

 

INTERNET LAW INDEX  

The internet is full of opportunities for companies to treat consumers in a fair and respectable manner. And as much as I wish things always worked out that way, it is far from the reality of today's web. Millions of crimes take place online every year, and yet each one receives very little national media coverage.

Each year things get a little worse. The criminal assaults are matched with the new laws designed to combat only the worst offenders. While any help is a blessing, we must also educate consumers about the people behind these attacks and the techniques they use. We will continue to expand this page to reveal the worst malware pushers, along with some of the laws passed to help combat the attacks against us all!

This page only has information from Court Documents and press releases from our Government.

For news-based information and other important Internet resources, check out our Mica Magazine page.

                                      

 

COPPA Protects Children But Challenges Lie Ahead

Zango, Inc., formerly known as 180solutions

Odysseus

Advertising.com

Anti-Spyware

X-Rated Spam

SPY ACT

Internet Oversight

CAN-SPAM Act

COPPA

GeoCities

  

File a Complaint

Your complaint is an essential resource for local, state, and federal law enforcement officials. Law enforcers review consumer complaints to spot trends and build cases against hackers, identity thieves, and scam artists.

Here's how to file a complaint about various types of Internet-related problems:

Hacking or a Computer Virus

If your computer gets hacked or infected by a virus, disconnect from the Internet and scan it with fully updated anti-virus software, and update your firewall. Then notify your Internet Service Provider (ISP) and the hacker's ISP, if you can tell what it is. Finally, file a complaint with the Federal Bureau of Investigation (FBI).

ID Theft

If your information has been misused, file a report about your identity theft with the police, and file a complaint with the Federal Trade Commission at www.consumer.gov/idtheft. Read Take Charge: Fighting Back Against Identity Theft for detailed information on other steps to take in the wake of identity theft.

Internet Auctions

If you have problems during a transaction, try to work them out directly with the seller, buyer, or site operator. If that doesn't work, file a complaint with:

  • the attorney general's office in your state. You can find your state Attorney General's contact information on the website of the National Association of Attorneys General.
  • your county or state consumer protection agency. Check the blue pages of the phone book under county and state government.
  • the FTC.

Spyware

If you believe your computer has spyware, the FTC wants to know. File a complaint with the FTC.

Phishing

Forward spam that is phishing for information to spam@uce.gov and to the company, bank, or organization impersonated in the phishing email. Most organizations have information on their websites about where to report problems. You also may report phishing email to reportphishing@antiphishing.org. The Anti-Phishing Working Group, a consortium of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.

If you believe you've been scammed, file your complaint at ftc.gov, and then visit the FTC's Identity Theft website at www.consumer.gov/idtheft. Victims of phishing can become victims of identity theft.

Spam

Should you receive an email that you think may be fraudulent, forward it to the FTC at spam@uce.gov and to the abuse desk of the sender's ISP. Also, if the email appears to be impersonating a bank or other company or organization, forward the message to the actual organization.

Online Shopping Fraud

If you have problems during a transaction, try to work them out directly with the seller, buyer or site operator. If that doesn't work, file a complaint with:

Online Investing

If you’ve been a victim of online investment fraud, send your complaint to the U.S. Securities and Exchange Commission, using the agency’s Online Complaint Center.

Cross-Border Scams

If you think you may have responded to a cross-border scam, file a complaint at eConsumer.gov. Then visit the FTC's identity theft website at ftc.gov/idtheft to learn how to minimize your risk. If you've been involved in a "Nigerian" scheme, contact your local Secret Service field office. Report telemarketing fraud and check overpayment scams to your state Attorney General. Report any unsolicited email offers to spam@uce.gov. If you receive what looks like lottery material from a foreign country through the postal mail, give it to your local postmaster.

 

1) February 27 2007 ~ In a report to Congress, the Federal Trade Commission says the Children’s Online Privacy Protection Act (COPPA), and the Commission’s COPPA Rule, have been effective in protecting the privacy and security of young children online without unduly burdening Web site operators. The report does not recommend any changes to COPPA or to the Commission’s Rule, but does note that, because widespread age verification technology is not available, age falsification remains a risk on general audience Web sites not intended for children’s use. The report also identifies social networking sites and mobile Internet access as new and emerging issues in children’s online privacy.

According to Implementing the Children’s Online Privacy Protection Act: A Report to Congress, COPPA appears to have had a positive effect on Web site information practices, as children’s Web sites have developed innovative ways to offer children interactive online experiences while collecting little or no personal information from them. The report notes that there remains a wide range of child-directed Web sites for children to choose from, and that COPPA does not appear to have limited children’s ability to access information online.

The report also states that “there is concern that younger children are migrating to more general audience websites, such as social networking sites, that are not intended for their use but nonetheless attract their presence. . . . [T]here is potential for age falsification on general audience websites, as well as liability under COPPA, should these sites obtain actual knowledge that they are collecting, using, or disclosing personal information from children online.” The report also notes that these trends highlight the need for supplemental solutions, such as age verification technologies, that can provide additional security measures for children online. The report goes on to say that the challenges for both the FTC, as well as parents and others, will likely increase as the means by which children access the Internet increasingly move from stand-alone computers to mobile devices.

