
United States v. Rockyou, Inc.

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA San Francisco Division
Mar 27, 2012
Case No. 3:12-cv-01487-SI (N.D. Cal. Mar. 27, 2012)

Opinion

UNITED STATES OF AMERICA, Plaintiff, v. ROCKYOU, INC. Defendant.

FOR THE UNITED STATES OF AMERICA: STUART F. DELERY Acting Assistant Attorney General Civil Division U.S. Department of Justice MAAME EWUSI-MENSAH FRIMPONG Acting Deputy Assistant Attorney General Civil Division MICHAEL S. BLUME Director Consumer Protection Branch FOR THE DEFENDANT: GARRET RASMUSSEN Orrick, Herrington & Sutcliffe LLP Attorney for Defendant RockYou, Inc. KENNETH L. JOST Deputy Director Consumer Protection Branch ALAN J. PHELPS Trial Attorney Consumer Protection Branch U.S. Department of Justice


STIPULATED MOTION TO ENTER CONSENT DECREE AND ORDER FOR CIVIL PENALTIES, INJUNCTION, AND OTHER RELIEF

Plaintiff, the United States of America, and Defendant, RockYou, Inc., by and through their undersigned attorneys, hereby request that the Court enter the Consent Decree and Order for Civil Penalties, Permanent Injunction, and Other Relief that accompanies this Stipulated Motion. All parties have agreed to the terms of the Decree, as evidenced by their signatures thereon.

On March 21, 2012, counsel for Defendant authorized counsel for Plaintiff to sign and file this Stipulated Motion on behalf of all parties. Respectfully submitted this 27th day of March, 2012.

FOR THE UNITED STATES OF AMERICA:

STUART F. DELERY

Acting Assistant Attorney General

Civil Division

U.S. Department of Justice

MAAME EWUSI-MENSAH FRIMPONG

Acting Deputy Assistant Attorney General

Civil Division

MICHAEL S. BLUME

Director

Consumer Protection Branch

FOR THE DEFENDANT:

____________________

GARRET RASMUSSEN

Orrick, Herrington & Sutcliffe LLP

Attorney for Defendant RockYou, Inc.

KENNETH L. JOST

Deputy Director

Consumer Protection Branch

_______________

ALAN J. PHELPS

Trial Attorney

Consumer Protection Branch

U.S. Department of Justice

CERTIFICATE OF SERVICE

I HEREBY CERTIFY that on this 27th day of March, 2012, the undersigned caused a true and correct copy of the above-entitled STIPULATED MOTION TO ENTER CONSENT DECREE AND ORDER FOR CIVIL PENALTIES, INJUNCTION, AND OTHER RELIEF to be served via overnight delivery upon counsel for the defendants as follows:

GARRET RASMUSSEN
Orrick, Herrington & Sutcliffe LLP
Columbia Center
1152 15th Street, N.W.
Washington, D.C. 20005-1706
Attorney for Defendant RockYou, Inc.

________________

ALAN J. PHELPS

STUART F. DELERY

Acting Assistant Attorney General

Civil Division

U.S. Department of Justice

MICHAEL S. BLUME

Director

Consumer Protection Branch

ALAN PHELPS

Trial Attorney

Consumer Protection Branch

U.S. Department of Justice

Attorneys for the Plaintiff

UNITED STATES OF AMERICA, Plaintiff,

v.

ROCKYOU, INC. Defendant.

Case No. 12-CV-1487

CONSENT DECREE AND ORDER FOR CIVIL PENALTIES, INJUNCTION AND OTHER RELIEF

WHEREAS Plaintiff, the United States of America, has commenced this action by filing the complaint herein; Defendant has waived service of the Summons and Complaint; the parties have been represented by the attorneys whose names appear hereafter; and the parties have agreed to settlement of this action upon the following terms and conditions, without adjudication of any issue of fact or law, and without Defendant admitting any issue of fact or law other than those related to jurisdiction and venue;

THEREFORE, on the joint motion of Plaintiff and Defendant, it is hereby ORDERED, ADJUDGED, and DECREED as follows:

