The Federal Trade Commission (FTC) has issued guidance to answer stakeholder questions about changes to the Children’s Online Privacy Protection Act (COPPA) slated to take effect on July 1, 2013. According to FTC, the new rules apply not only to the operators of Websites and mobile apps directed at children younger than age 13, but also to the operators of general audience sites and apps “with actual knowledge that they are collecting, using, or disclosing personal information from children under 13,” as well as third-party operators “that have actual knowledge that they are collecting personal information directly from users of another Web site or online service directed to children.”

In addition to describing the types of personal information covered by COPPA, which for the first time will class IP addresses as persistent identifiers, the guidance addresses, among other things, (i) new online privacy policy rules, including requirements for displaying the policy; (ii) disclosure requirements for the collection and use of geolocation data; (iii) when and how to acquire parental consent if necessary; (iv) the disclosure of collected information to third parties; and (v) limitations on data collection. It also discusses how industry groups and other parties adhering to self-regulatory guidelines can qualify as an FTC-approved “COPPA safe harbor program,” which under the amended rules must offer protections that are equal to or greater than the agency’s standards; a mandatory assessment mechanism; and “effective disciplinary actions for member operators who do not comply with the safe harbor program guidelines.”

“A court can hold operators who violate the Rule liable for civil penalties of up to $16,000 per violation,” states FTC, noting that foreign-operated sites directed at U.S. children must still comply with COPPA. “The amount of civil penalties a court assesses may turn on a number of factors, including the egregiousness of the violations, whether the operator has previously violated the Rule, the number of children involved, the amount and type of personal information collected, how the information was used, whether it was shared with third parties, and the size of the company.”