Congress enacted COPPA in 1998 to address privacy and security risks created when children under 13 years of age are online. COPPA imposes requirements on operators of Web sites and online services directed to children, as well as other operators with actual knowledge that they have collected personal information from children. The FTC Rule implementing COPPA’s requirements became effective in April 2000.

The FTC has brought 12 COPPA law enforcement actions, assessing more than $1.8 million in civil penalties for alleged violations. The report to Congress promised that the Commission will continue its law enforcement efforts by targeting significant violations and seeking increasing civil penalties to deter unlawful conduct. The FTC will also continue its substantial, ongoing commitment to both business education and education for parents and children about privacy and security risks, and actions that consumers can take to decrease them.

In connection with today’s release of its report to Congress, the FTC also is issuing a series of updated Frequently Asked Questions About the COPPA Rule. These FAQs, which are an important educational tool for business and consumers with specific COPPA questions, can be found at http://www.ftc.gov/privacy/coppafaqs.htm.

Copies of the report are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,600 civil and criminal law enforcement agencies in the U.S. and abroad.

MEDIA CONTACT:

Jackie Dizdul,
Office of Public Affairs
202-326-2472

STAFF CONTACT:

Phyllis H. Marcus,
Bureau of Consumer Protection
202-326-2854

(http://www.ftc.gov/opa/2007/02/copparpt.htm)

 


 

1) November 03 2006 ~ Zango, Inc., formerly known as 180solutions, Inc., one of the world’s largest distributors of adware, and two principals have agreed to settle Federal Trade Commission charges that they used unfair and deceptive methods to download adware and obstruct consumers from removing it, in violation of federal law. The settlement bars future downloads of Zango’s adware without consumers’ consent, requires Zango to provide a way for consumers to remove the adware, and requires them to give up $3 million in ill-gotten gains.

"Consumers' computers belong to them, and they shouldn't have to accept any content they don’t want," said Lydia Parnes, Director of the FTC's Bureau of Consumer Protection. "If consumers choose to receive pop-up ads, so be it. But it violates federal law to secretly install software that forces consumers to get pop-ups that disrupt their computer use."

According to the FTC, Zango often used third parties to install adware on consumers’ computers. The adware, including programs named Zango Search Assistant, 180Search Assistant, Seekmo, and n-CASE, monitors consumers’ Internet use in order to display targeted pop-up ads. It has been installed on U.S. consumers’ computers more than 70 million times and has displayed more than 6.9 billion pop-up ads. The FTC alleges that Zango’s distributors – third-party affiliates who often contracted with numerous sub-affiliates – frequently offered consumers free content and software, such as screensavers, peer-to-peer file sharing software, games, and utilities, without disclosing that downloading them would result in installation of the adware. In other instances, Zango’s third-party distributors exploited security vulnerabilities in Web browsers to install the adware via “drive-by” downloads. As a result, millions of consumers received pop-up ads without knowing why, and had their Internet use monitored without their knowledge.

In addition, the agency alleges that Zango deliberately made it difficult to identify, locate, and remove the adware once it was installed. For example, Zango failed to label its pop-up ads to identify their origin, named its adware files with names resembling those of core systems software, provided uninstall tools that failed to uninstall the adware, gave confusing labels to those uninstall tools, and installed code on consumers’ computers that would enable the adware to be reinstalled secretly when consumers attempted to remove it.

The FTC charged that Zango’s failure to disclose that downloading the free content and software would result in installation of the adware was deceptive, and that its failure to provide consumers with a reasonable and effective means to identify, locate, and remove the adware from their computers was unfair, in violation of the FTC Act.

The settlement bars Zango from using its adware to communicate with consumers’ computers – either by monitoring consumers’ Web surfing activities or delivering pop-up ads – without verifying that consumers consented to installation of the adware. It bars Zango, directly or through others, from exploiting security vulnerabilities to download software, and requires that it give clear and prominent disclosures and obtain consumers’ express consent before downloading software onto consumers’ computers. It requires that Zango identify its ads and establish, implement, and maintain user-friendly mechanisms consumers can use to complain, stop its pop-ups, and uninstall its adware. It also requires that Zango monitor its third-party distributors to assure that its affiliates and their sub-affiliates comply with the FTC order. Finally, Zango will give up $3 million in ill-gotten gains to settle the charges. The settlement contains standard record keeping provisions to allow the FTC to monitor compliance.

The FTC complaint named Zango, Inc., formerly known as 180solutions, Inc., and its principals, Keith Smith and Daniel Todd. They are based in Bellevue, Washington.

The Commission vote to accept the proposed consent agreement was 5-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through December 5, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-135, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

Copies of the complaint, consent order, and an analysis to aid public comment are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to thousands of civil and criminal law enforcement agencies in the U.S. and abroad.

