A couple of days ago I posted some information about requiring Apple Computer to provide a filter for Internet content on their computing devices as a matter of law. After thinking about it, I decided to take a look at the ways we protect – or don’t protect – children from prurient Internet content. Here’s what I found, and it looks like we have a long way to go, the First Amendment notwithstanding.
APOLOGIES – this post is extremely long, but I have chosen to include the major text from everything I found (from at least one source each) in the interests of thoroughness.
COPA – Child Online protection Act
- The federal government was enjoined from enforcing COPA by a court order in 1998. In 1999, the United States Court of Appeals for the Third Circuit upheld the injunction and struck down the law, ruling that it was too broad in using “community standards” as part of the definition of harmful materials. In May 2002, the Supreme Court reviewed this ruling, found the given reason insufficient and returned the case to the Circuit Court; the law remained blocked. On March 6, 2003, the 3rd Circuit Court again struck down the law as unconstitutional, this time finding that it would hinder protected speech among adults. The government again sought review in the Supreme Court.
- On June 29, 2004, in Ashcroft v. American Civil Liberties Union (ACLU), the Supreme Court upheld the injunction on enforcement, ruling that the law was likely to be unconstitutional. Notably, the court mentioned that “filtering’s superiority to COPA is confirmed by the explicit findings of the Commission on Child Online Protection, which Congress created to evaluate the relative merits of different means of restricting minors’ ability to gain access to harmful materials on the internet.” The court also wrote that it was five years since the district court had considered the effectiveness of filtering software and that two less-restrictive laws had been passed since COPA, one prohibiting misleading domain names and another creating a child-safe .kids domain, and that given the rapid pace of internet development those might be sufficient to restrict access by minors to specific material. The court referred the case back to the district court for a trial, which began on October 25, 2006.
In preparation for that trial, the Department of Justice issued subpoenas to various search engines to obtain Web addresses and records of searches as one part of a study undertaken by a witness in support of the law. The search engines turned over the requested information, except for Google, which challenged the subpoenas. The court limited the subpoena to a sample of URLs in Google’s database, but declined to enforce the request for searches conducted by users; Google then complied.
On March 22, 2007, U.S. District Judge Lowell A. Reed, Jr. once again struck down the Child Online Protection Act, finding the law facially in violation of the First and Fifth Amendments of the United States Constitution. In addition to the plaintiffs ACLU et al., several witnesses testified in defense of first amendment rights on the Internet, including the director of the Erotic Authors Association, Marilyn Jaye Lewis. Reed issued an order permanently enjoining the government from enforcing COPA, commenting that “perhaps we do the minors of this country harm if First Amendment protections, which they will with age inherit fully, are chipped away in the name of their protection.” The government again appealed, and the case was heard before the Third Circuit.
On January 21, 2009, the United States Supreme Court refused to hear appeals of the lower court decision, effectively killing the law
CIPA – Children’s Internet Protection Act
Children’s Internet Protection Act
The Children’s Internet Protection Act (CIPA) was enacted by Congress in 2000 to address concerns about children’s access to obscene or harmful content over the Internet. CIPA imposes certain requirements on schools or libraries that receive discounts for Internet access or internal connections through the E-rate program – a program that makes certain communications services and products more affordable for eligible schools and libraries. In early 2001, the FCC issued rules implementing CIPA and provided updates to those rules in 2011.
What CIPA Requires
Schools and libraries subject to CIPA may not receive the discounts offered by the E-rate program unless they certify that they have an Internet safety policy that includes technology protection measures. The protection measures must block or filter Internet access to pictures that are: (a) obscene; (b) child pornography; or (c) harmful to minors (for computers that are accessed by minors). Before adopting this Internet safety policy, schools and libraries must provide reasonable notice and hold at least one public hearing or meeting to address the proposal.
Schools subject to CIPA have two additional certification requirements: 1) their Internet safety policies must include monitoring the online activities of minors; and 2) as required by the Protecting Children in the 21st Century Act, they must provide for educating minors about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms, and cyberbullying awareness and response.
Schools and libraries subject to CIPA are required to adopt and implement an Internet safety policy addressing:
(a) access by minors to inappropriate matter on the Internet;
(b) the safety and security of minors when using electronic mail, chat rooms and other forms of direct electronic communications;
(c) unauthorized access, including so-called “hacking,” and other unlawful activities by minors online;
(d) unauthorized disclosure, use, and dissemination of personal information regarding minors; and
(e) measures restricting minors’ access to materials harmful to them.
Schools and libraries must certify they are in compliance with CIPA before they can receive E-rate funding.
- CIPA does not apply to schools and libraries receiving discounts only for telecommunications service only;
- An authorized person may disable the blocking or filtering measure during use by an adult to enable access for bona fide research or other lawful purposes.
