Entertainment Software Rating Board

Privacy Seal Requirements

ESRB Privacy Online Seal Requirements apply to websites directed to users 13 and over. If any part of your website is directed to children under 13 (12 years and younger), or you have actual knowledge that you are collecting personal information from children under 13, you must follow our Kids Privacy Online Seal Requirements.

 

I.  PRIVACY STATEMENT REQUIREMENTS

This section covers the information you must include in your privacy statement. Publish on your website a plain-English privacy statement that tells users clearly and concisely how you collect, use, and disclose their personal information. Your Privacy Statement should be easy to read with no animated graphics, advertisements, or any distracting marketing materials. It should have no unrelated, contradictory, or confusing information. Your Privacy Statement must include:

 

1. What you collect. Specify the types of personal information you collect. Examples of personal information include:

  • User's full name
  • Email address (including instant messaging user identifier or screen name revealing a user's email address)
  • Home address
  • Phone or fax number
  • Credit card number
  • Social security number
  • Driver's license number
  • Demographic information that is combined with personal information (e.g., gender, education, political affiliation, etc.)
  • Persistent identifier like a customer number held in a cookie or a processor serial number, where such identifier is associated with individually identifiable information
  • Last name or photograph of the user combined with other information that permits physical or online contact

 

2. How you collect it. List the types of personal information you collect and describe your method for collecting personal information. By collection, we mean obtaining personal information from a user by any means, whether direct or indirect. Common examples of collecting are:

  • Directly requesting the information from the user online
  • Enabling a user to make personal information publicly available to other users through postings in chat rooms, on message boards, or other means involving publishing or making available personal information to other users or third parties
  • Passive, non-obvious methods such as cookies or web beacons

 

3. Uses for personal information.

  • State what you — and your vendors, sponsors, or third party companies — do with personal information collected such as website registration, customer support, product fulfillment, giveaways, contests, email-a-friend, or other promotions

 

4. Protections and security for personal information.

  • Describe how you protect personal information
  • Describe how you give users access to review, correct, or delete their personal information

 

5. Sharing, renting, or selling personal information to third parties. State whether you give, rent, or sell personal information to third parties. If third parties are involved, state:

  • What types of business those third parties are engaged in
  • What they do with the personal information
  • Whether they have agreed to protect the confidentiality, security, and integrity of personal information

 

6. Choice.

  • Tell users about the choices available to them regarding how their personal information is collected and used

 

7. Contact information. Your Privacy Statement must inform users about:

  • The email address where users can file privacy complaints
  • Your company's phone number and postal address
  • ESRB's email and postal address

 

8. Clear privacy statements. Your Privacy Statement must be clear and understandably written, with no unrelated, confusing, or contradictory information.

  • Don't include any animated graphics, advertising, or distracting marketing information
  • Post the "last modified" date of your Privacy Statement

 

II.   ESRB SEAL POSTING REQUIREMENTS

Once we certify that your website complies with our requirements, you must prominently post the appropriate version of the ESRB Privacy Online seal confirming that the ESRB has officially certified your website. You may not alter (or allow others to alter) the ESRB seal. ESRB's seal assures users that a privacy statement on your website accurately describes how you collect and use personal information, and that you submit to ongoing monitoring and enforcement of your privacy practices.

 

1. If your website is directed toward a general audience (i.e., not directed toward children under 13):

 

  • Post prominently the "Click to Privacy Statement" seal on the home page of each of your ESRB certified websites
  • Post prominently the "Click to Privacy Statement" seal at each information-entry point on your website
  • Link each "Click to Privacy Statement" seal to your privacy statement
  • Post the ESRB "Click to Privacy Statement" seal on your privacy statement, and link it to a specific page on our website for users to know you're a certified member in good standing

 

2. If any part of your website is directed toward children under 13, post our "Children's Click-to-Privacy Statement" seal on the home page of the children's area and at each information-entry point.

 

3. To tell if your website is directed toward children under 13, pay close attention to the following considerations:

  • Subject matter
  • Visual or audio content
  • Age of models
  • Language or other characteristics of the website
  • Advertising promoting or appearing on the website is directed to children
  • Competent and reliable empirical evidence regarding audience composition
  • Evidence regarding intended audience
  • Whether the website uses animated characters and/or child-oriented activities and incentives

 

The final determination of whether a website is directed to children will be based on the overall character of the website. The presence or absence of one or more factors is not determinative; all of the factors will be taken into account. If yours is a general audience website with some areas directed toward children, follow the general audience directions for the website. However, in the areas that are directed toward children, follow our Kids Privacy Online Seal Requirements.