MEDIA CONTACT:

Claudia Bourne Farrell,
Office of Public Affairs
202-326-2181

STAFF CONTACT:

David K. Koehler or Carl H. Settlemyer
Bureau of Consumer Protection
202-326-3627 or 202-326-2019

(FTC File No. 052 3130)

 

 


 

 

2) October 2005 ~ The Federal Trade Commission has asked a U.S. District Court judge to halt an operation that secretly installed spyware and adware that could not be uninstalled by the consumers whose computers it infected. The defendants used the lure of free software they claimed would make peer-to-peer file sharing anonymous. The agency alleges the stealthy downloads violate federal law and asked the court to order a permanent halt to them.

According to the complaint filed by the FTC, Odysseus Marketing and its principal, Walter Rines, advertised software they claimed would allow consumers to engage in peer-to-peer file sharing anonymously. With claims like “DOWNLOAD MUSIC WITHOUT FEAR,” and “DON’T LET THE RECORD COMPANIES WIN,” the defendants encouraged consumers to download their free software. The agency charges that the claims are bogus. First, the software does not make file-sharing anonymous. Second, the cost to consumers is considerable because the “free” software is bundled with spyware called Clientman that secretly downloads dozens of other software programs, degrading consumers’ computer performance and memory. Among other things, this accumulated software replaces or reformats search engine results. For example, consumers who downloaded the spyware may try to conduct a Google or Yahoo! search. Their screens will reveal a page that appears to be the Google or Yahoo! search engine result, but the page is a copy-cat site, and the order of the search results is rigged to place the defendants’ clients first. The bundled software programs also generate pop-up ads and capture and transmit information from the consumers’ computers to servers controlled by the defendants.

The FTC charged that the defendants have an obligation to disclose that their “free” software download caused spyware and adware to be installed on consumers’ computers. But instead, the FTC alleges, they hide their disclosure in the middle of a two-page end-user licensing agreement buried in the “Terms and Conditions” section of their Web site. In addition, the FTC alleges that the defendants deliberately make their software difficult to detect and impossible to remove using standard software utilities. Although the defendants purport to offer their own “uninstall” tool, it does not work. In fact, it installs additional software, according to the FTC’s complaint.

The FTC charges that the practices of Odysseus Marketing and Walter Rines are unfair and deceptive and violate the FTC Act. The agency will seek a permanent halt to the practices.

The defendants are based in Stratham, New Hampshire.

The Commission vote to authorize staff to file the complaint was 4-0. The complaint was filed in the U.S. District Court for the District of New Hampshire.

NOTE: The Commission files a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the defendant has actually violated the law. The case will be decided by the court.

Copies of the complaint are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

 


 

 

3) August 2005 ~ Advertising.com, Inc., now a subsidiary of America Online, Inc., has agreed to settle FTC charges that it violated federal law by offering free security software, but failing to disclose adequately that adware was bundled with that software. The settlement will require that the company clearly and prominently disclose adware bundled with software advertised to enhance security or privacy.

“This company offered SpyBlast, a free security program to protect against hackers,” said Lydia Parnes, Director of the FTC’s Bureau of Consumer Protection. “But consumers who downloaded SpyBlast also downloaded a form of software that followed their electronic comings and goings and force-fed them pop-up ads.”

The FTC complaint charged that Advertising.com, Inc., and its co-founder, John Ferber, distributed ads stating that because a consumer’s computer was broadcasting an Internet IP address, it was at risk from hackers. Consumers who clicked on one of the ads were shown an Active X “security warning” installation box, with a hyperlink describing SpyBlast as “Personal Computer Security and Protection Software from unauthorized users” and telling them, “once you agree to the License Terms and Privacy policy - click YES to continue.” The hyperlink did not indicate the nature and significance of the terms of the licensing agreement – namely that adware would be installed on their computers. Consumers were not required to read the agreement before installing the software. If consumers had read the agreement, they might have seen a statement saying that by accepting the software, they agreed to receive marketing messages, including pop-up ads, based on their Internet browsing habits.

According to the complaint, the SpyBlast software was bundled with a software program that collected information about consumers, including the URLs of pages they visited, that was used to send them advertisements.

The complaint charges that in representing that SpyBlast is an Internet security program, the respondents did not adequately disclose that SpyBlast included adware that caused consumers to receive pop-up ads. It alleges that the presence of the bundled adware would be material to consumers deciding whether to install SpyBlast, and, therefore, that the failure to disclose it adequately was deceptive.

The proposed consent order prohibits the respondents from making any representations about the performance, benefits, efficacy, or features of SpyBlast or any of their other programs promoted as security or privacy software, unless they clearly and conspicuously disclose that consumers who install the program will receive advertisements, if that is the case. The settlement also requires that the respondents comply with standard record-keeping and other provisions to allow the Commission to monitor compliance with the order. The proposed consent order does not cover America Online, Inc., the parent company of respondent Advertising.com, Inc.

