As we previously reported, the Federal Trade Commission (FTC) adopted final amendments to the Children’s Online Privacy Protection Rule (COPPA), effective on July 1, 2013, that serve to: (i) strengthen online privacy protection for children under 13 years of age; and (ii) ensure that parents are given an increased role in controlling their children’s online activities (including via mobile apps).
The FTC recently updated the COPPA Frequently Asked Questions (“FAQs”) section of its website to provide additional guidance with respect to interpreting the COPPA amendments. Specifically, the FTC made revisions to FAQ H.5, which focuses on obtaining parental consent through the collection of credit or debit card information; FAQ H.10, which focuses on obtaining parental consent through third-party apps; and FAQ H.16, which focuses on third-party platform liability for obtaining verifiable parental consent for app developers.
COPPA Amendment Guidance
FAQ H.5: The general rule is that any parental consent mechanism “must be reasonably calculated, in light of available technology, to ensure that the parent providing consent is the child’s parent.” While the FTC indicates that the use of a credit card, debit card, or other online payment system in connection with a monetary transaction “automatically” meets this standard, there may be circumstances in which collection of the card number alone (in the absence of a monetary transaction) – in conjunction with implementing other safeguards – would “suffice.” The FTC provides an example of such safeguards, namely: supplementing the request for credit card information with special questions that only the parent would know the answers to.
FAQ H.10: The FTC revised this FAQ to allow app developers to rely on third parties to obtain parental consent, as long as the COPPA requirements are otherwise met. For example, the mere entry of an app store account number or password, without other indicia of reliability, such as knowledge-based authentication questions or verification of government identification, does not provide sufficient assurance that the person entering the account or password information is the parent, and not the child. Importantly, the FTC indicates that – before the parent provides his or her consent – parents must be provided with direct notice outlining the app developer’s information collection practices.
FAQ H.16: This FAQ focuses on app store liability in operating a platform that provides a verifiable parental consent mechanism for app developers. Specifically, the FTC explains that an app store would not fall within the definition of “operator” under COPPA by virtue of the fact that it is merely offering the “public access to someone else’s child-directed content.” Therefore, the app store would not be liable for failing to investigate the privacy practices of the operators for whom it obtains consent. The FTC points out, however, that liability may arise under Section 5 of the FTC Act if, for example, the app store misrepresents the level of oversight it provides for a child-directed app.