After years of consideration and feedback the Federal Trade Commission released the final revision to the 14-year old Children’s Online Privacy Protection Act (COPPA) Rule. The FTC began its review of the Rule back in April 2010 and we reported on the proposed amendments here. The revised Rule, with only a few exceptions, essentially follow the changes proposed earlier this year.
COPPA regulates website and online services either (a) directed to children under 13 or (b) that have actual knowledge that a user is under 13. The main message delivered at a press conference announcing the final amendments was the importance of protecting children in the mobile and online spaces. Senator Jay Rockefeller (D-WV) said the committee’s goals are to make child protections “strong, stronger and yet stronger.”
New provisions expand the definition of “personal information” (PI) collected to trigger parental consent — mostly to adapt the effectiveness of the law to new online and mobile technologies. The updated regulation requires parental consent before operators in the online or mobile application space collect PI from children, but provides a carve out for data used only “for the sole purpose of supporting the website or online service’s internal operations, such as contextual advertising, frequency capping, legal compliance, site analysis, and network communications.” Contextual advertising provides content based on the site visited (e.g. if you are visiting a sports site there may be advertisements for sporting equipment) while behavioral advertising delivers ads based on tracking the user’s Internet browsing activities and targeting the advertisements to their interests (e.g. if you look at a pair of shoes on a site today you may see those shoes advertised on other sites you visit tomorrow). Sites willing to forgo behavioral advertisements can use this caveat to target child audiences with less worry about violating COPPA requirements.
In addition, other key changes include:
“Personal Information”now includes:
- photos, videos, or audio files that contain the child’s image or voice
- persistent identifiers used to “recognize a user over time and across different websites or online services,” but only to the extent they are not used to support the internal operations of the site or service. This means that sites like Google cannot use tracking tools to follow children across websites to provide behavioral advertising, but they can use the same tools to track users (including children) to gage and adjust bandwidth to effectively provide their services
- “Operator” extends to child-directed sites and online services that allow third parties (such as plug-ins or advertising networks) to collect personal information from users. In the news conference Wednesday, FTC Chairman Leibowitz said this does not include the App Store or Google Play because they are general purpose stores and not primarily targeted to children under 13.
- “Website or online service directed to children” extends to plug-ins or ad networks when they have actual knowledge they’re collecting personal information from a child-directed site. Previously, third-party data brokers could use plug-ins and ad networks to collect information on children without notifying and obtaining consent from parents. This loophole has been closed, and in some instances third parties will have to comply with all of the COPPA rules as if they were directly interacting with children.
There is a new carve out in this section that allows sites and services that are directed to children, but whose primary audience is not children, to use an age screen to apply COPPA protections only to those that self-identify as under 13. The FTC also affirmed their use of “totality of the circumstances” to determine whether a site or service is directed to children, adding musical content, the presence of child celebrities, and celebrities who appeal to children, to the list of factors considered.
- The change to the definition of “Collection” of personal information now allows operators to run interactive communities with child participants without parental consent, so long as the child’s personal information it deleted before it’s made public.
- The final rule also establishes a process allowing operators to get formal approval to add permitted activities to the definition of “support for internal operations.”
Notice and Consent
- The final rule requires “just in time” notice that makes it easier for parents to get the most important details about the information being collected. The notice must include
- What information has already been collected
- Purpose of the notice
- Actions the parents must take
- Description of how the information will be used
- A hyperlink to the website privacy notice
- In addition to using the already approved methods of obtaining consent (including “Email Plus”) operators can use:
- “scan and send” forms
- video conferencing consent
- government-issued identification
- alternative payment systems (such as debit cards) as long as they meet certain criteria
- The FTC has also established a voluntary 120-day notice and comment process allowing operators to get approval for other methods.
- Operators are required to take reasonable steps to ensure children’s personal information is only released to companies that are capable of maintaining the confidentiality and security of the information.
- Operators must only retain data for as long as reasonably necessary to fulfill the purpose for which is was collected.
- The new rule requires the “safe harbor programs” to audit their members and report the aggregated results of the audits to the FTC.
For further reading: Center for Democracy & Technology
The Rule is effective on July 1, 2013 — giving operators and advertisers some time to determine a path to compliance. This is the time to start reviewing operations and how the new Rule affects your business. You may also want review the recommendations made by the FTC Business Blog.