The FTC announced yesterday that it had made several important changes to the COPPA Rule, although the basics remain intact, as the underlying law hasn’t changed. Those who operate a website or online service directed to children under 13 must still give notice to parents and obtain their verifiable consent before collecting, using, or disclosing personal information from children under 13. As a result of the new Rule, website operators that fall under COPPA’s jurisdiction will likely now need to get parental consent to engage in most behavioral–but not contextual-advertising, which relies on use of persistent identifiers. Consent will be needed, or these sites may need to avoid behavioral advertising, because “persistent identifiers that are used to recognize a user over time and across different websites or online services” has been added to the definition of personal information. The amended Rule will also require parental consent to collect photos, videos, and audio files from children that contain a child’s image or voice unless one of the Rule’s exceptions to parental consent applies. These, too, have been added to the list of personal information, where the original Rule makes these personally identifiable only if combined with other information that permits online or physical contacting. Other times when parental consent may be needed include collecting geo-location and screen name information. In a nod to industry comments, the new Rule does not contain a broad definition of “screen names” as personal information, instead narrowing it to only those that permit direct contact with a person online. With respect to parental consent, the new Rule does not eliminate “email plus” for internal uses of a child’s information, as had originally been anticipated. It does, though, provide for new enumerated methods for getting consent including electronic scans of signed parental consent forms, videoconferencing, and alternative payment systems. The Rule also contains a mechanism for the FTC to add new parental consent procedures to the list after July 2013 if parties request. There is also now a process for providing “voluntary notice” to a parent, in situations where notice and consent may not be required.
The FTC has left largely intact the method for determining if a site falls under COPPA’s scope, using a “totality of the circumstances” approach, but adding in new factors to look at to determine if the site is targeted to children. Sites that knowingly collect information from children are also covered, and the FTC stressed that this includes when a child voluntarily indicates age, not just when age is requested. The new Rule also included a strict liability standard for child-directed operators who permit others to collect personally identifiable information from children on their sites. These other entities might include plug-ins or other entities gathering information behind the scenes on a website. This change was made to the Rule notwithstanding industry objections and requests for a “due diligence” safe harbor. In disagreeing with the industry, the FTC noted that it believed the website was in the best position “to know which plug-ins it integrates into its site, and is also in the best position to give notice and obtain consent from the parents,” but it did indicate that it would look at the level of due diligence as a factor (although not a complete liability shield).
TIP: Of the changes to the new Rule that will likely result in the most work and diligence between now and July 1, will be the obligations placed on website operators with respect to plug-ins and other vendors who may be operating on their sites. While there are many other changes to the COPPA Rule, it is important to keep in mind that the Rule is fundamentally the same as it is now—obtain parental consent before collecting personally identifiable information from children. Companies should ensure that they are familiar with the new list of items that constitute “personally identifiable information” under the updated Rule.