The accompanying analysis to aid public comment notes that this complaint, “applies general Commission law on deception. The application of this law in an online context was illustrated in a 2000 FTC staff guidance document, Dot Com Disclosures: Information About Online Advertising, which is available at: http://www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/index.pdf."

The analysis also states: “The proposed order is designed specifically to address the facts of the case at hand. However, the limitation in the proposed order to respondents' software programs whose principal function is to enhance security or privacy should not be read more broadly to suggest that the requirement for clear and prominent disclosure is necessarily limited to those situations. Moreover, the problem here was not the security software that Advertising.com disseminated with its adware. Instead, it was the respondents’ practice of downloading software onto users’ computers, without adequate notice and consent, that generated repeated pop-up ads as the computer users surfed the Web.”

 


 

4) July 2005 ~ Microsoft, McAfee, EarthLink and Hewlett-Packard have formed an Anti-Spyware Coalition (many more companies have now joined), under the direction of the Dept. of Homeland Security, and their much-anticipated draft agreement is available for public review for thirty days (expired August 12, 2005). Entitled Spyware Definitions and Supporting Documents, it proposes that all software vendors disclose the use of spyware in their “EULA” (End User License Agreement). Even if this much-needed draft agreement is passed, the bigger problem will be getting users to read the fine print before downloading or installing new programs. You can read the complete document and learn more about the Coalition partners at their home page.

 


 

5) July 2005 ~ In a crackdown on operations that illegally expose unwitting consumers to graphic sexual content, the Federal Trade Commission has charged seven companies with violating federal laws requiring warning labels on e-mail that contains sexually-explicit content. U.S. District Court suits filed against three operations seek civil penalties and a permanent bar on the illegal marketing. Settlements with four other operations have imposed $1.159 million in civil penalties. The settlements bar the illegal marketing practices in the future and require that the defendants monitor their affiliates to ensure they are not violating the law.

“This x-rated e-mail is electronic flashing,” said Lydia Parnes, Director of the Bureau of Consumer Protection. “It exposes kids and other unwary consumers to graphic sexual content, and it is unwanted, offensive, and illegal.”

“The Adult Labeling Rule was designed to protect consumers who don’t want to be exposed to random assaults of sexual material and others, like kids, for whom it is inappropriate. It’s the law, and we intend to enforce it,” Parnes said.

The FTC’s Adult Labeling Rule and the CAN-SPAM Act require commercial e-mailers of sexually-explicit material to use the phrase “SEXUALLY EXPLICIT: ” in the subject line of the e-mail message and to ensure that the initially viewable area of the message does not contain graphic sexual images. The Rule and the Act also require that unsolicited commercial e-mail contain an opportunity for consumers to opt out of receiving future e-mail and provide a postal address, among other things. The FTC charged that the companies sent sexually-explicit e-mail messages that:

1) violated the Adult Labeling Rule requirements;
2) violated the requirement to provide a clear and conspicuous opt-out mechanism; and
3) violated the requirement to provide a postal address.
 

While the defendants did not send e-mail directly to consumers, they operated “affiliate marketing” programs in which they paid others to send spam on their behalf. Under the CAN-SPAM Act, the defendants are liable for the illegal spam sent by their affiliates because the defendants “initiated” the e-mail by paying others to send it on their behalf.

The settlements bar future violations of the CAN-SPAM Act and the Adult Labeling Rule. They also require that the defendants closely monitor the practices of their affiliate marketers to ensure that they are not violating the law. BangBros.com Inc., based in Florida, will pay $650,000 in civil penalties; MD Media, a Michigan corporation, will pay $238,743; APC Entertainment, Inc., a Florida corporation, will pay $220,000; and Pure Marketing Solutions, LLC, a Florida company, and Internet Matrix Technology, a corporation based in Louisiana, will together pay $50,000. The settlements contain record-keeping provisions to allow the FTC to monitor the defendants’ compliance with the orders.

In addition to the settlements, at the request of the FTC, the Department of Justice (DOJ) has filed suit in U.S. District Courts citing three other operations for violations of the CAN-SPAM Act and the Adult Labeling Rule: TJ Web Productions, LLC, a Nevada company; Cyberheat, Inc., an Arizona Corporation; and Impulse Media, a Washington corporation.

Microsoft Corporation provided valuable technical assistance in the investigation of these cases.

 


 

 6) June 2005 ~ Recently, the U.S. House of Representatives passed H.R. 29, the "Securely Protect Yourself Against Cyber Trespass Act," dubbed the SPY ACT. The bill was introduced by Congresswoman Mary Bono (R-CA) and cosponsored by Congressman Greg Walden (R-OR). The SPY ACT prohibits practices such as hijacking a consumer's homepage and keystroke logging. Under the SPY ACT the Federal Trade Commission would have the authority to enforce financial penalties for those who knowingly violate the Act. Additionally, the House passed H.R. 744, the "Internet Spyware Protection Act," which would penalize, through fines or prison sentences, violators who use spyware to steal information, damage a computer or commit fraud.

