what is COPPA?
The Children’s Online Privacy Protection Act of 1998 (COPPA), and the COPPA Rule, 16 C.F.R. Part 312, promulgated by the Federal Trade Commission (FTC) under that Act, require that website operations and online services providers take specific precautions when collecting personal information from children under the age of 13. Specifically, the COPPA Rule applies to any operators of websites or online services that either (a) direct their site or services to children under the age of 13; or (b) have actual knowledge that they are collecting personal information from children under the age of 13. It requires those operators to give notice to and get verifiable consent from parents before collecting, using or disclosing such personal information. The Rule also imposes obligations on operators to keep the information they collect from children secure and limits the amount of personal information that children must submit to participate in online activities to what is reasonably necessary for participation.
what has changed in the COPPA rule?
In December 2012 the FTC issued an amended COPPA Rule to address ever-evolving technology, including mobile devices and website analytic tools, and changes in the way children use and access the internet, including the increasing use of social networking sites by children. The amended Rule, which goes into effect July 1, 2013, clarifies who is covered by the Rule, what qualifies as “personal information,” and what methods for providing notice and obtaining verifiable consent are appropriate. Below is a summary of the most important changes in the amended COPPA Rule and some tips for making sure you comply with its requirements.
downstream services providers and third parties covered by rule
The amended Rule makes it clear that the COPPA requirements extend to third party plug-ins or ad networks that integrate with child-directed sites or services.
This means that covered operators who may use third party services to collect personal information (as opposed to collecting themselves) must comply with COPPA with respect to that collection and will be strictly liable for the third party services’ failure to do so. Likewise, the third party providers who collect such information must also comply with the notice and consent provisions when the provider is aware that children under 13 are submitting personal information.
expanded definition of personal information
In one of the most important changes in the Rule, the FTC has expanded the definition of “personal information” to include new categories of information that are prolific now that mobile devices and social networking services are such an integral part of children’s use of the internet. Specifically, the Rule now encompasses geolocation information, screen names (even if they do not reveal the user’s email address), and photos, videos and audio files that contain a child’s image or voice. Importantly, these types of information might be collected without being actively solicited by a website provider (for example, some applications or analytic tools may automatically capture geolocation data and some sites may allow under 13 users to submit multimedia that could contain a child’s image or voice). Regardless, all of this information is now considered “personal information” under the Rule, and triggers the requirement of notifying parents and obtaining their verifiable consent before the operator collects such information.
In addition, the definition of personal information now includes “persistent identifiers,” which are web analytic tools that are used to recognize users over time and across different websites or online services. IP addresses and cookies are common examples of persistent identifiers under the Rule. Importantly, the Rule exempts operators from obtaining parental consent when it collects persistent identifiers for the sole purpose of supporting the website or the operator’s internal operations. However, the Rule explicitly forbids operators and third-party services from using these types of identifiers for behavioral advertising to create a profile on a specific individual or for any other purpose without parental consent.
what is required of operators who already have collected data falling under the new definition?
The FTC has provided guidelines for operators who may have already collected the types of information that fall within the new definition of personal information in the amended Rule. The FTC has determined that some categories are merely clarifications of the original Rule and therefore operators must have parental consent for any of these categories of information, even if collected prior to the effective date of the amended Rule. Included in these categories is geolocation data that is precise enough to determine the name of a street and city or town. If this information was collected prior to the effective date without parental consent, the operator must obtain the required consent immediately and/or delete the information. Keep in mind that photos and videos that are uploaded by users may contain geolocation information in the file metadata, or the media content itself may reveal geolocation.
For other types of information, prior information collected under the original Rule without consent are outside of COPPA’s scope if collected prior to the amended Rule’s effective date on July 1, 2013. (Of course, the operator must comply with COPPA’s notice and consent requirements for any ongoing collection of those types of information.) These “new” categories include:
- For photos, videos or files, no parental consent is required for information collected prior to effective date of the amended Rule, unless the media’s metadata or content reveal geolocation. However as a best practice, FTC staff recommends that entities either discontinue use/disclosure of this information or, if possible, obtain consent.
- For screen names that do not include an email address, operators do not need to go back and get consent for information collected prior to the effective date of the amended Rule as long as the operator does not associate new information with the screen name after July 1, 2013. Again, as a best practice, the FTC encourages operators to obtain consent if possible.
- For persistent identifiers, the original Rule covered persistent identifiers only if they were tied to individually identifiable information. For persistent identifiers that qualify as personal information under the amended Rule (but not under the original Rule), operators need not seek parental consent for such information collected prior to the effective date of the amended Rule unless the operator combines previously collected information with new information collected after the effective date of the amended Rule.
- The name, address, telephone number and email address of all operators collecting or maintaining personal information through the site or service (or, if there are multiple operators, identify one that will handle all inquiries from parents);
- A description of what information the operator collects from children, including whether the operator enables children to make their personal information publicly available, how the operator uses such information, and the operator’s disclosure practices for such information; and
- Information regarding procedures that allow the parent to: (a) review their child’s personal information; (b) request deletion of their child’s personal information; and (c) refuse to permit further collection or use.
specific format and content for notice to parents
The amended Rule significantly changed the format and content of the information that must be included in an operator’s direct notice to parents. Whether direct notice is required, and the form it must take, depends upon what information is collected and for what purpose. By way of example only, operators are required to provide direct notice to parents to obtain verifiable consent to collect or use information about a child, as well as in those circumstances where the operator intends to communicate with the child multiple times. The amended Rule sets out the specific circumstances in which direct notice is required or appropriate, and the specific format and content of such notices. These can be found in 16 CFR §312.4(c)(1). Operators with questions about direct notice should consult the individual regulations and/or seek legal advice.
methods for obtaining parental consent
The amended Rule also clarified or supplemented the acceptable methods for obtaining verifiable parental consent, including:
- Allowing electronic scans of parental consent forms in addition to forms being returned by US mail or fax;
- Obtaining consent through a telephone call or video conference with trained personnel;
- Use of government-issued identification
- Obtaining consent through the use of payment systems such as debit cards, credit cards or other online payment systems;
- The use of “email plus” if personal information will be used only for internal purposes. “Email plus” allows the operator to email a request to the parent to obtain consent by return email message, as long as the operator takes an additional confirming step after receiving the parent’s message to ensure the parent (and not the child) has sent the confirming email.
tips for making sure you comply with COPPA
- Consider whether (a) your website is directed at children under 13, or (b) you actually collect personal information from children under 13 to determine whether COPPA applies.
- Conduct an audit of the types of information your website solicits and collects from children and determine whether any of that information is “personal information.” (Remember, COPPA restricts collection/use/disclosure of information from children under 13; it does not cover information about children under 13 if collected from other sources, like their parents.)
- Consider whether an audit of photos, videos or files collected under the original Rule should be made to determine if geolocation data was unwittingly collected without express parental consent.
- Determine whether you use any third party plug-ins or ad networks on your site that may be collecting “personal information” from children under 13 and thereby expose you to liability.
- Examine any website analytic tools that you or your third party providers may use and determine whether your use is consistent with COPPA’s restrictions on the use of persistent identifiers.
- Determine whether your notice to parents regarding your collection, use and disclosure of information is adequate.
- Make sure your methods of obtaining and verifying parental consent comply with those methods set forth in the COPPA Rule. If your method is different than those explicitly described in the Rule, consider seeking FTC approval of your method.
- Determine whether the personal information you collect from children under 13 is shared with any service providers or third parties. If so, review and audit the security procedures used by these third parties and obtain assurance that the data will be kept secure.