For many years, under the authority of the Children’s Online Privacy Protection Act (COPPA), the Federal Trade Commission has imposed special regulations on websites and online services that are either directed to children under 13 or whose owners or operators have actual knowledge that they are collecting personal information from children under age 13. On December 19, 2012, the FTC announced final, major changes to the COPPA Rule in response to advances in technology and internet use that have occurred since the COPPA Rule was first enacted.
According to the FTC’s news release, and the accompanying Federal Register notice, the FTC’s final regulation makes the following changes to the COPPA rule:
-
Updates definitions as follows:
-
The meaning of the term “operator” now makes clear that the COPPA Rule covers a child-directed site or service that integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors. This updated definition of “operator” does not extend liability to platforms, such as Google Play or the App Store, when those platforms merely offer the public access to child-directed apps.
-
The definition of a website or online service “directed to children” now includes plug-ins or ad networks whose operators have actual knowledge that they are collecting personal information through a child-directed website or online service. Additionally, sites and services that target children only as a secondary audience, or to a lesser degree, may differentiate among users, and will be required to provide notice and obtain parental consent only for those users who identify themselves as being younger than 13.
-
The term “collection” of personal information now permits operators to allow children to participate in interactive communities without parental consent, so long as the operators take reasonable measures to delete all or virtually all of the children’s personal information before it is made public.
-
Modifies the list of children’s “personal information” that cannot be collected without parental notice and consent, updating this category to include geo-location information, photographs, and videos.
-
Offers companies a voluntary, streamlined, and transparent approval process for new ways of obtaining parental consent, including the following:
-
Electronic scans of signed parental consent forms
-
Video-conferencing
-
The use of government-issued identification
-
Alternative payment systems, such as debit cards and electronic payment systems, provided they meet certain criteria
-
Consent methods approved under a voluntary 120-day notice and comment process by which parties can seek the FTC’s approval of new consent methods.
-
Closes a loophole that allowed child-directed apps and websites to allow third parties to collect personal information from children through plug-ins without parental notice and consent.
-
Extends coverage in some of the cases in which third parties collect children’s personal information so that those third parties must comply with the COPPA.
-
Extends the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as Internet protocol (IP) addresses and mobile device IDs.
-
Strengthens data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential.
-
Requires that covered website operators adopt reasonable procedures for data retention and deletion.
-
Strengthens the FTC’s oversight of self-regulatory safe harbor programs.
The final amended COPPA Rule takes effect on July 1, 2013.
About the Author
Steven Imparl received his Bachelor of Science and law degrees from DePaul University. His law practice is concentrated in Internet, e-commerce, and computer law. In addition, his professional experience includes information systems management.
This specialized background, combining information technology and business with law, gives him an edge in interpreting Internet issues. In addition to writing Internet Law: The Complete Guide, he is a frequent contributor on Internet and e-commerce issues to other publications.
He is a member of the Illinois Bar.