1. This Court has jurisdiction of the subject matter and of the parties pursuant to 28 U.S.C. §§ 1331, 1337(a), 1345, and 1355, and 15 U.S.C. §§ 45(m)(1)(A), 53(b), 56(a), and 57b.
2. Venue is proper as to all parties in the Northern District of California under 15 U.S.C. § 53(b) and 28 U.S.C. §§ 1391(b)-(c) and 1395(a).
3. The activities of Defendant are in or affecting commerce as defined in Section 4 of the FTC Act, 15 U.S.C. § 44.
4. The Complaint states a claim upon which relief may be granted against Defendant under Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act ("FTC Act"), 15 U.S.C. §§ 41-58, 45(a)(1), 45(m)(1)(A), 53(b), and 56(a) and under Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 ("COPPA"), 15 U.S.C. §§ 6501-6506, 6502(c), and 6505(d); the Commission's Children's Online Privacy Protection Rule, 16 C.F.R. Part 312. Among other things, the Complaint alleges that:
A. Defendant violated the FTC Act by deceptively representing to consumers that it provided reasonable security for the personal information it collected from consumers;
B. Defendant violated COPPA and the FTC Act by failing to provide notice to parents of its information practices, and to obtain verifiable parental consent prior to collecting, using, and/or disclosing personal information from children online;
C. Defendant violated the FTC Act by deceptively representing that it did not collect information from children online; and
D. Defendant violated the FTC Act by deceptively representing that it would delete any personal information collected from children online.
5. Defendant has entered into this Consent Decree and Order for Civil Penalties, Injunction, and Other Relief ("Order") freely and without coercion. Defendant further acknowledges that it has read the provisions of this Order and is prepared to abide by them.
6. Plaintiff and Defendant hereby waive all rights to appeal or otherwise challenge the validity of this Order.
7. Plaintiff and Defendant stipulate and agree that entry of this Order shall constitute a full, complete, and final settlement of this action.
8. Defendant has agreed that this Order does not entitle it to seek or to obtain attorneys' fees as a prevailing party under the Equal Access to Justice Act, 28 U.S.C. § 2412, and Defendant further waives any rights to attorneys' fees that may arise under said provision of law.
9. Entry of this Order is in the public interest.

DEFINITIONS


10. "Rule" means the Federal Trade Commission's Children's Online Privacy Protection Rule, 16 C.F.R. Part 312.
11. The terms "child," "collects," "collection," "Commission," "delete," "disclosure," "Internet," "online contact information," "operator," "parent," "person," "personal information," "third party," "verifiable consent," and "website or online service directed to children," are defined in Section 312.2 of the Rule, 16 C.F.R. § 312.2.
12. "Consumer personal information" means individually identifiable information from or about an individual consumer including, but not limited to: (a) a first and last name; (b) a home or other physical address, including street name and name of city or town; (c) an email address or other online contact information, such as an instant messaging user identifier or a screen name; (d) a telephone number; (e) a Social Security number; (f) a driver's license or other state-issued identification number; (g) a financial institution account number; (h) credit or debit card information; (i) a persistent identifier, such as a customer number held in a "cookie," a static Internet Protocol ("IP") address, or processor serial number; (j) nonpublic communications and content posted on Defendant's web site or within Defendant's applications provided on any other web site; or (k) any information that is combined with any of (a) through (i) above.
13. "Defendant" means RockYou, Inc., a corporation, its successors and assigns and its officers, agents, representatives, and employees.

INJUNCTION REGARDING COLLECTION OF INFORMATION FROM CHILDREN ONLINE


14. IT IS ORDERED that Defendant, and its officers, agents, representatives, and employees, and all persons in active concert or participation with them who receive actual notice of this Order by personal service or otherwise, are hereby enjoined, directly or through any corporation, subsidiary, division, website, or other device, in connection with any website or online service directed to children, or on any website or online service through which they, with actual knowledge, collect, use, and/or disclose personal information from children, from:
A. failing to provide sufficient notice of the information Defendant collects online from children, how it uses such information, its disclosure practices, and all other content, as required by Section 312.4(b) of the Rule, 16 C.F.R. § 312.4(b);
B. failing to provide direct notice to parents of what information Defendant collects online from children, how it uses such information, its disclosure practices, and all other required content, as required by Section 312.4(c) of the Rule, 16 C.F.R. § 312.4(c);
C. failing to obtain verifiable parental consent before any collection, use, and/or disclosure of personal information from children, as required by Section 312.5 of the Rule, 16 C.F.R. § 312.5(a)(1);
D. failing to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children, as required by Section 312.8 of the Rule, 16 C.F.R. § 312.8; or
E. violating any other provision of the Rule, 16 C.F.R. Part 312, and as the Rule may hereafter be amended. A copy of the Rule is attached hereto as "Appendix A" and incorporated herein as if fully set forth verbatim.
15. IT IS FURTHER ORDERED that Defendant, and its officers, agents, representatives, and employees, and all persons in active concert or participation with them who receive actual notice of this Order by personal service or otherwise, are hereby enjoined, directly or through any corporation, subsidiary, division, website, or other device, in connection with the operation of any website or online service, from making any misrepresentation concerning the collection, use, disclosure, or deletion of children's personal information.

DELETION OF CHILDREN'S PERSONAL INFORMATION


16. IT IS FURTHER ORDERED that Defendant, within 10 days from the date of receipt of notice of the entry of this Order shall delete all personal information collected and maintained within its possession, custody, or control in violation of the Rule at any time from April 21, 2000 through the date of entry of this Order.

CONSUMER EDUCATION REMEDY


17. IT IS FURTHER ORDERED that, for a period of 5 years from the date of entry of this Order, Defendant, in connection with its operation of any website or online service directed to children, and any website or online service through which Defendant, with actual knowledge, collects, uses, and/or discloses personal information from children, shall place a clear and conspicuous notice, that will unavoidably be seen by users prior to the collection of personal information from the users, which states as follows in bold typeface:
NOTICE: Visit www.OnGuardOnline.gov for tips from the Federal Trade Commission on protecting kids' privacy online
["www.OnguardOnline.gov" must contain a hyperlink to http://www.onguardonline.gov/topics/kids-privacy.aspx]
Defendant shall be required to change the hyperlinks/URLs within 15 days after receipt of notice from the Federal Trade Commission of a change to such hyperlinks/URLs.