 


 

7) June 2005 ~ The U.S. government will indefinitely retain oversight of the main computers that control traffic on the internet, ignoring calls by some countries to turn the function over to an international body, a senior official said Thursday. The announcement marked a departure from previously stated U.S. policy.

Michael D. Gallagher, assistant secretary for communications and information at the U.S. Commerce Department, shied away from terming the declaration a reversal, calling it instead "the foundation of U.S. policy going forward."  "The signals and words and intentions and policies need to be clear so all of us benefiting in the world from the internet and in the U.S. economy can have confidence there will be continued stewardship," Gallagher said in an interview with The Associated Press.

 


 

 

8) January 2004 ~ The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them.

The law, which became effective January 1, 2004, covers email whose primary purpose is advertising or promoting a commercial product or service, including content on a Web site. A “transactional or relationship message” — email that facilitates an agreed-upon transaction or updates a customer in an existing business relationship — may not contain false or misleading routing information, but otherwise is exempt from most provisions of the CAN-SPAM Act.
 

The Federal Trade Commission (FTC), the nation’s consumer protection agency, is authorized to enforce the CAN-SPAM Act. CAN-SPAM also gives the Department of Justice (DOJ) the authority to enforce its criminal sanctions. Other federal and state agencies can enforce the law against organizations under their jurisdiction, and companies that provide Internet access may sue violators, as well.
 

What the Law Requires
Here’s a rundown of the law’s main
provisions:
• It bans false or misleading header information.
Your email’s “From,” “To,” and
routing information – including the originating
domain name and email address – must
be accurate and identify the person who
initiated the email.


• It prohibits deceptive subject lines. The
subject line cannot mislead the recipient
about the contents or subject matter of the
message.


• It requires that your email give recipients
an opt-out method. You must provide a
return email address or another Internetbased
response mechanism that allows a
recipient to ask you not to send future email
messages to that email address, and you must
honor the requests. You may create a
“menu” of choices to allow a recipient to opt
out of certain types of messages, but you
must include the option to end any commercial
messages from the sender.
Any opt-out mechanism you offer must be
able to process opt-out requests for at least
30 days after you send your commercial
email. When you receive an opt-out request,
the law gives you 10 business days to stop
sending email to the requestor’s email
address. You cannot help another entity send
email to that address, or have another entity
send email on your behalf to that address.
Finally, it’s illegal for you to sell or transfer
the email addresses of people who choose
not to receive your email, even in the form of
a mailing list, unless you transfer the addresses
so another entity can comply with the
law.


• It requires that commercial email be identified as an advertisement and include the sender’s valid physical postal address. Your message must contain clear and conspicuous notice that the message is an advertisement or solicitation and that the recipient can opt out of receiving more commercial email from you. It also must include your valid physical postal address.

Penalties
Each violation of the above provisions is subject to fines of up to $11,000. Deceptive commercial email also is subject to laws banning false or misleading advertising.
Additional fines are provided for commercial emailers who not only violate the rules described above, but also:


• “harvest” email addresses from Web sites or Web services that have published a notice prohibiting the transfer of email addresses for the purpose of sending email


• generate email addresses using a “dictionary attack” — combining names, letters, or numbers into multiple permutations


• use scripts or other automated ways to register for multiple email or user accounts to send commercial email


• relay emails through a computer or network without permission — for example, by taking advantage of open relays or open proxies without authorization.


Facts for Business
The law allows the DOJ to seek criminal penalties, including imprisonment, for commercial emailers who do — or conspire to:


• use another computer without authorization and send commercial email from or through it


• use a computer to relay or retransmit multiple commercial email messages to deceive or mislead recipients or an Internet access service about the origin of the message


• falsify header information in multiple email messages and initiate the transmission of such messages


• register for multiple email accounts or domain names using information that falsifies the identity of the actual registrant


• falsely represent themselves as owners of multiple Internet Protocol addresses that are used to send commercial email messages.


Additional Rules
The FTC will issue additional rules under the CAN-SPAM Act involving the required labeling of sexually explicit commercial email and the criteria for determining “the primary purpose” of a commercial email. Look for the rule covering the labeling of sexually explicit material in April 2004; “the primary purpose” rulemaking will be complete by the end of 2004. The Act also instructs the FTC to report to Congress in summer 2004 on a National Do Not E-Mail Registry, and issue reports in the next two years on the labeling of all commercial email, the creation of a “bounty system” to promote enforcement of the law, and the effectiveness and enforcement of the CAN-SPAM Act.


See the FTC Web site at www.ftc.gov/spam for updates on implementation of the CAN-SPAM Act.


The FTC maintains a consumer complaint database of violations of the laws that the FTC enforces. Consumers can submit complaints online at www.ftc.gov and forward unwanted commercial email to the FTC at spam@uce.gov.
 

Your Opportunity to Comment
The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the Ombudsman evaluates the conduct of these activities and rates each agency’s responsiveness to small businesses. Small businesses can comment to the Ombudsman without fear of reprisal. To comment, call toll-free 1-888-REG-FAIR (1-888-734-3247) or go to www.sba.gov/ombudsman.
 