- CIPA does not require the tracking of Internet use by minors or adults.
You can find out more about CIPA or apply for E-rate funding by contacting the Universal Service Administrative Company’s (USAC) Schools and Libraries Division (SLD). SLD also operates a client service bureau to answer questions at 1-888-203-8100 or via email through the SLD website.
For More Information
For information about other communications issues, visit the FCC’s Consumer website, or contact the FCC’s Consumer Center by calling 1-888-CALL-FCC (1-888-225-5322) voice or 1-888-TELL-FCC (1-888-835-5322) TTY; faxing 1-866-418-0232; or writing to:
Federal Communications Commission
Consumer and Governmental Affairs Bureau
Consumer Inquiries and Complaints Division
445 12th Street, SW
Washington, D.C. 20554.
COPPA – Children’s Online Privacy Protection Act
How to comply with Children’s Online Privacy Protection Act
The Federal Trade Commission staff prepared this guide to help you comply with the new requirements for protecting children’s privacy online and understand the FTC’s enforcement authority.
Who Must Comply
If you operate a commercial Web site or an online service directed to children under 13 that collects personal information from children or if you operate a general audience Web site and have actual knowledge that you are collecting personal information from children, you must comply with the Children’s Online Privacy Protection Act.
To determine whether a Web site is directed to children, the FTC considers several factors, including the subject matter; visual or audio content; the age of models on the site; language; whether advertising on the Web site is directed to children; information regarding the age of the actual or intended audience; and whether a site uses animated characters or other child-oriented features.
To determine whether an entity is an “operator” with respect to information collected at a site, the FTC will consider who owns and controls the information; who pays for the collection and maintenance of the information; what the pre-existing contractual relationships are in connection with the information; and what role the Web site plays in collecting or maintaining the information.
The Children’s Online Privacy Protection Act and Rule apply to individually identifiable information about a child that is collected online, such as full name, home address, email address, telephone number or any other information that would allow someone to identify or contact the child. The Act and Rule also cover other types of information — for example, hobbies, interests and information collected through cookies or other types of tracking mechanisms — when they are tied to individually identifiable information.
An operator must post a link to a notice of its information practices on the home page of its Web site or online service and at each area where it collects personal information from children. An operator of a general audience site with a separate children’s area must post a link to its notice on the home page of the children’s area.
The link to the privacy notice must be clear and prominent. Operators may want to use a larger font size or a different color type on a contrasting background to make it stand out. A link in small print at the bottom of the page — or a link that is indistinguishable from other links on your site — is not considered clear and prominent.
The notice must be clearly written and understandable; it should not include any unrelated or confusing materials. It must state the following information:
The name and contact information (address, telephone number and email address) of all operators collecting or maintaining children’s personal information through the Web site or online service. If more than one operator is collecting information at the site, the site may select and provide contact information for only one operator who will respond to all inquiries from parents about the site’s privacy policies. Still, the names of all the operators must be listed in the notice.
The kinds of personal information collected from children (for example, name, address, email address, hobbies, etc.) and how the information is collected — directly from the child or passively, say, through cookies.
How the operator uses the personal information. For example, is it for marketing back to the child? Notifying contest winners? Allowing the child to make the information publicly available through a chat room?
Whether the operator discloses information collected from children to third parties. If so, the operator also must disclose the kinds of businesses in which the third parties are engaged; the general purposes for which the information is used; and whether the third parties have agreed to maintain the confidentiality and security of the information.
That the parent has the option to agree to the collection and use of the child’s information without consenting to the disclosure of the information to third parties.
That the operator may not require a child to disclose more information than is reasonably necessary to participate in an activity as a condition of participation.
That the parent can review the child’s personal information, ask to have it deleted and refuse to allow any further collection or use of the child’s information. The notice also must state the procedures for the parent to follow.
Direct Notice to Parents
The notice to parents must contain the same information included on the notice on the Web site. In addition, an operator must notify a parent that it wishes to collect personal information from the child; that the parent’s consent is required for the collection, use and disclosure of the information; and how the parent can provide consent. The notice to parents must be written clearly and understandably, and must not contain any unrelated or confusing information. An operator may use any one of a number of methods to notify a parent, including sending an email message to the parent or a notice by postal mail.
Verifiable Parental Consent
Before collecting, using or disclosing personal information from a child, an operator must obtain verifiable parental consent from the child’s parent. This means an operator must make reasonable efforts (taking into consideration available technology) to ensure that before personal information is collected from a child, a parent of the child receives notice of the operator’s information practices and consents to those practices.
