Federal Trade Commission Continues to Add to COPPA FAQ Guidance
At the end of July 2013, the Federal Trade Commission (“FTC”) released additional guidance on how to comply with the Children’s Online Privacy Protection Rule (“COPPA Rule”). Updates to the COPPA Rule were released by the FTC in December 2012, and became effective July 1, 2013. To assist entities with navigating the changes to the COPPA Rule, the FTC began releasing FAQs in its Complying with COPPA: Frequently Asked Questions (A Guide for Business and Parents and Small Entity Compliance Guide) publication in April 2013. Since that time, the FTC has steadily distributed more guidance each month, with the most recent wave of FAQs released in July.
The July updates to the FAQs address the following topics:
  • Actual Knowledge. FAQs D.10, 11, and 12 provide examples of when a site or service may have “actual knowledge” of collecting personal information on child-directed sites.
  • Share Buttons. FAQ D.9 provides that verifiable parental consent must be obtained if an app includes embedded buttons or plug-ins that allow children to send email or post information.
  • Information Collected from a Child-Directed Site. FAQ K.2 is directed to ad networks and provides guidance on how to comply with the COPPA Rule if the ad network discovers that it has been collecting personal information through a child-directed site. 
The FTC has stated that it intends to continue releasing additional FAQs as it receives new inquiries from interested entities.
September Compliance Deadline for New HIPAA Regulations
The compliance deadline for the Department of Health and Human Services’ (“HHS”) significant revisions to its privacy, security, and data breach regulations is September 23, 2013. The regulations were originally issued under the Health Insurance Portability and Accountability Act (“HIPAA”) and the revisions implement changes made under the Health Information Technology for Economic and Clinical Health Act (“HITECH”).
By the September deadline, affected entities will be expected to complete their transition to the new requirements, including those related to privacy notices, contracts, policies and procedures, training, and breach notification. Among the key changes in the new regulations, business associates – as well as their downstream subcontractors – will now be directly liable under HIPAA for complying with the rules. A new breach notification regime for “unsecured protected health information” also applies. In addition to the substantive changes effected by the new regulations, HHS has the ability to seek higher penalties for HIPAA violations even in instances when an entity is not aware of the violation.