On July 16, 2014, the Federal Trade Commission (“FTC”) issued revised guidance regarding compliance with its C Online Privacy Protection Act (“COPPA”). COPPA and the rules promulgated thereunder regulate the collection, use, and disclosure of personal information from children under age 13 by operators of commercial websites and online services, including mobile apps. The recent changes to the FTC’s Complying with COPPA: Frequently Asked Questions document clarify parental consent requirements with respect to such websites and services.
Updated FAQ H.5 softens the requirements for online service operators and developers to verify parental consent via a credit or debit card number, no longer requiring the completion of an actual monetary transaction related to such card number. While provision by a user of debit or credit card information alone remains insufficient to meet the parental consent requirement, “there may be circumstances in which collection of the card number – in conjunction with implementing other safeguards – would suffice” such as requiring additional information.
FAQ H.10, as revised, permits developers of mobile applications to rely on a platform managed by a third party (such as the app stores of Google, Apple, or Amazon) to obtain verifiable parental consent on the developer’s behalf, provided that the developer remains ultimately responsible for ensuring that COPPA notice and consent requirements are met by such third party. The FTC clarified that the developer must be sure such consent is obtained “in a way that is reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent,” and that simply collecting a user ID and password is insufficient.
Finally, the FTC added new FAQ H.16, which provides that third party app stores or platforms are deemed not “operators” of websites “when such stores merely offer the public access to someone else’s child-directed content.” Therefore, such a platform or app store will not be liable under COPPA for failing to investigate the privacy practices of the developers of apps which it makes available to the public. However, the FTC notes that liability for such a platform or app store could arise under Section 5 of the FTC Act for deceptive trade practices, such as misrepresenting the level of oversight the platform provides for child-directed apps.