Until April 2002, the FTC will use a sliding scale approach to parental consent in which the required method of consent will vary based on how the operator uses the child’s personal information. That is, if the operator uses the information for internal purposes, a less rigorous method of consent is required. If the operator discloses the information to others , the situation presents greater dangers to children, and a more reliable method of consent is required. The sliding scale approach will sunset in April 2002 subject to a Commission review planned for October 2001.
Operators may use email to get parental consent for all internal uses of personal information, such as marketing back to a child based on his or her preferences or communicating promotional updates about site content, as long as they take additional steps to increase the likelihood that the parent has, in fact, provided the consent. For example, operators might seek confirmation from a parent in a delayed confirmatory email, or confirm the parent’s consent by letter or phone call.
When operators want to disclose a child’s personal information to third parties or make it publicly available (for example, through a chat room or message board), the sliding scale requires them to use a more reliable method of consent, including:
getting a signed form from the parent via postal mail or facsimile;
accepting and verifying a credit card number in connection with a transaction;
taking calls from parents, through a toll-free telephone number staffed by trained personnel;
email accompanied by digital signature;
But in the case of a monitored chat room, if all individually identifiable information is stripped from postings before it is made public — and the information is deleted from the operator’s records — an operator does not have to get prior parental consent.
Disclosures to Third Parties
An operator must give a parent the option to agree to the collection and use of the child’s personal information without agreeing to the disclosure of the information to third parties. However, when a parent agrees to the collection and use of their child’s personal information, the operator may release that information to others who uses it solely to provide support for the internal operations of the website or service, including technical support and order fulfillment.
The regulations include several exceptions that allow operators to collect a child’s email address without getting the parent’s consent in advance. These exceptions cover many popular online activities for kids, including contests , online newsletters , homework help and electronic postcards .
Prior parental consent is not required when:
an operator collects a child’s or parent’s email address to provide notice and seek consent;
an operator collects an email address to respond to a one-time request from a child and then deletes it;
an operator collects an email address to respond more than once to a specific request — say, for a subscription to a newsletter. In this case, the operator must notify the parent that it is communicating regularly with the child and give the parent the opportunity to stop the communication before sending or delivering a second communication to a child;
an operator collects a child’s name or online contact information to protect the safety of a child who is participating on the site. In this case, the operator must notify the parent and give him or her the opportunity to prevent further use of the information;
an operator collects a child’s name or online contact information to protect the security or liability of the site or to respond to law enforcement, if necessary, and does not use it for any other purpose.
October 2001/April 2002
In October 2001, the Commission will seek public comment to determine whether technology has progressed and whether secure electronic methods for obtaining verifiable parental consent are widely available and affordable. Subject to the Commission’s review, the sliding scale will expire in April 2002. Until then, operators are encouraged to use the more reliable methods of consent for all uses of children’s personal information.
New Notice for Consent
An operator is required to send a new notice and request for consent to parents if there are material changes in the collection, use or disclosure practices to which the parent had previously agreed. Take the case of the operator who got parental consent for a child to participate in contests that require the child to submit limited personal information, but who now wants to offer the child chat rooms. Or, consider the case of the operator who wants to disclose the child’s information to third parties who are in materially different lines of business from those covered by the original consent — for example, marketers of diet pills rather than marketers of stuffed animals. In these cases, the Rule requires new notice and consent.
At a parent’s request, operators must disclose the general kinds of personal information they collect online from children (for example, name, address, telephone number, email address, hobbies), as well as the specific information collected from children who visit their sites. Operators must use reasonable procedures to ensure they are dealing with the child’s parent before they provide access to the child’s specific information.
They can use a variety of methods to verify the parent’s identity, including:
obtaining a signed form from the parent via postal mail or facsimile;
accepting and verifying a credit card number;
taking calls from parents on a toll-free telephone number staffed by trained personnel;
email accompanied by digital signature;
email accompanied by a PIN or password obtained through one of the verification methods above.
Operators who follow one of these procedures acting in good faith to a request for parental access are protected from liability under federal and state law for inadvertent disclosures of a child’s information to someone who purports to be a parent.
Revoking & Deleting
At any time, a parent may revoke his/her consent, refuse to allow an operator to further use or collect their child’s personal information, and direct the operator to delete the information. In turn, the operator may terminate any service provided to the child, but only if the information at issue is reasonably necessary for the child’s participation in that activity. For example, an operator may require children to provide their email addresses to participate in a chat room so the operator can contact a youngster if he is misbehaving in the chat room. If, after giving consent, a parent asks the operator to delete the child’s information, the operator may refuse to allow the child to participate in the chat room in the future. If other activities on the Web site do not require the child’s email address, the operator must allow the child access to those activities.
