The Federal Trade Commission (FTC) recently issued a revised set of frequently asked questions (FAQs) explaining certain aspects of the newly amended rule implementing the Children’s Online Privacy Protection Act (COPPA) that are schedule to take effect on July 1, 2013. The new FAQs, Complying With COPPA: Frequently Asked Questions, contain guidance for operators of commercial and social networking web sites as well as other online service providers (such as mobile apps) that are either directed to children under 13 or otherwise gather personal information from children under 13. Among other things, the FAQs explain how the new Rule expands the scope of entities that must comply with COPPA, as well as the scope of the “personal information” that may not be collected from children under 13 without parental consent.
Some of the more notable questions answered by the FAQs are:
Will the new Rule prevent children from lying about their age?
No. If an operator of a general audience web site or online service screens its users for age, the operator may rely on the ages provided, including an age that is inaccurate as long as the web site or service operator does not have actual knowledge that a child under 13 is the person providing such information. If an operator learns after-the-fact that a specific user is actually a child under age 13, COPPA’s notice and consent provisions apply.
Does ‘personal information’ include passive information collection technologies, like ‘cookies,’ ‘GUIDs,’ and ‘IP addresses’?
Yes, the new Rule modifies the definition of ‘personal information’ to include any ‘persistent identifier’ that allows recognition of the user over time and across different web sites or online services, such as a customer number in a cookie, an IP address, or a device serial number.
If I have an online service for teenagers, how does the new Rule affect me?
Even if a site or service is intended to be directed to teenagers, if a significant number of children under 13 also visit the site or use the service, it may be considered ‘directed to children’ under the Rule. In most instances, a web site or service ‘directed to children’ must treat all visitors as children under 13 and provide COPPA’s protections to all users of the site. Such sites and services may not block children under age 13 from using the site/service.
If I want to offer a child-directed app that would allow children to post pictures of their favorite pets or places, how does the new Rule apply to me?
The new Rule considers photos, videos, and audio files that contain a child’s image or voice to be “personal information,” as are any persistent identifiers of a child. Geolocation data allowing for the identification of a street and city or town is also “personal information.” Operators must therefore (i) pre-screen and delete any photos that contain personal information, including geolocation data and persistent identifiers; (ii) give parental notice and obtain consent before allowing children to upload photos of themselves or other children, or (iii) ensure that any persistent identifiers collected pursuant to the child’s upload are used only to support internal operations of the app.
What should I do about information I collected from children prior to the effective date of the new Rule that is now considered ‘personal information’?
The answer depends on the type of “personal information” collected by a site or online service operator:
- Geolocation Information: if you collected geolocation information of a child without parental consent, you must obtain that consent immediately.
- Photo, Video, or Audio Files Containing a Child’s Image or Voice: you do not need to obtain parental consent for such files collected prior to the new Rule’s effective date, but must do so for any collected as of July 1, 2013.
- Screen Name or User Name: the new Rule considers a screen name or user name to be personal information if it “permits direct contact with a person online.” If you have (or will have) collected such a screen name or user name prior to July 1, 2013, you must obtain parental consent for that collection, and, as of that date, you must also obtain such consent before using any previously-collected screen name or user name by associating new personal information.
- Persistent Identifiers: Parental consent is not required to use a persistent identifier collected prior to the effective date, but if you collect or associate new information with such an identifier as of July 1, 2013, you must obtain such consent.
The new COPPA FAQs cover a variety of other issues and merit careful review by operators in consultation with their legal counsel. The new Rule’s provisions are complex and, even as clarified by the revised FAQs, contain ambiguities, and given the FTC’s aggressive posture with respect to COPPA enforcement, the FAQs and the Rule itself demand substantial attention.