CIVIL PENALTY


18. IT IS FURTHER ORDERED that Defendant shall pay to Plaintiff a civil penalty, pursuant to Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. § 45(m)(1)(A), in the amount of two hundred and fifty thousand dollars ($250,000), due and payable within five (5) days of receipt of notice of the entry of this Order. Unless otherwise directed, payment shall be made by electronic fund transfer in accordance with procedures specified by the Consumer Protection Branch, Civil Division, U.S. Department of Justice, Washington, DC 20530.
19. Defendant relinquishes all dominion, control, and title to the funds paid to the fullest extent permitted by law. Defendant shall make no claim to or demand return of the funds, directly or indirectly, through counsel or otherwise.
20. Defendant agrees that the facts as alleged in the Complaint filed in this action shall be taken as true, without further proof, in any subsequent civil litigation filed by or on behalf of the Commission to enforce its rights to any payment or money judgment pursuant to this Order.
21. In the event of any default in payment, which default continues for ten (10) days beyond the due date of payment, the entire unpaid penalty, together with interest, as computed pursuant to 28 U.S.C. § 1961 (accrued from the date of default to the date of payment) shall immediately become due and payable.

INJUNCTION REGARDING SECURITY OF CONSUMER PERSONAL INFORMATION


22. IT IS ORDERED that Defendant, and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, limited liability company, division, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which they maintain and protect the privacy, confidentiality, security, or integrity of consumer personal information collected from or about consumers.
23. IT IS FURTHER ORDERED that Defendant, and its officers, agents, representatives, and employees, directly or through any corporation, subsidiary, limited liability company, division, or other device, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of consumer personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to Defendant's size and complexity, the nature and scope of Defendant's activities, and the sensitivity of the consumer personal information collected from or about consumers, including:
A. the designation of an employee or employees to coordinate and be accountable for the information security program.
B. the identification of material internal and external risks to the security, confidentiality, and integrity of consumer personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures.
C. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards' key controls, systems, and procedures.
D. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding consumer personal information they receive from Defendant, and requiring service providers by contract to implement and maintain appropriate safeguards.
E. the evaluation and adjustment of Defendant's information security program in light of the results of the testing and monitoring required by subpart C, any material changes to Defendant's operations or business arrangements, or any other circumstances that Defendant knows or has reason to know may have a material impact on the effectiveness of its information security program.
24. IT IS FURTHER ORDERED that, in connection with its compliance with Paragraph 23 of this order, Defendant shall obtain initial and biennial assessments and reports ("Assessments") from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. The reporting period for the Assessments shall cover: (1) the first year after service of the Order for the initial Assessment, and (2) each 2 year period thereafter for 20 years after service of the Order for the biennial Assessments.
A. Each Assessment shall:
1. set forth the specific administrative, technical, and physical safeguards that Defendant has implemented and maintained during the reporting period;
2. explain how such safeguards are appropriate to Defendant's size and complexity, the nature and scope of Defendant's activities, and the sensitivity of the consumer personal information collected from or about consumers;
3. explain how the safeguards that have been implemented meet or exceed the protections required by the Paragraph 23 of this Order; and
4. certify that Defendant's security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of consumer personal information is protected and has so operated throughout the reporting period.
B. Each Assessment shall be prepared and completed within 60 days after the end of the reporting period to which the Assessment applies by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.
C. Defendant shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within 10 days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by Defendant until the order is terminated and provided to the Associate Director for Enforcement within 10 days of request.

ORDER ACKNOWLEDGMENTS


25. IT IS FURTHER ORDERED that Defendant obtain acknowledgments of receipt of this Order:
A. Defendant, within 7 days of entry of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.
B. For 8 years after entry of this Order, Defendant must deliver a copy of this Order to: (1) all principals, officers, directors, and managers; (2) all employees, agents, and representatives having supervisory responsibilities relating to the collection, retention, storage, or security of consumer personal information and all employees, agents, and representatives having supervisory responsibilities related to the operation of any website or online service subject to this Order; and (3) any business entity resulting from any change in structure as set forth in the Section titled "Compliance Reporting." Delivery must occur within 7 days of entry of this Order for current personnel. To all others, delivery must occur before they assume their responsibilities.
C. From each individual or entity to which a Defendant delivered a copy of this Order, that Defendant must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.

