FTC Finalizes Amendments to COPPA Rule
March 14, 2013
By Craig Foster
Do you run a website designed for kids? Or do you run a website designed for a general audience that you know collects information from children under the age of 13? Either way, you are likely aware that you must comply with the requirements of the Children's Online Privacy Protection Act (COPPA) and the Children's Online Privacy Protection Rule (the Rule), issued pursuant to COPPA.
What you may not know is that late last year, the Federal Trade Commission (FTC) amended the Rule to clarify the Rule's scope and strengthen its protections for children's personal information, in light of changes in online technology that have occurred since the Rule originally went into effect back in 2000. The amendments, which go into effect July 1, 2013, broaden and clarify the obligations COPPA imposes on companies to give parents greater control over the personal information that websites and online services may collect from children under 13.
Key provisions of the amendments (a) modify certain key COPPA definitions, (b) revise the Rule's parental notice provisions, (c) provide new ways of obtaining parental consent, (d) amend the confidentiality and security requirements, and (e) strengthen the FTC's oversight of certain safe harbor programs.
Overview of COPPA and the Rule
COPPA and the Rule seek to give parents control over what information is collected from their young children online. The Rule applies to (a) operators of commercial websites and online services directed to children under 13 that collect, use or disclose personal information from children, and (b) operators of general audience websites or online services with actual knowledge that they are collecting, using or disclosing personal information from children under 13.
Operators covered by the Rule must:
provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children.
give parents the choice of consenting to the operator's collection and internal use of a child's information, but prohibiting the operator from disclosing that information to third parties.
provide parents access to their child's personal information to review and/or have the information deleted.
give parents the opportunity to prevent further use or online collection of a child's personal information.
maintain the confidentiality, security, and integrity of information they collect from children.
Amendments to COPPA Definitions
The amendments to the Rule modify certain definitions to clarify that:
the Rule applies to operators of child-directed websites or services, but not platforms, such as Google Play or the App Store, when those platforms merely offer access to someone else's child-directed websites or services.
the Rule covers a plug-in or ad network when it has actual knowledge that it is collecting personal information through a child-directed website or service.
websites and services that target children only as a secondary audience may differentiate among users (i.e., conduct age screening) and will be required to provide notice and obtain parental consent only for those users who identify themselves as being younger than 13.
"personal information" now includes geolocation information, photos, videos and audio files that contain a child's image or voice.
"personal information" now also includes persistent identifiers (e.g., cookies) that can be used to recognize a user over time and across different websites or online services, except that the parental notice and consent requirements will not apply if the identifier is used only to support the internal operations of the website or service.
an operator may allow children to participate in interactive communities without parental consent, as long as the operator takes reasonable measures to delete all or virtually all of children's personal information before the children's online postings are made public.
The amended Rule requires that the notice to parents be more concise and display key information more prominently. The amended Rule also attempts to streamline the disclosures of operators' online privacy policies with regard to the operators' information practices.
The amendments to the Rule add several new methods that operators may use to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, use of government-issued identification and alternative payment systems, such as debit cards and electronic payment systems (provided they meet certain criteria). In addition, the amended Rule established a voluntary 120-day notice and comment process for businesses to get FTC approval for other methods of obtaining consent.
Confidentiality and Security; Retention
The Rule, as amended, requires operators to take reasonable steps to ensure that children's personal information is released only to service providers and third parties who (a) are capable of maintaining the confidentiality, security and integrity of such information and (b) assure that they will do so. Operators must now also retain children's personal information for only as long as is reasonably necessary and protect against unauthorized access when that information is disposed of.
COPPA established a "safe harbor" for participants in FTC-approved COPPA self-regulatory programs. The amended Rule adds several provisions intended to strengthen the FTC's oversight of these self-regulatory safe harbor programs, such as by requiring the program participants to submit periodic reports to the FTC.
Please note that this Client Alert is intended only to summarize COPPA and Rule requirements and significant amendments to the Rule. For more details concerning amendments to the Rule or questions about complying with COPPA in general, please contact any member of our Information Privacy & Security