For More Information
The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint or to get free information on consumer issues, visit www.ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

Federal Trade Commission
Bureau of Consumer Protection
Office of Consumer and Business Education
April 2004

www.ftc.gov
 


 9) April 2000 ~ The Children's Online Privacy Protection Act (COPPA), passed by Congress in October 1998, requires the Federal Trade Commission (FTC) to issue and enforce rules concerning children's online privacy. The FTC issued the Children's Online Privacy Protection Rule in November 1999; it has been in effect since April 21, 2000. The Rule's primary goal: to place parents in control over what information is collected from their children online.

The Rule applies to:

*Operators of commercial websites or online services directed to children under 13 that collect personal information from children;

*Operators of general audience sites that knowingly collect personal information from children under 13; and

*Operators of general audience sites that have a separate children's area and that collect personal information from children.

The Rule requires these operators to:

*Post a privacy policy on the homepage of the website and link to the privacy policy everywhere personal information is collected.

*Provide notice to parents about the site's information collection practices and, with some exceptions, get verifiable parental consent before collecting personal information from children.

*Give parents the choice to consent to the collection and use of a child's personal information for internal use by the website, and give them the chance to choose not to have that personal information disclosed to third parties.

*Provide parents with access to their child's information, and the opportunity to delete the information and opt out of the future collection or use of the information.

*Not condition a child's participation in an activity on the disclosure of more personal information than is reasonably necessary for the activity.

*Maintain the confidentiality, security and integrity of the personal information collected from children.

The FTC has prepared this guide to help website operators comply with the Rule. The guide explains each component of a COPPA-compliant privacy policy, answers questions that website operators have asked, and features a Compliance Checklist to help website operators identify areas where their privacy policies could be improved.

The Basic Requirements
A privacy policy tells the visitor about the information collection practices of the website. For sites that are covered by COPPA, the policy must explain what types of personal information are collected, how it is collected, and how the website will use the information. It also needs to tell the visitor whether the website gives the personal information to anyone else. If so, the policy must identify the third parties and tell the visitor how the third parties will in general use the information. The privacy policy must be placed where it can be found easily, and it must be written so that the average person can understand what it says.

Location
To comply with the Rule, a website directed to children must put the link to its privacy policy in a clear and prominent place on the home page and at every area on the website where children are asked to provide personal information. The links to the privacy policy also must be close to the requests for information.
General audience websites with separate children's areas must post a clear and prominent link on the home page of the children's area, as well as at every area where personal information is collected from children. A general audience website is not required to have a separate privacy policy for its children's area, and may combine its general audience and children's privacy policies into one document. However, a website without a separate privacy policy for its children's area should clearly disclose at the top of its privacy policy that a specific section discusses the site's information practices with respect to children. A general audience site also can link from the children's area directly to the part of its privacy policy that pertains to children.1

Clear and Prominent Links
The Rule requires that the link to the privacy policy be placed in a clear and prominent place on the home page and everywhere that children provide - or are asked to provide - personal information.2 "Clear and prominent" means that the link stands out and is noticeable to visitors through the use of different type sizes, different fonts, different colors, or contrasting backgrounds. A link that is in tiny print at the bottom of the home page - or one that is indistinguishable from adjacent links - is not considered clear and prominent.3

Clear Labels
The link must be labeled clearly, which allows the visitor to know the link goes to the site's privacy policy and a description of its information collection practices. For example, a link that says Privacy Policy, Privacy Statement or Information Collection Practices Statement is considered to be labeled clearly. Links labeled Important Information, Legal Notice or Note to Parents would not be as effective in letting the visitor know that a click would take him or her to the site's privacy policy.

Location: The Basics
*Place a link to the privacy policy on the website's homepage - or on the homepage of the children's area of a general audience site.
*Place a link to the privacy policy close to all areas where personal information is collected from children.
*Make the link to the privacy policy "clear and prominent."
*Label the link clearly so visitors know it goes to the website's privacy policy.

Content
A privacy policy tells visitors about the types of information the website collects, how the site handles the information, and whether the site gives the information to anyone else. The Rule requires that the privacy policy be clear and understandable. The policy must give a complete description of the site's information practices; it must not contain confusing or contradictory information.
The privacy policy plays a very important role in a parent's decision to agree to a website's request for information from their children. One that is clearly written, easy-to-understand, and full of relevant information helps parents make an informed decision.