COMPLIANCE REPORTING


26. IT IS FURTHER ORDERED that Defendant make timely submissions to the Commission:
A. One hundred eighty (180) days after the date of entry of this Order, Defendant must submit a compliance report, sworn under penalty of perjury. This report must:
1. Designate at least one telephone number and an email, physical, and postal address as points of contact, which representatives of the Commission may use to communicate with Defendant;
2. Identify all of Defendant's businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses;
3. Describe the activities of each business, including the products and services offered and the means of advertising, marketing, and sales;
4. Describe in detail whether and how Defendant is in compliance with each Section of this Order;
5. Provide a statement setting forth in detail the criteria and process through which Defendant's websites or online services register visitors online for any activity requiring the submission of personal information, and a copy of each different version of screen or page providing or collecting registration information;
6. Provide a copy of each different version of any privacy notice posted on each website or online service operated by Defendant;
7. Provide a statement setting forth in detail each place where the privacy notice on any such website or online service is located and a copy of each different version of screen or page on which such website or online service collects personal information;
8. Provide a copy of each different version of any privacy notice sent to parents of children that register on each website or online service;
9. Provide a statement setting forth in detail when and how each such notice to parents is provided;
10. Provide a statement setting forth in detail the methods used to obtain verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children;
11. Provide a statement setting forth in detail the means provided for parents to review the personal information collected from their children and to refuse to permit its further use or maintenance;
12. Provide a statement setting forth in detail why each type of information collected from a child is reasonably necessary for the provision of the particular related activity;
13. Provide a statement setting forth in detail the procedures used to protect the confidentiality, security, and integrity of personal information collected from children; and
14. Provide a copy of each Order Acknowledgement obtained pursuant to this Order, unless previously submitted to the Commission.
B. For 20 years following entry of this Order, Defendant must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (a) any designated point of contact; or (b) the structure of Defendant or any entity that Defendant has any ownership interest in or directly or indirectly controls that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.
C. Defendant must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or any similar proceeding by or against Defendant within 14 days of its filing.
D. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 18 U.S.C. § 1746, such as by concluding: "I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____" and supplying the date, signatory's full name, title (if applicable), and signature.
E. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: FTC v. Rock You, Inc.

RECORDKEEPING


27. IT IS FURTHER ORDERED that Defendant must create certain records for 20 years after entry of the Order, and to retain each such record for 5 years. Specifically, Defendant, in connection with personal information collected from consumers, including children under the age of 13, must maintain the following records:
A. Accounting records showing the revenues from all goods or services sold, all costs incurred in generating those revenues, and the resulting net profit or loss;
B. Personnel records showing, for each person providing services, whether as an employee or otherwise, that person's: name, addresses, and telephone numbers; job title or position; dates of service; and, if applicable, the reason for termination;
C. A copy of all complaints submitted by consumers to Defendant regarding its information security practices or its practices relating to the collection or retention of consumer personal information, including from children;
D. All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and
E. A sample copy of every materially different form, page, or screen created, maintained, or otherwise provided by Defendant through which Defendant collects personal information, and a sample copy of each materially different document containing any representation regarding Defendant's collection, use, and disclosure practices pertaining to personal information of a child. Each web page copy shall be accompanied by the URL of the web page where the material was posted online. Electronic copies shall include all text and graphics files, audio scripts, and other computer files used in presenting information on the Internet. Provided, however, that Defendant shall not be required to retain any document for longer than two (2) years after the document was created, or to retain a print or electronic copy of any amended web page or screen to the extent that the amendment does not affect Defendant's compliance obligations under this Order.

COMPLIANCE MONITORING


28. IT IS FURTHER ORDERED that for the purpose of monitoring compliance with this Order:
A. Within 14 days of receipt of a written request from a representative of the Commission, Defendant must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce documents, for inspection and copying. The Commission is also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.
B. For matters concerning this Order, the Commission is authorized to communicate directly with Defendant. Defendant must permit representatives of the Commission to interview any employee or other person affiliated with any Defendant who has agreed to such an interview. The person interviewed may have counsel present.
C. The Commission may use all other lawful means, including posing, through its representatives, as consumers, suppliers, or other individuals or entities, to Defendant or any individual or entity affiliated with Defendant, without the necessity of identification or prior notice. Nothing in this Order limits the Commission's lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.

RETENTION OF JURISDICTION


29. IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for the purposes of construction, modification, and enforcement of this Order.

JUDGMENT IS THEREFORE ENTERED in favor of Plaintiff and against Defendant, pursuant to all the terms and conditions recited above.

______________________________

UNITED STATES DISTRICT JUDGE

The parties, by their counsel, hereby consent to the terms and conditions of the Order as set forth above and consent to the entry thereof.

FOR THE UNITED STATES OF AMERICA:

STUART F. DELERY

Acting Assistant Attorney General

Civil Division

U.S. Department of Justice

MAAME EWUSI-MENSAH FRIMPONG

Acting Deputy Assistant Attorney General

Civil Division

MICHAEL S. BLUME

Director

Consumer Protection Branch

KENNETH L. JOST

Deputy Director

Consumer Protection Branch

________________

ALAN PHELPS

Trial Attorney

Consumer Protection Branch

U.S. Department of Justice

FOR THE FEDERAL TRADE COMMISSION:

____________________

KATRINA ANE BLODGETT

Attorney

Federal Trade Commission

_________________

MAMIE KRESSES

Attorney

__________________

CHRISTOPHER OLSEN

Attorney

Federal Trade Commission

FOR THE DEFENDANT:

RockYou, Inc.

