The Federal Trade Commission has quietly changed its position on the level of parental consent required under the Children’s Online Privacy Protection Act (“COPPA”) for e-cards sent from a website directed to children.

Under COPPA, websites directed to children under 13 are required to obtain parental consent prior to the collection of personal information – including an email address or a first and last name – from children under 13. There are certain exceptions to this requirement, including the so-called “one-time use” exception, which permits websites directed to children to collect an email address to respond once to a child’s specific request, provided that the website deletes that email address after doing so. The FTC had taken the position that an e-card – which typically permits a child to send a message to a friend’s email account – fell under this exception. Thus, no parental consent was required.

At the end of last year, however, the FTC amended its “Frequently Asked Questions about the Children’s Online Privacy Protection Rule,” available at, and specifically noted in response to the FAQ concerning e-cards (FAQ 44) that “where an operator’s e-card or forward-to-a-friend system discloses the sender’s email address or first and last name in the message, the operator must obtain verifiable parental consent before such collection and disclosure.” Accordingly, operators of websites directed to children must now comply with COPPA’s verifiable parental consent provisions before permitting children under 13 to send e-cards that disclose their email addresses or full names.