:
i. Consumer complaints alleging violations of the guidelines by subject operators;
ii. Records of disciplinary actions taken against subject operators; and
iii. Results of the independent assessments of the subject operators’ compliance
required under paragraph (b)(2) of this section.
(e) Post-approval modifications to self-regulatory program guidelines. Approved safe harbor
programs must submit proposed changes to their guidelines for review and approval by the
Commission in the manner required for initial approval of guidelines under paragraph (c)(2) of
this section. The statement required under paragraph (c)(4) of this section must describe how the
proposed changes affect existing provisions of the guidelines.
(f) Revocation of approval of self-regulatory program guidelines. The Commission reserves the
right to revoke any approval granted under this section if at any time it determines that the
approved self-regulatory program guidelines or their implementation do not meet the
requirements of this part. Safe harbor programs that were approved prior to the publication of the
Final Rule amendments must, by March 1, 2013, submit proposed modifications to their
guidelines that would bring them into compliance with such amendments, or their approval shall
be revoked.
Page 12 of 13
(g) Operators’ participation in safe harbor program. An operator will be deemed to be in
compliance with the requirements of §§312.2 through 312.8, and 312.10 if that operator complies
with Commission-approved safe harbor program guidelines. In considering whether to initiate an
investigation or bring an enforcement action against a subject operator for violations of this part,
the Commission will take into account the history of the subject operator’s participation in the
safe harbor program, whether the subject operator has taken action to remedy such noncompliance, and whether the operator’s non-compliance resulted in any one of the disciplinary
actions set forth in paragraph (b)(3).
§312.12 Voluntary Commission Approval Processes.
(a) Parental consent methods. An interested party may file a written request for Commission
approval of parental consent methods not currently enumerated in §312.5(b). To be considered
for approval, a party must provide a detailed description of the proposed parental consent
methods, together with an analysis of how the methods meet §312.5(b)(1). The request shall be
filed with the Commission’s Office of the Secretary. The Commission will publish in the
FEDERAL REGISTER a document seeking public comment on the request. The Commission shall
issue a written determination within 120 days of the filing of the request; and
(b) Support for internal operations of the Web site or online service. An interested party may file a
written request for Commission approval of additional activities to be included within the
definition of support for internal operations. To be considered for approval, a party must provide
a detailed justification why such activities should be deemed support for internal operations, and
an analysis of their potential effects on children’s online privacy. The request shall be filed with
the Commission’s Office of the Secretary. The Commission will publish in the FEDERAL
REGISTER a document seeking public comment on the request. The Commission shall issues a
written determination within 120 days of the filing of the request.
§312.13 Severability.
The provisions of this part are separate and severable from one another. If any provision is stayed
or determined to be invalid, it is the Commission’s intention that the remaining provisions shall continue
in effect.
Page 13 of 13
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?