_____________

LISA MARINO

Chief Executive Officer

RockYou, Inc.

____________________

GARRET RASMUSSEN

Orrick, Herrington & Sutcliffe LLP

Attorney for Defendant RockYou, Inc.

Appendix A

PART 312—CHILDREN'S ONLINE PRIVACY PROTECTION RULE

Sec.

312.1 Scope of regulations in this part.

312.2 Definitions.

312.3 Regulation of unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.

312.4 Notice.

312.5 Parental consent.

312.6 Right of parent to review personal information provided by a child.

312.7 Prohibition against conditioning a child's participation on collection of personal information.

312.8 Confidentiality, security, and integrity of personal information collected from children.

312.9 Enforcement.

312.10 Safe harbors.

312.11 Rulemaking review.

312.12 Severability.

AUTHORITY: 15 U.S.C. 6501-6508.

SOURCE: 64 FR 59911, Nov. 3, 1999, unless otherwise noted.

§312.1 Scope of regulations in this part.

This part implements the Children's Online Privacy Protection Act of 1998, (15 U.S.C. 6501, et seq.,) which prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet. The effective date of this part is April 21, 2000.

§312.2 Definitions.

Child means an individual under the age of 13.

Collects or collection means the gathering of any personal information from a child by any means, including but not limited to:

(a) Requesting that children submit personal information online;
(b) Enabling children to make personal information publicly available through a chat room, message board, or other means, except where the operator deletes all individually identifiable information from postings by children before they are made public, and also deletes such information from the operator's records; or
(c) The passive tracking or use of any identifying code linked to an individual, such as a cookie.

Commission means the Federal Trade Commission.

Delete means to remove personal information such that it is not maintained in retrievable form and cannot be retrieved in the normal course of business.

Disclosure means, with respect to personal information:

(a) The release of personal information collected from a child in identifiable form by an operator for any purpose, except where an operator provides such information to a person who provides support for the internal operations of the website or online service and who does not disclose or use that information for any other purpose. For purposes of this definition:
(1) Release of personal information means the sharing, selling, renting, or any other means of providing personal information to any third party, and
(2) Support for the internal operations of the website or online service means those activities necessary to maintain the technical functioning of the website or online service, or to fulfill a request of a child as permitted by § 312.5(c)(2) and (3); or
(b) Making personal information collected from a child by an operator publicly available in identifiable form, by any means, including by a public posting through the Internet, or through a personal home page posted on a website or online service; a pen pal service; an electronic mail service; a message board; or a chat room.

Federal agency means an agency, as that term is defined in Section 551(1) of title 5, United States Code.

Internet means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire, radio, or other methods of transmission.

Online contact information means an e-mail address or any other substantially similar identifier that permits direct contact with a person online.

Operator means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce:

(a) Among the several States or with 1 or more foreign nations;
(b) In any territory of the United States or in the District of Columbia, or between any such territory and
(1) Another such territory, or
(2) Any State or foreign nation; or
(c) Between the District of Columbia and any State, territory, or foreign nation. This definition does not include any nonprofit entity that would otherwise be exempt from coverage under Section 5 of the Federal Trade Commission Act (15 U.S.C. 45).

Parent includes a legal guardian.

Person means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity.

Personal information means individually identifiable information about an individual collected online, including:

(a) A first and last name;
(b) A home or other physical address including street name and name of a city or town;
(c) An e-mail address or other online contact information, including but not limited to an instant messaging user identifier, or a screen name that reveals an individual's email address;
(d) A telephone number;
(e) A Social Security number;
(f) A persistent identifier, such as a customer number held in a cookie or a processor serial number, where such identifier is associated with individually identifiable information; or a combination of a last name or photograph of the individual with other information such that the combination permits physical or online contacting; or
(g) Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.

Third party means any person who is not:

(a) An operator with respect to the collection or maintenance of personal information on the website or online service; or
(b) A person who provides support for the internal operations of the website or online service and who does not use or disclose information protected under this part for any other purpose.

Obtaining verifiable consent means making any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, a parent of the child:

(a) Receives notice of the operator's personal information collection, use, and disclosure practices; and
(b) Authorizes any collection, use, and/or disclosure of the personal information.

Website or online service directed to children means a commercial website or online service, or portion thereof, that is targeted to children. Provided, however, that a commercial website or online service, or a portion thereof, shall not be deemed directed to children solely because it refers or links to a commercial website or online service directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link. In determining whether a commercial website or online service, or a portion thereof, is targeted to children, the Commission will consider its subject matter, visual or audio content, age of models, language or other characteristics of the website or online service, as well as whether advertising promoting or appearing on the website or online service is directed to children. The Commission will also consider competent and reliable empirical evidence regarding audience composition; evidence regarding the intended audience; and whether a site uses animated characters and/or child-oriented activities and incentives.

§312.3 Regulation of unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.