 

III.  CONSUMER PROTECTION REQUIREMENTS

This section identifies the internal practices you must have to protect the privacy of users 13 and over. (If any part of your website is directed toward children under 13, or you have actual knowledge that you are collecting personal information from children under 13, you must follow our Kids Privacy Online Seal Requirements.) Give users the choice to exercise reasonable control over the collection, use, and disclosure of their personal information, and provide them with effective ways to exercise their choice. Additionally, limit the collection and retention of personal information to only those items necessary for valid business reasons, and obtained by lawful and fair means.

 

1. Limiting information collection

  • Collect only the personal information required for a valid business reason
  • Periodically evaluate whether a valid business reason continues to exist to collect or retain personal information. If a valid business reason ceases to exist, limit your collection and retention practices accordingly.

 

2. Choice. Give users the choice to exercise reasonable control over the collection, use, and disclosure of their personal information, and provide them with effective means to exercise their choice. Keep in mind, some laws may require you to retain certain information about your customers. At a minimum, you must provide users with the choices to:

  • Opt out of the sharing of their personal information with third parties
  • Opt out of the use of their personal information for purposes incompatible with the original conditions under which it was gathered

 

3. Access. Give users reasonable access to the personal information you have collected about them by providing a timely, inexpensive way for them to:

  • Review the personal information collected about them online
  • Contest or correct inaccurate personal information
  • Prevent further use and collection of their personal information
  • Require deletion of their personal information
  • Reasonably ensure, in light of the available technology, that the person requesting access to the personal information is the person to whom the information belongs

 

IV.   SECURITY REQUIREMENTS

This section identifies the reasonable security measures and procedures you must have in place, taking into account available technology, to protect the confidentiality, security, and integrity of personal information collected from users.

 

1. Restricting access to information. Take reasonable steps to protect personal information from unauthorized access, use, or disclosure. Some examples of reasonable precautions to protect personal information include:

  • Limiting access to only those employees performing a legitimate business function
  • Taking technical security measures, such as encryption or passwords, to prevent unauthorized access
  • Storing personal information on secure servers

 

2. Ensuring information is reliable. Personal information is reliable if it is accurate, complete, and up to date. Some examples of reasonable measures include:

  • Giving users access to their personal information to verify and correct it
  • Using only reputable sources for cross-referencing information
  • Destroying personal information promptly after user request or converting it to an anonymous form

 

3. Checking up on third parties. Take reasonable steps to ensure that third parties to whom you transfer personal information know about your security practices, and that the third parties also take reasonable precautions to protect transferred personal information. "Third parties" refers to any person who is neither the collector of personal information nor vendors or others who provide support for the internal operations of a website. Additionally, require third parties that buy or rent personal information from you to provide their name, address, tax identification number, telephone number, and samples of material to be distributed.

 

V.   ESRB OVERSIGHT REQUIREMENTS

This section describes our own internal procedures to ensure that you follow our seal requirements. If you fail to comply with any requirement, we have the authority to expel you from our privacy seal program, impose fines, and contact regulators. Our goal is to ensure that the privacy practices of our members agree with existing privacy protection laws, and that consumers are informed and protected when using the Internet.

 

1. Onsite audit. If you are seeking initial certification, complete a self-assessment questionnaire and submit to an initial onsite audit by the ESRB before certification. Each audit is conducted by a staff attorney who is trained in privacy law. Through these onsite audits, ESRB determines whether your Privacy Statement accurately represents your online information practices. They also give us the opportunity to ensure that your information practices meet all our requirements.

 

2. Monitoring. You must submit to quarterly reviews of your practices. The goal is to provide effective ongoing enforcement and assure you and your users that a reliable safeguard exists to verify that your privacy policy implementation is effective.

 

ESRB monitoring of your website is unannounced and conducted by specially trained personnel who review it, page by page, to see that:

  • A working link to your privacy statement appears on the homepage and at each information-entry point
  • Except for websites directed to children, places to enter personal information include a field for date of birth to prevent accidental collection of personal information from children before obtaining prior verifiable parental consent
  • You follow all aspects of ESRB Privacy Online Seal Requirements

 

If your information practices may have violated our requirements, we will start an inquiry and notify you. Depending on the inquiry's results, ESRB may take further action.

 

3. Violations. If ESRB determines that a violation of the Requirements occurred, we will notify you in writing of the specific violations, the corrective actions you must take, and the consequences of inaction.

 

Failure to make corrections may result in a number of penalties, including fines paid to ESRB, payments to the United States Treasury, removal of the ESRB Privacy Online seal, and referral to the Federal Trade Commission (see Outside Referral, below).

 

We base penalties on the type of violations and whether such violations were inadvertent, intentional, or willful. In addition, we may assess penalties for a pattern of non-compliance.

 

4. Spot checks. Submit to randomly scheduled, unannounced audits of your privacy practices, known as "spot checks." These spot checks involve the seeding of your database by ESRB, which submits fictitious user data at each information-entry point. The website's response is then tracked and recorded to determine whether your information collection and use practices follow your Privacy Statement.

