Privacy and Youth Protection

The Internet is perceived as a threat by some individuals, and they are vehemently opposed to having their images or personal information available to others. This perception is not unjustifiable, as demonstrated by periodic media coverage of predators who exploit the Internet to select, locate, and contact their victims.

Collecting Personal Information

Councils are urged to be discreet when collecting personal information via their Web sites. Privacy is a delicate issue on the Internet, and many people are reluctant to use sites or interfaces that require them to provide personal information such as their name, address, telephone number, e-mail address, etc. We recommend that councils avoid using the Internet to gather this information about users unless it is necessary to accomplish the user's goals. For example, you would have to request a telephone number and contact name from an organization that wishes to be contacted about starting a unit, but it should not be necessary that they provide this information merely in order to read information about starting a unit.

It is especially important to treat contact information carefully: contact information should be used only for the purpose for which it was provided. It is unethical and in some cases illegal to use this data for any solicitation or communication outside the context in which it was provided. The issue is particularly serious regarding contact information for children under 13.

FTC Guidelines

The Federal Trade Commission recommends that charities and companies that collect personal information from online visitors use the following set of four standards—known as "fair information practices"—in creating privacy policies to post on their Web sites:

  1. Notification.
  2. Visitors to the Web site should be notified as to what personal information is being gathered, how that information is used by the organization, and with what third parties, if any, the organization will share it.
  3. Choice.
  4. Visitors should be provided with a means by which to contact the organization or take other actions to ensure that their personal information is not shared, if they so choose.
  5. Security.
  6. Users of the site should be notified of the means by which the organization protects personal information, including protection from any misuse, alteration, or access by unauthorized users. Organizations should strive to ensure that the same level of privacy protection is extended by any third parties with whom they share individuals' personal information.
  7. Access.
  8. Web site users should have reasonable access to any personal information about themselves that the organization holds, as well as a means of correcting or amending the information if it is inaccurate

Children's Online Privacy Protection Act

While the Children's Online Privacy Protection Act (COPPA) applies to commercial Web sites, it provides sound guidance for any Web site that is intended for use by children under 13. Therefore, if your Web site collects any personally identifiable information from or about children, you should review and consider complying with this legislation. The full text of COPPA can be found online at http://www.ftc.gov/ogc/coppa1.htm. Information on how to comply with the act is available at the FTC's "Kidz Privacy" Web site at http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm.

Providing Personal Information

Regarding e-mail specifically, there remains the potential for a flood of correspondence to overwhelm the council staff if e-mail addresses are published on the Web site. The presence of e-mail addresses on a majority of council sites would seem to suggest that this potential has not become an actual problem, but a council should be prepared to react, possibly by removing contact from its site or even shutting down the mailbox, if problems do occur.

Contact information should only be published for a reason—specifically, whether there is a valid need for the members and/or the public to speak directly with a given individual because of that person's role in the organization. The council's policy should address these three groups separately, for these reasons:

Youth Participants and Parents

Contact information for youth participants should never be provided on the Internet. If the council wishes to maintain contact information for youth participants, it is strongly recommended that these lists are kept entirely off-line.

Concerning e-mail addresses in particular, councils should be aware that there are computer programs that crawl the Internet compiling lists of e-mail addresses that appear on Web pages. These lists are often sold to e-mail marketers who regularly send unsolicited advertisements, primarily for pornography and pyramid schemes. It is recommended that councils that wish to provide e-mail contact information utilize techniques to prevent or minimize this unfortunate side effect (such as "escaping" characters or using CGI scripts that maintain the actual addresses in a safe location).

Adult Volunteers

Contact information for adult volunteers should be treated with caution, as it is likely this information will be personal in nature (home addresses, residential telephone numbers, and private e-mail accounts). If this information is made available on the Web site, it would be preferable to provide it in a password-protected area of the Web site to which the general public has no access. Exceptions may be made for those volunteers whom it would be necessary for third parties to contact in order to obtain information about joining, starting, or supporting individual units.

It is strongly recommended that this information be published only after obtaining written authorization, and that these individuals should know that they can (and how to) request the prompt removal of their information at any time.

Council Employees

If a third-party exploits information such as individual telephone numbers and e-mail addresses to harass or threaten employees, this could result in legal action being taken against the council. For that reason, it is recommended that the council provide only its main telephone number and generic e-mail addresses ("webmaster@council.org", "info@council.org", "contact@council.org", etc.) on its Web site.

Personal contact information—home telephone numbers, addresses, and private e-mail accounts—for council employees should be treated with the same discretion as that of adult volunteers.

Photographs and Names

A council should obtain permission before publishing any photographs on the Internet except those taken by council employees.

Because some states have privacy laws that could be implicated if a child's photograph is published on the Internet without his parents' permission, ownership of the image alone does not carry with it the right to publish it. Therefore, the council should obtain permission from any person who is the subject of a photograph before displaying their image or likeness on the Internet.

When using photographs of members, especially youth, it is also important to consider their safety and privacy when choosing captions or ancillary text. Some councils have established policies that no names will be associated with photographs at all, whereas others have a "first name only" policy for youth under a certain age, but allow the full names of adult leaders and older Scouts to be published.