General requirements. It shall be unlawful for any operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting or maintaining personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under this part. Generally, under this part, an operator must:

(a) Provide notice on the website or online service of what information it collects from children, how it uses such information, and its disclosure practices for such information (§ 312.4(b));
(b) Obtain verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children (§ 312.5);
(c) Provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance (§312.6);
(d) Not condition a child's participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity (§312.7); and
(e) Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children (§312.8).

§ 312.4 Notice.

(a) General principles of notice. All notices under §§ 312.3(a) and 312.5 must be clearly and understandably written, be complete, and must contain no unrelated, confusing, or contradictory materials.

(b) Notice on the website or online service. Under § 312.3(a), an operator of a website or online service directed to children must post a link to a notice of its information practices with regard to children on the home page of its website or online service and at each area on the website or online service where personal information is collected from children. An operator of a general audience website or online service that has a separate children's area or site must post a link to a notice of its information practices with regard to children on the home page of the children's area.

(1) Placement of the notice. (i) The link to the notice must be clearly labeled as a notice of the website or online service's information practices with regard to children;
(ii) The link to the notice must be placed in a clear and prominent place and manner on the home page of the website or online service; and
(iii) The link to the notice must be placed in a clear and prominent place and manner at each area on the website or online service where children directly provide, or are asked to provide, personal information, and in close proximity to the requests for information in each such area.
(2) Content of the notice. To be complete, the notice of the website or online service's information practices must state the following:
(i) The name, address, telephone number, and e-mail address of all operators collecting or maintaining personal information from children through the website or online service. Provided that: the operators of a website or online service may list the name, address, phone number, and e-mail address of one operator who will respond to all inquiries from parents concerning the operators' privacy policies and use of children's information, as long as the names of all the operators collecting or maintaining personal information from children through the website or online service are also listed in the notice;
(ii) The types of personal information collected from children and whether the personal information is collected directly or passively;
(iii) How such personal information is or may be used by the operator(s), including but not limited to fulfillment of a requested transaction, recordkeeping, marketing back to the child, or making it publicly available through a chat room or by other means;
(iv) Whether personal information is disclosed to third parties, and if so, the types of business in which such third parties are engaged, and the general purposes for which such information is used; whether those third parties have agreed to maintain the confidentiality, security, and integrity of the personal information they obtain from the operator; and that the parent has the option to consent to the collection and use of their child's personal information without consenting to the disclosure of that information to third parties;
(v) That the operator is prohibited from conditioning a child's participation in an activity on the child's disclosing more personal information than is reasonably necessary to participate in such activity; and
(vi) That the parent can review and have deleted the child's personal information, and refuse to permit further collection or use of the child's information, and state the procedures for doing so.

(c) Notice to a parent. Under §312.6, an operator must make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives notice of the operator's practices with regard to the collection, use, and/or disclosure of the child's personal information, including notice of any material change in the collection, use, and/or disclosure practices to which the parent has previously consented.

(1) Content of the notice to the parent. (i) All notices must state the following:

(A) That the operator wishes to collect personal information from the child;
(B) The information set forth in paragraph (b) of this section.
(ii) In the case of a notice to obtain verifiable parental consent under §312.5(a), the notice must also state that the parent's consent is required for the collection, use, and/or disclosure of such information, and state the means by which the parent can provide verifiable consent to the collection of information.
(iii) In the case of a notice under the exception in §312.5(c)(3), the notice must also state the following:
(A) That the operator has collected the child's e-mail address or other online contact information to respond to the child's request for information and that the requested information will require more than one contact with the child;
(B) That the parent may refuse to permit further contact with the child and require the deletion of the information, and how the parent can do so; and
(C) That if the parent fails to respond to the notice, the operator may use the information for the purpose(s) stated in the notice.
(iv) In the case of a notice under the exception in §312.5(c)(4), the notice must also state the following:
(A) That the operator has collected the child's name and e-mail address or other online contact information to protect the safety of the child participating on the website or online service;
(B) That the parent may refuse to permit the use of the information and require the deletion of the information, and how the parent can do so; and
(C) That if the parent fails to respond to the notice, the operator may use the information for the purpose stated in the notice.

§312.5 Parental consent.

(a) General requirements. (1) An operator is required to obtain verifiable parental consent before any collection, use, and/or disclosure of personal information from children, including consent to any material change in the collection, use, and/or disclosure practices to which the parent has previously consented.

(2) An operator must give the parent the option to consent to the collection and use of the child's personal information without consenting to disclosure of his or her personal information to third parties.

(b) Mechanisms for verifiable parental consent. (1) An operator must make reasonable efforts to obtain verifiable parental consent, taking into consideration available technology. Any method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent.

(2) Methods to obtain verifiable parental consent that satisfy the requirements of this paragraph include: providing a consent form to be signed by the parent and returned to the operator by postal mail or facsimile; requiring a parent to use a credit card in connection with a transaction; having a parent call a toll-free telephone number staffed by trained personnel; using a digital certificate that uses public key technology; and using e-mail accompanied by a PIN or password obtained through one of the verification methods listed in this paragraph. Provided that: Until the Commission otherwise determines, methods to obtain verifiable parental consent for uses of information other than the "disclosures" defined by §312.2 may also include use of e-mail coupled with additional steps to provide assurances that the person providing the consent is the parent. Such additional steps include: sending a confirmatory e-mail to the parent following receipt of consent; or obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call. Operators who use such methods must provide notice that the parent can revoke any consent given in response to the earlier e-mail.