The Rule covers all personal information collected after April 21, 2000, regardless of any prior relationship an operator has had with a child. For example, if an operator collects the name and email address of a child before April 21, 2000, but plans to seek information about the child’s street address after that date, the later collection would trigger the Rule’s requirements. In addition, come April 21, 2000, if an operator continues to offer activities that involve the ongoing collection of information from children — like a chat room — or begins to offer such activities for the first time, notice and consent are required for all participating children regardless of whether the children had already registered at the site.
Industry groups or others can create self-regulatory programs to govern participants’ compliance with the Children’s Online Privacy Protection Rule . These guidelines must include independent monitoring and disciplinary procedures and must be submitted to the Commission for approval. The Commission will publish the guidelines and seek public comment in considering whether to approve the guidelines. An operator’s compliance with Commission-approved self-regulatory guidelines will generally serve as a Asafe harbor” in any enforcement action for violations of the Rule.
The Commission may bring enforcement actions and impose civil penalties for violations of the Rule in the same manner as for other Rules under the FTC Act. The Commission also retains authority under Section 5 of the FTC Act to examine information practices for deception and unfairness, including those in use before the Rule’s effective date. In interpreting Section 5 of the FTC Act, the Commission has determined that a representation, omission or practice is deceptive if it is likely to:
mislead consumers; and
affect consumers’ behavior or decisions about the product or service.
Specifically, it is a deceptive practice under Section 5 to represent that a Web site is collecting personal identifying information from a child for one reason (say, to earn points to redeem a premium) when the information will be used for another reason that a parent would find material — and when the Web site does not disclose the other reason clearly or prominently.
In addition, an act or practice is unfair if the injury it causes, or is likely to cause, is:
not outweighed by other benefits; and
not reasonably avoidable.
For example, it is likely to be an unfair practice in violation of Section 5 to collect personal identifying information from a child, such as email address, home address or phone number, and disclose that information to a third party without giving parents adequate notice and a chance to control the collection and use of the information.
CDA – Communications Decency Act
The Communications Decency Act of 1996 (CDA) was the first notable attempt by the United States Congress to regulate pornographic material on the Internet. In 1997, in the landmark cyberlaw case of Reno v. ACLU, the United States Supreme Court struck the anti-indecency provisions of the Act.
The Act was Title V of the Telecommunications Act of 1996. It was introduced to the Senate Committee of Commerce, Science, and Transportation by Senators James Exon (D-NE) and Slade Gorton (R-WA) in 1995. The amendment that became the CDA was added to the Telecommunications Act in the Senate by an 84–16 vote on June 14, 1995.
As eventually passed by Congress, Title V affected the Internet (and online communications) in two significant ways. First, it attempted to regulate both indecency (when available to children) and obscenity in cyberspace. Second, Section 230 of the Act has been interpreted to say that operators of Internet services are not to be construed as publishers (and thus not legally liable for the words of third parties who use their services).
Anti-indecency and anti-obscenity provisions
The most controversial portions of the Act were those relating to indecency on the Internet. The relevant sections of the Act were introduced in response to fears that Internet pornography was on the rise. Indecency in TV and radio broadcasting had already been regulated by the Federal Communications Commission—broadcasting of offensive speech was restricted to certain hours of the day, when minors were supposedly least likely to be exposed. Violators could be fined and potentially lose their licenses. The Internet, however, had only recently been opened to commercial interests by the 1992 amendment to the National Science Foundation Act and thus had not been taken into consideration by previous laws. The CDA, which affected the Internet and cable television, marked the first attempt to expand regulation to these new media.
Passed by Congress on February 1, 1996, and signed by President Bill Clinton on February 8, 1996, the CDA imposed criminal sanctions on anyone who
- knowingly (A) uses an interactive computer service to send to a specific person or persons under 18 years of age, or (B) uses any interactive computer service to display in a manner available to a person under 18 years of age, any comment, request, suggestion, proposal, image, or other communication that, in context, depicts or describes, in terms patently offensive as measured by contemporary community standards, sexual or excretory activities or organs.
It further criminalized the transmission of materials that were “obscene or indecent” to persons known to be under 18.
Free speech advocates, however, worked diligently and successfully to overturn the portion relating to indecent, but not obscene, speech. They argued that speech protected under the First Amendment, such as printed novels or the use of the seven dirty words, would suddenly become unlawful when posted to the Internet. Critics also claimed the bill would have a chilling effect on the availability of medical information. Online civil liberties organizations arranged protests against the bill, for example the Black World Wide Web protest which encouraged webmasters to make their sites’ backgrounds black for 48 hours after its passage, and the Electronic Frontier Foundation‘s Blue Ribbon Online Free Speech Campaign.