 

5. Consumer Online Hotline. We respond to all user concerns and complaints submitted by any method. A quick and easy method is to contact us via our Consumer Online Hotline form.

 

6. Outside referral. If you fail to respond appropriately to a valid complaint or an ESRB Privacy Online mandate, or in any way engage in a pattern of violating ESRB Privacy Online Seal Requirements, we may refer the issue to the Federal Trade Commission for engaging in unfair and deceptive trade practices.

 

7. Program assistance, not legal advice. ESRB Privacy Online is an independent privacy seal provider, committed to making the Internet a secure, reliable, and private place to share information and conduct business. Although our staff consists of talented legal professionals, we aren't a source of legal advice. Whenever we answer a privacy-related question from one of our members, our response is limited to the scope of our program, and should not be construed as legal advice. Additionally, although we will treat any information you provide to us as confidential, your information isn't protected by the attorney-client privilege. This means that we may be required to disclose information to regulators, by court order, or as requested by law enforcement authorities. If you need specific legal advice about your company's situation, consult an attorney-at-law licensed in your jurisdiction.

 

VI.  ORGANIZATIONAL REQUIREMENTS

This section describes the requirements of your company's organization and procedures. In particular, you must designate a site coordinator and a user grievance coordinator. Although these are technically two separate functions, one person may hold both positions. The goal is to create an effective and affordable mechanism for ensuring compliance with your own privacy policies, and an appropriate means of recourse for users.

 

1. Positions

A. Site Coordinator. Designate a Site Coordinator to serve as the primary liaison between your company and ESRB. Make sure you notify ESRB of any personnel changes and new contact information. The site coordinator's main responsibilities are to:

  • Obtain ESRB approval before making material changes to your privacy policies or practices. A material change in how you collect, use, or disclose personal information can occur when, for example, you obtain consent from a user to collect limited personal information to participate in one activity online but subsequently also wish to offer the user access to another activity such as chat rooms
  • Obtain ESRB approval whenever you add a personal information entry page
  • Obtain ESRB approval of any websites directed to children under 13
  • Implement promptly any changes to ESRB Privacy Online Seal Requirements
  • Implement promptly any changes required as a result of ESRB's monitoring
  • Update ESRB when you add a top-level domain
  • Complete ESRB's annual self-assessment questionnaire

B. User Grievance Coordinator. Designate a User Grievance Coordinator. Keep this information current with ESRB. The User Grievance Coordinator's main responsibilities are to:

  • Serve as the initial point of contact for all user privacy complaints
  • Coordinate complaint tracking and reporting with ESRB Privacy Online
  • Investigate complaints
  • If possible, resolve privacy questions and complaints within 30 days

 

2. Procedures

A. Complaint Mechanism. Implement procedures to receive and resolve privacy inquiries and complaints.

  • Post an email address and telephone number on your privacy statement to receive privacy inquiries and complaints
  • Tell ESRB when you receive a privacy complaint
  • Have the User Grievance Coordinator investigate the complaint
  • Detail the results of the investigation in a written response to the complainant
  • Consult with ESRB to decide how to remedy a violation, including:
    • Making corrections
    • Stopping collection of personal information
    • Deleting information collected improperly
    • Compensating the complainant
  • If your internal mechanisms don't address a user grievance effectively, refer the user to ESRB Privacy Online's Alternative Dispute Resolution Officer. Fully participate in any inquiry or investigation by ESRB and agree to accept its judgment as final
  • Notify ESRB once you resolve a complaint

 

B. Compliance Mechanism. Implement effective procedures to ensure compliance with your company's privacy policy.

  • Be prepared to verify that the assertions you make about your privacy practices are true, and that your privacy practices have been implemented as you represented
  • Train staff who collect personal information from or about users to follow your stated privacy policies and practices
  • Create a system of incentives or sanctions to encourage adherence to your privacy policies

 

3. Alternative Dispute Resolution

  • Implement an internal dispute resolution program designed to fairly and expeditiously resolve privacy-related complaints raised by users or ESRB. Additionally, you must submit to ESRB's Alternative Dispute Resolution services when user grievances are not effectively addressed through your company's own internal mechanisms. Fully participate in any inquiry or investigation by ESRB and agree to accept its judgment as final.

 

4. Self Assessment Questionnaire

  • Complete ESRB's "Self Assessment Questionnaire" describing your privacy practices annually at each 12-month anniversary. You must complete this questionnaire diligently and in good faith, and sign and attest that all the statements made are true and accurate as of the date submitted.

 

5. License Agreement

Execute and agree to be bound by the ESRB Privacy Online License Agreement. As part of this Agreement, and as a material obligation, you agree to comply with all aspects of the ESRB Privacy Online Program. Failure to comply with any aspect of our Program could be interpreted by ESRB as a material breach of the Agreement and result in legal action.