(c) Exceptions to prior parental consent. Verifiable parental consent is required prior to any collection, use and/or disclosure of personal information from a child except as set forth in this paragraph. The exceptions to prior parental consent are as follows:

(1) Where the operator collects the name or online contact information of a parent or child to be used for the sole purpose of obtaining parental consent or providing notice under §312.4. If the operator has not obtained parental consent after a reasonable time from the date of the information collection, the operator must delete such information from its records;
(2) Where the operator collects online contact information from a child for the sole purpose of responding directly on a one-time basis to a specific request from the child, and where such information is not used to recontact the child and is deleted by the operator from its records;
(3) Where the operator collects online contact information from a child to be used to respond directly more than once to a specific request from the child, and where such information is not used for any other purpose. In such cases, the operator must make reasonable efforts, taking into consideration available technology, to ensure that a parent receives notice and has the opportunity to request that the operator make no further use of the information, as described in §312.4(c), immediately after the initial response and before making any additional response to the child. Mechanisms to provide such notice include, but are not limited to, sending the notice by postal mail or sending the notice to the parent's e-mail address, but do not include asking a child to print a notice form or sending an e-mail to the child;
(4) Where the operator collects a child's name and online contact information to the extent reasonably necessary to protect the safety of a child participant on the website or online service, and the operator uses reasonable efforts to provide a parent notice as described in § 312.4(c), where such information is:
(i) Used for the sole purpose of protecting the child's safety;
(ii) Not used to recontact the child or for any other purpose;
(iii) Not disclosed on the website or online service; and
(5) Where the operator collects a child's name and online contact information and such information is not used for any other purpose, to the extent reasonably necessary:
(i) To protect the security or integrity of its website or online service;
(ii) To take precautions against liability;
(iii) To respond to judicial process; or
(iv) To the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety.

[64 FR 59911, Nov. 3, 1999, as amended at 67 FR 18821, Apr. 17, 2002; 70 FR 21106, Apr. 22, 2005]

§ 312.6 Right of parent to review personal information provided by a child.

(a) Upon request of a parent whose child has provided personal information to a website or online service, the operator of that website or online service is required to provide to that parent the following:

(1) A description of the specific types or categories of personal information collected from children by the operator, such as name, address, telephone number, e-mail address, hobbies, and extracurricular activities;
(2) The opportunity at any time to refuse to permit the operator's further use or future online collection of personal information from that child, and to direct the operator to delete the child's personal information; and
(3) Notwithstanding any other provision of law, a means of reviewing any personal information collected from the child. The means employed by the operator to carry out this provision must:
(i) Ensure that the requestor is a parent of that child, taking into account available technology; and
(ii) Not be unduly burdensome to the parent.

(b) Neither an operator nor the operator's agent shall be held liable under any Federal or State law for any disclosure made in good faith and following reasonable procedures in responding to a request for disclosure of personal information under this section.

(c) Subject to the limitations set forth in §312.7, an operator may terminate any service provided to a child whose parent has refused, under paragraph (a)(2) of this section, to permit the operator's further use or collection of personal information from his or her child or has directed the operator to delete the child's personal information.

§312.7 Prohibition against conditioning a child's participation on collection of personal information.

An operator is prohibited from conditioning a child's participation in a game, the offering of a prize, or another activity on the child's disclosing more personal information than is reasonably necessary to participate in such activity.

§312.8 Confidentiality, security, and integrity of personal information collected from children.

The operator must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

§312.9 Enforcement.

Subject to sections 6503 and 6505 of the Children's Online Privacy Protection Act of 1998, a violation of a regulation prescribed under section 6502(a) of this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

§312.10 Safe harbors.

(a) In general. An operator will be deemed to be in compliance with the requirements of this part if that operator complies with self-regulatory guidelines, issued by representatives of the marketing or online industries, or by other persons, that, after notice and comment, are approved by the Commission.

(b) Criteria for approval of self-regulatory guidelines. To be approved by the Commission, guidelines must include the following:

