Last week, the staff of the Federal Trade Commission ("FTC") issued crucial reading for operators of websites, apps, plug-ins, ad networks and other online services (together, "Services") that are subject to its recently revised rule implementing the Children’s Online Privacy Protection Act ("Rule"): a much anticipated update of its COPPA FAQs.[1] Many of the 92 FAQs mirror those previously published by the staff, and most of the new FAQs draw largely from the FTC’s Statement of Basis and Purpose issued with the final revised Rule. A few things, however, are new. While they do not address all of the issues businesses are facing as they prepare to come into compliance by the revised Rule’s July 1, 2013, effective date, the FAQs provide valuable insight into how the staff interprets the revised Rule and how it thinks companies should comply.
Highlights are below.
The staff explains how operators should treat information that it collected prior to the revised Rule’s effective date but that did not fall within the definition of "personal information" at the time it was collected (FAQ 4):
- An operator must obtain parental consent "immediately" for already collected geo-location because the inclusion of geo-location in the revised Rule’s definition of "personal information" was a mere clarification of, and not a change to, the existing Rule.
- An operator does not have to obtain parental consent for already collected photos, videos and audio files, but the staff recommends that, as a best practice, it either obtain parental consent or discontinue its use and disclosure of such materials.
- An operator does not have to obtain parental consent for already collected screen or user names, but staff encourages that, as a best practice, it obtain parental consent, if possible. It also explains that a previously collected screen or user name is covered by the Rule if the operator associates new personal information with it after the revised Rule’s effective date.
- An operator does not have to obtain parental consent for an already collected persistent identifier, but if it associates new personal information with it after the revised Rule’s effective date, then it must obtain parental consent (unless the collection falls within an exception, such as for the support of the Service’s internal operations).
The staff takes the position that a Service that is directed to children but does not target children as its primary audience may not, after age-screening, completely block children from the Service. Instead, it is the staff’s view that the Service must offer some content to children who identify as under 13. This is new and flows from the Rule revision that permits such a Service to age-screen users so that it may treat those who are under 13 differently from those who are older (rather than having to treat all users as children under 13, as the Rule generally requires of Services "directed to children"). Although neither the COPPA statute itself nor the revised Rule imposes an obligation on such a mixed-audience Service to affirmatively provide content for those who identify as under 13, the staff’s apparent theory for this requirement is that such a Service may not completely block children because it is directed to children and will therefore, presumably, know that it will attract children, including those who return after having been age-blocked.[2] (FAQs 36, 38, 53) It is not clear from the FAQs what the staff believes that such a Service must do—perhaps offering a minimum of content would suffice—only what such an operator apparently cannot do, which is to block age-screened under-13s altogether. This is new, untested and apparently unsupported in the Rule. Moreover, the staff’s theory seems to require some evidentiary burden in any enforcement action. It may be revised in coming months. In the meantime, though, this is the staff’s enforcement position.
The staff provides app operators with guidance on providing notice and obtaining verifiable parental consent.
- If an app will collect personal information as soon as it is downloaded, the operator should provide direct notice and obtain parental consent at the point of purchase, or it should insert a landing page to do so before the download is complete. (FAQ 30)
- An operator may not rely on a parent’s app store account number or password, without some other indicia of reliability, to meet the Rule’s consent requirements. The staff explains that this information, alone, does not provide sufficient assurance that the person entering the information is the parent and not the child. (FAQ 66)
The staff addresses an operator’s obligations with respect to the collection of personal information by third parties from the operator’s users.
- The operator is not required to inform third parties of the child-directed nature of the Service, but the staff recommends that it signal this to the third party because the operator is strictly liable for the collection of personal information from its users, including by a third party. The operator may arrange with the third party to provide adequate COPPA protections. (FAQ 40)
- An operator must inquire into the information collection practices of every third party that can collect information via the operator’s Service. The operator can assess its compliance obligations only if it has this information. (FAQ 42)
The staff provides guidance on how the revised Rule applies to photos submitted by children, a new category of "personal information" under the Rule.
- A feature allowing children to submit photos is subject to the Rule unless the operator prescreens them prior to posting and deletes any personal information contained in them, including images of children and geo-location metadata. (FAQ 44)
- Compliance is not necessary if an operator blurs the facial features of children in photos before posting and removes any other personal information, including geo-location metadata. (FAQ 45)
- The operator of an app does not "collect" personal information—and therefore does not trigger the Rule—when the app interacts with a photo that is stored on the user’s device but is never transmitted to the operator. (FAQ 47)
The revised Rule requires an operator to take reasonable steps to release children’s personal information only to service providers and third parties that are capable of maintaining its security and provide assurances they will do so. The staff believes this requires an operator to:
- Determine what the service provider or third party’s practices are for maintaining security and confidentiality and preventing unauthorized access or use;
- Expressly address expectations for treatment of the children’s personal information in its contracts with the service provider or third party; and
- Use reasonable means, such as periodic monitoring, to confirm that the service provider or third party is maintaining the security and confidentiality of the information. (FAQ 82)