To be COPPA-compliant, a privacy policy must contain the following information:

*Contact information, including the name, mailing address, telephone number, and email address of all operators collecting or maintaining personal information from children through the website. This requirement lets parents know who will see and use their children's personal information; it gives them the information they need to get in touch with the operators who collect or maintain their children's personal information.
According to the Rule, if several operators are collecting information through the website, the site operator may list the name, address, phone number, and email address of one operator who will respond to all inquiries from parents about the operators' privacy policies and uses of children's information - but only if it makes the names of all the operators available, either by listing them in the policy or linking to them from the policy.4
*What types of personal information are collected, and how. Website operators should be specific enough about the types of personal information they collect from children to allow parents to make an informed decision about whether to agree to the collection and use of the information. A policy that uses descriptors like name, address, telephone number, hobbies, gender, and age tells parents exactly the types of personal information that the website collects from children. A privacy policy that notes it collects "contact information" gives parents no idea whether the website is collecting an email address or a home telephone number.
In addition, the privacy policy must state whether personal information is collected actively or passively. Active collection includes registration forms and email newsletter sign-up boxes. Passive collection includes the use of cookies or other identifiers when the information is combined with "personal information."5
*How the website will use the personal information. The privacy policy should state if the personal information is to be used to fulfill a requested transaction, keep records or market back to the child. For example, it should explain that email addresses are used to send weekly newsletters, or that a mailing address is used to send a prize or magazine subscription or fulfill another request.
In addition, the privacy policy must state whether the website offers activities that allow the child or the site to disclose the child's personal information publicly - for example, through chat rooms, message boards or email accounts.
*Whether the website operator gives or discloses the personal information it has collected from children to third parties.6 The website also must give parents the option of consenting to its collection and internal use of their child's personal information while refusing to permit the site to share the information with third parties.

If the website shares personal information with third parties, the privacy policy must explain the types of businesses the third parties are in and the general purposes for which they will use the information. The privacy policy also must tell the visitor whether the third parties have agreed to maintain the confidentiality, security and integrity of the personal information they obtain from the website operator.

Third Parties
The Rule defines a third party as a person who is not an operator of the website or who does not provide support for the internal operations of the website.7
If the website is sharing the personal information with a company or person whose only role is to provide support for the internal operations of the website - like a fulfillment house or a shipping company - the disclosure of the personal information is not to a "third party" and does not have to be spelled out in the privacy policy. The Rule specifically defines "third party" to exclude people who provide internal support. These providers are obligated to use the personal information only to carry out their specific obligations. They cannot use the information for any other purpose.
Whether an "affiliated or related company" is considered a third party and triggers the third-party disclosure requirements, depends on the affiliated or related company's relationship to the personal information. If the affiliated or related company is an operator of the website because it collects personal information on the site, or because personal information is being collected on its behalf, it is not considered a third party. Rather, it is considered an operator - and subject to the Rule. If the affiliated or related company is not an operator and isn't providing internal support services, it is considered a third party. The privacy policy must tell parents about the sharing of personal information with this affiliated or related company and must give parents the choice to allow the disclosure of information - or not.

The Ban on Conditioning Participation on Information Collection
The Rule prohibits website operators from conditioning a child's participation in an activity - like a game or prize offer - on the child's disclosure of more personal information than is reasonably necessary to participate in the activity. This provision prevents tying personal information from children to popular and persuasive incentives like games and prizes, and preserves a child's access to such activities. For example, to send a child a prize, it is reasonably necessary for a website to collect the child's mailing address. Asking the child for a postal or mailing address when offering an email newsletter would not be reasonably necessary. The Rule requires that privacy policies state this prohibition explicitly.

Parental Rights
The privacy policy must state that a parent can review the child's personal information, have it deleted, and refuse to allow the further collection or use of the child's information - and explain the procedures for doing so. For example, the privacy policy could provide contact information, like an email address or toll-free telephone number, for the parent to use.

Content: The Basics

The privacy policy must:

*Be written clearly and understandably. It should not contain any confusing or contradictory information.
*Describe the site's information practices completely and accurately.
*Include contact information (name, mailing address, telephone number, and email address) for all operators collecting or maintaining personal information through the website.
*Explain what types of personal information the site collects, whether it collects the information actively or passively, and how it will use the information.
*Provide all the required information about the disclosure of personal information to third parties.
*Tell parents they can consent to the collection and use of their child's personal information without consenting to the disclosure of the information to third parties.
*Explain that website operators cannot condition a child's participation in an activity on the child providing more personal information than is reasonably necessary for the activity.
*Tell parents that they can review their child's personal information, have it deleted and refuse to permit any further collection - and how to do it.
 

Endnotes
2 64 Fed. Reg. 59,888, 59,894 at n.98 (Nov. 3, 1999).
3 See 16 C.F.R. 312.4(b)(1)(ii) and (iii).
4 64 Fed. Reg. at 59,894.
5 See 16 C.F.R. 312.4(b)(2)(i).
6 The Rule defines personal information as including information collected through the use of cookies or other identifiers when tied to personal information, such as an email address. 16 C.F.R. §312.2.
If your site uses cookies and links the information stored in the cookie with other individually identifiable information, such collection must be disclosed in the privacy policy.
7 Because the Rule regulates operators and not "third parties," the Rule requires operators to tell parents about the third party and what the third party plans to do with the information given to it by the operator.
8 16 C.F.R. §312.2.

