Following a multi-year review that began in 2010, the Federal Trade Commission (“FTC”) has released its updated Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”).1 Revisions to the COPPA Rule become effective July 1, 2013. Between now and that effective date, the FTC is expected to refine its Frequently Asked Questions to help businesses comply with new aspects of the Rule.
The COPPA Rule continues to apply to operators of commercial websites and online services directed to children under age 13 that collect, use, or disclose personal information from children, and to operators of general audience websites or online services that have actual knowledge that they are collecting, using, or disclosing personal information from children under the age of 13. Now, however, instead of focusing only on first parties, the Rule has expanded to also cover third parties, such as social plug-ins and ad networks, when they have actual knowledge that they are collecting personal information from a first-party site or service that is directed to children. At the same time, first-party operators of websites and online services will now be strictly liable for the actions of such third parties.
Additional changes to the Rule include an expansion of data considered to be personal information. The COPPA Rule now covers information such as: persistent identifiers that can be used to recognize a user over time and across different websites or online services (e.g., IP addresses and mobile device IDs); screen names that function as online contact information; photos, videos, and audio files containing a child’s image or voice; and geolocation information.
Providing notice and obtaining verifiable consent from parents prior to the collection of such personal information from children continues to be a core requirement of the COPPA Rule. Operators of websites and online services also now have data security obligations when working with service providers and third parties, including receiving assurances about how these entities will treat the data. Additionally, personal information may only be maintained as long as reasonably necessary to fulfill the purpose for which it was collected, after which time the data must be deleted.