(1) A requirement that operators subject to the guidelines ("subject operators") implement substantially similar requirements that provide the same or greater protections for children as those contained in §§312.2 through 312.9;
(2) An effective, mandatory mechanism for the independent assessment of subject operators' compliance with the guidelines. This performance standard may be satisfied by:
(i) Periodic reviews of subject operators' information practices conducted on a random basis either by the industry group promulgating the guidelines or by an independent entity;
(ii) Periodic reviews of all subject operators' information practices, conducted either by the industry group promulgating the guidelines or by an independent entity;
(iii) Seeding of subject operators' databases, if accompanied by either paragraphs (b)(2)(i) or (b)(2)(ii) of this section; or
(iv) Any other equally effective independent assessment mechanism; and
(3) Effective incentives for subject operators' compliance with the guidelines. This performance standard may be satisfied by:
(i) Mandatory, public reporting of disciplinary action taken against subject operators by the industry group promulgating the guidelines;
(ii) Consumer redress;
(iii) Voluntary payments to the United States Treasury in connection with an industry-directed program for violators of the guidelines;
(iv) Referral to the Commission of operators who engage in a pattern or practice of violating the guidelines; or
(v) Any other equally effective incentive.
(4) The assessment mechanism required under paragraph (b)(2) of this section can be provided by an independent enforcement program, such as a seal program. In considering whether to initiate an investigation or to bring an enforcement action for violations of this part, and in considering appropriate remedies for such violations, the Commission will take into account whether an operator has been subject to self-regulatory guidelines approved under this section and whether the operator has taken remedial action pursuant to such guidelines, including but not limited to actions set forth in paragraphs (b)(3)(i) through (iii) of this section.

(c) Request for Commission approval of self-regulatory guidelines. (1) To obtain Commission approval of self-regulatory guidelines, industry groups or other persons must file a request for such approval. A request shall be accompanied by the following:

(i) A copy of the full text of the guidelines for which approval is sought and any accompanying commentary;
(ii) A comparison of each provision of §§312.3 through 312.8 with the corresponding provisions of the guidelines; and
(iii) A statement explaining:
(A) How the guidelines, including the applicable assessment mechanism, meet the requirements of this part; and
(B) How the assessment mechanism and compliance incentives required under paragraphs (b)(2) and (3) of this section provide effective enforcement of the requirements of this part.
(2) The Commission shall act upon a request under this section within 180 days of the filing of such request and shall set forth its conclusions in writing.
(3) Industry groups or other persons whose guidelines have been approved by the Commission must submit proposed changes in those guidelines for review and approval by the Commission in the manner required for initial approval of guidelines under paragraph (c)(1). The statement required under paragraph (c)(1)(iii) must describe how the proposed changes affect existing provisions of the guidelines.
(d) Records. Industry groups or other persons who seek safe harbor treatment by compliance with guidelines that have been approved under this part shall maintain for a period not less than three years and upon request make available to the Commission for inspection and copying:
(1) Consumer complaints alleging violations of the guidelines by subject operators;
(2) Records of disciplinary actions taken against subject operators; and
(3) Results of the independent assessments of subject operators' compliance required under paragraph (b)(2) of this section.

(e) Revocation of approval. The Commission reserves the right to revoke any approval granted under this section if at any time it determines that the approved self-regulatory guidelines and their implementation do not, in fact, meet the requirements of this part.

§312.11 Rulemaking review.

No later than April 21, 2005, the Commission shall initiate a rulemaking review proceeding to evaluate the implementation of this part, including the effect of the implementation of this part on practices relating to the collection and disclosure of information relating to children, children's ability to obtain access to information of their choice online, and on the availability of websites directed to children; and report to Congress on the results of this review.

§ 312.12 Severability.

The provisions of this part are separate and severable from one another. If any provision is stayed or determined to be invalid, it is the Commission's intention that the remaining provisions shall continue in effect.

PART 313—PRIVACY OF CONSUMER FINANCIAL INFORMATION

Sec.

313.1 Purpose and scope.

313.2 Model privacy form and examples.

313.3 Definitions.

Subpart A Privacy and Opt Out Notices

313.4 Initial privacy notice to consumers required.

313.5 Annual privacy notice to customers required.

313.6 Information to be included in privacy notices.

313.7 Form of opt out notice to consumers; opt out methods.

313.8 Revised privacy notices.

313.9 Delivering privacy and opt out notices.

Subpart B—Limits on Disclosures

313.10 Limitation on disclosure of nonpublic personal information to nonaffiliated third parties.

313.11 Limits on redisclosure and reuse of information.

313.12 Limits on sharing account number information for marketing purposes.

Subpart C—Exceptions

313.13 Exception to opt out requirements for service providers and joint marketing.

313.14 Exceptions to notice and opt out requirements for processing and servicing transactions.

313.15 Other exceptions to notice and opt out requirements.

Subpart D—Relation to Other Laws; Effective Date

313.16 Protection of Fair Credit Reporting Act.

313.17 Relation to State laws.

313.18 Effective date; transition rule.

APPENDIX A TO PART 313—MODEL PRIVACY FORM

APPENDIX B TO PART 313—SAMPLE CLAUSES

AUTHORITY: 15 U.S.C. 6801 et seq.

SOURCE: 65 FR 33677, May 24, 2000, unless otherwise noted.

§313.1 Purpose and scope.

(a) Purpose. This part governs the treatment of nonpublic personal information about consumers by the financial institutions listed in paragraph (b) of this section. This part:

(1) Requires a financial institution in specified circumstances to provide notice to customers about its privacy policies and practices;
(2) Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and
(3) Provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by "opting out" of that disclosure, subject to the exceptions in §§313.13, 313.14, and 313.15.

(b) Scope. This part applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family or household purposes from the