 

10) August 1998  ~  GeoCities, one of the most popular sites on the World Wide Web, has agreed to settle Federal Trade Commission charges that it misrepresented the purposes for which it was collecting personal identifying information from children and adults. This is the first FTC case involving Internet privacy. Under the settlement, GeoCities has agreed to post on its site a clear and prominent Privacy Notice, telling consumers what information is being collected and for what purpose, to whom it will be disclosed, and how consumers can access and remove the information. To ensure parental control, GeoCities also would have to obtain parental consent before collecting information from children 12 and under.

"GeoCities misled its customers, both children and adults, by not telling the truth about how it was using their personal information," said Jodie Bernstein, Director of the FTC's Bureau of Consumer Protection. "This case is a message to all Internet marketers that statements about their information collection practices must be accurate and complete. The FTC will continue to monitor these Internet sites and bring enforcement actions when it's appropriate. GeoCities should be commended for stepping forward and agreeing to undertake important privacy protections for consumers. I hope that other Web sites will follow GeoCities' lead in implementing these protections."

GeoCities, headquartered in Santa Monica, California, operates the GeoCities Web site, a "virtual community" consisting of members' personal home pages organized into themed areas, called neighborhoods. GeoCities has over 2 million members, and industry reports have identified it as the third most frequently visited Web site accessed from consumers' homes. The GeoCities Web site can be found at http://www.geocities.com

GeoCities provides numerous services to its members, including free and fee-based personal home pages and free e-mail service. In order to become a member of GeoCities, individuals must complete an online application form that requests certain personal identifying information. At the time of the investigation, the form designated certain information as mandatory and other information as "optional." The form also asked applicants to select whether they wished to receive specific "special offers" from advertisers, and specific products or services from individual companies.

Through this registration process, GeoCities created a database that included e-mail and postal addresses, member interest areas, and demographics including income, education, gender, marital status and occupation, the FTC said. According to the agency, this information created target markets for advertisers and resulted in disclosure of personal identifying information of children and adults to third-party marketers.

The FTC's complaint alleges that GeoCities misrepresented that the personal identifying information it collected through the membership application form was used only to provide members the specific advertising offers and products or services they requested, and that the "optional" information (education level, income, marital status, occupation, and interests) would not be released to anyone without the member's permission. In fact, the complaint alleges, this information was disclosed to third parties, who used it to target members for solicitations beyond those agreed to by the member.

The complaint also charges that GeoCities engaged in deceptive practices relating to its collection of information from children. According to the FTC, GeoCities promotes the Official GeoCities GeoKidz Club and contests for children in the Enchanted Forest neighborhood. Children wishing to join in these activities are required to complete forms that solicit personal identifying information. The agency charged that GeoCities misrepresented that GeoCities itself operated the GeoKidz Club and certain contests, and that the information collected online through the club and contests was maintained by GeoCities. In fact, according to the complaint, the Club and contests were run by third-party "community leaders" hosted on the GeoCities Web site, who collected and maintained the information.

The proposed settlement would prohibit GeoCities from misrepresenting the purpose for which it collects or uses personal identifying information from or about consumers, including children. Personal information is defined to include name, physical and e-mail address, phone number, and any other information that by itself or in combination with other information is identifiable to a specific individual.

The order would require the company to post on its site a clear and prominent Privacy Notice, telling consumers what information is being collected and for what purpose, to whom it will be disclosed, and how consumers can access and remove the information. The Notice, or a clear and prominent hyperlink to the Notice, would have to appear on the Web site's home page and at each location on the site at which such information is collected.

The order also would prohibit GeoCities from misrepresenting either the identity of a party collecting any personal identifying information or the sponsorship of any activity on its Web site.

To ensure parental control, the settlement would require GeoCities to obtain parental consent before collecting personal identifying information from children 12 and under. This provision conforms to current industry self-regulatory guidelines. The order would not require any particular procedure for obtaining parental consent, allowing for future technological developments, but would include a specific procedure that would be deemed to comply with the order. Under that procedure, GeoCities could collect certain "limited screening information" from consumers attempting to register at the site for the purpose of identifying and blocking children 12 and under from registering without their parent's permission. The company would then (a) notify the parents of the child's interest in registering at the site, and (b) obtain a parent's express consent. The order specifies several means by which the parent can transmit his/her consent, including a signed statement sent by mail or a credit card authorization.

Under the proposed order, GeoCities would be required to notify its members and provide them with an opportunity to have their information deleted from GeoCities' and any third parties' databases. The settlement would require GeoCities to notify the parents of children 12 and under and to delete their information, unless a parent affirmatively consents to its retention and use. GeoCities also would be required to contact third parties to whom it previously disclosed the information and request that those parties delete that information as well.

Finally, the settlement would require GeoCities to provide, for five years, a clear and prominent hyperlink within its Privacy Notice directing visitors to the FTC's Web site, http://www.ftc.gov, to view educational material on consumer privacy. Currently, the FTC site contains a brochure entitled: "Site-Seeing on the Internet." GeoCities also would be required to establish an information practices training program for its employees and volunteer community leaders.

The Commission vote to publish the proposed consent agreement was 4-0.