The Federal Trade Commission recently released its revised rule implementing the provisions of the Children’s Online Privacy Protection Act (commonly referred to as the “COPPA Rule”), which will go into effect on July 1, 2013. COPPA applies to websites that are targeted at children under the age of 13 and that collect information from those children (“covered websites”). The Act requires website operators to notify parents and obtain their consent before collecting personal information from children under 13. Primarily, the Rule requires a covered website to provide notice to parents about its information collection practices and to obtain verifiable parental consent prior to collecting personal information from children. It also requires privacy policies that fully explain how information will be used.
Due to the rapid advancements in technology, including mobile technology, and the rate at which children are exposed to things online, the FTC believed that the time had come to update the COPPA Rule. Now, after several rounds of comments, including revisions in September 2011 and August 2012, the revised Rule has been released, including some notable changes. The primary changes to the Rule include revised definitions to several terms, changes to the methods by which website operators are required to contact parents, changes to the ways that operators are able to obtain parental consent, strengthened security provisions, and additional monitoring of self-regulatory safe harbors. We address the major revisions below:
Definitions. The Rule includes revised definitions for several terms including, among others, the following:
- Website or Online Service Directed to Children. The revised Rule clarifies the definition of “website or online service directed to children” to include only those websites that target children. The FTC will view items such as subject matter, animated characters, child-oriented activities, child celebrities or celebrities that appeal to children, and other characteristics in determining if a website is targeting children. Such websites will be deemed as collecting information from children when they have “actual knowledge” of such collection. Websites directed at a broader audience that includes, but does not primarily target, children can comply with the Rule if they do not collect personal information from any visitor without age screening and if they then comply with the Rule’s parental notice and consent requirements for those visitors that identify themselves as being under the age of 13.
- Personal Information. The FTC has revised the definition of “personal information” to now include geolocation data, photographs and videos, as well as audio files that contain a child’s image or voice. Additionally, a “screen or user name” will be treated as a type of personal information only where it functions as online contact information. The definition of “persistent identifiers,” which were previously only covered by the Rule if they were associated with individually identifiable information, has also been expanded to include those technologies that can identify a user over time and across multiple websites or online services. The collection of persistent identifiers is exempt from the Rule’s requirements where they are only used to support internal operations.
To be clear, the FTC also defined “support for internal operations” to include (among other things) contextual advertising, frequency capping, legal compliance, site analysis, and network communications. There is, however, an exception that restricts website operators from using or disclosing information collected for the purpose of contacting a specific person absent parental consent. Likewise, this information cannot be used for behavioral advertising, to compile profiles on individuals or for any other purpose. Industry members may seek formal approval from the FTC to expand the definition of the term.
- Operator. Under the new Rule, the term “operator” has been redefined as it applies to the relationship between a plug-in or advertisement network and the entity running a covered website on which such third parties are permitted to collect personal information from visitors to the covered websites. The new definition only covers those website operators that design and control the child-directed content. For example, the operator of a covered website that targets children but does not itself collect information will now be required to comply with the Rule’s requirements if it permits third-party plug-ins and advertising networks to collect information from children on its site.
Now, plug-in and advertising network operators are only defined as co-operators of a website for purposes of complying with the Rule where they have actual knowledge that they are collecting information from children. The actual site owner may be responsible for notifying the plug-in operators regarding this information. Specifically, the FTC noted that the “actual knowledge” standard will likely be met in situations where the website provider notifies the plug-in operator of the child-directed nature of the site or where there is evidence that a representative of the plug-in operator identifies the nature of the site. The FTC did not, however, limit “actual knowledge” to these situations as it may be assumed based on other facts and will be determined on a case-by-case basis.
- Deletion Standard for Publicly Posted Information. Under the former Rule, website operators were required to delete “all individually identifiable information from postings by children before they [were] made public, and also delete such information from the operator’s records,” absent verifiable parental consent for such collection. This “100% deletion” standard has now been replaced with a requirement that website operators take reasonable measures to delete all or virtually all children’s personal information before publishing such information.
- Parental Consent Verification. The FTC also chose to update the methods by which website operators can obtain verifiable parental consent. In addition to the already approved methods such as use of credit card transactions, calling toll-free numbers, and e-mail plus, the new Rule also provides additional consent mechanisms for parents. These include the following: electronic scans of signed parental consent forms, videoconferencing, use of government-issued ID, and alternative payment systems that meet the same stringent criteria as credit cards, including providing notice of the transaction to the primary account holder. Businesses may also continue to use FTC-approved safe harbor program methods.
To encourage innovation in this area, the new Rule encourages the industry to create new methods of obtaining verifiable parental consent. The Rule indicates that the FTC will provide a written determination within 120 days of the filing of a proposal. There will also be a public notice and comment period. If any portions of the proposal are considered confidential or trade secrets, the submitter can ask that that information not be made public. Additionally, where the FTC disagrees and feels that information should be disclosed, the submitter may withdraw its proposal to avoid publicizing such information.
- The Rule Retains the One-Time Use Exception to Parental Consent. The FTC has chosen to retain the one-time use exception to providing parents with notice and obtaining verifiable consent. Therefore, a website operator can still collect a child’s online contact information to respond to a one-time request and then delete such information. This exception commonly applies to sweepstakes, homework help services, birthday messages, refer-a-friend emails, and the like.
- Confidentiality & Security. As originally proposed in September 2011, the FTC has decided to add a requirement that operators provide more oversight of service providers and third parties to whom they disclose personal information to ensure that they have reasonable procedures to protect the information. Additionally, the proposed changes reinforce that operators should retain information only while the information is necessary, and then destroy it to prevent unauthorized access. Previously, the Rule simply required operators to keep children’s personal information confidential and secure.
- Updates to Safe Harbor Program. The FTC has made several revisions to the provision covering safe harbor programs, which are programs created by industry groups and approved by the FTC to help website operators comply with the COPPA Rule. These changes are the same as those proposed in September 2011. Thus, the Rule now requires industry groups seeking to create safe harbor programs to verify their competence to create and oversee them. Additionally, such groups would be required to oversee their members and submit periodic reports to the FTC regarding their programs.