Despite calls by major industry players for delay, the Federal Trade Commission (FTC) has confirmed that its previously announced new rule for the Children’s Online Privacy Protection Act (COPPA) will go into effect on July 1, 2013 (COPPA Rule). The new COPPA Rule, which was announced by the FTC in December 2012, will affect a much broader range of enterprises and applications than was previously the case, and constitutes a major revamping of the governing rules for COPPA. All operators of commercial websites and online services, including mobile applications, that are either directed (in whole or in part) to children under 13 or that have actual knowledge that they are collecting, using or disclosing personal information from children under 13 should pay close attention to the new Rule.
COPPA, which was enacted in 1998, seeks to put parents in control over “personal information” collected online from children under the age of 13 by giving notice to parents and obtaining their verifiable consent before collecting information from children. The new COPPA Rule was developed by the FTC to ensure that the COPPA keeps up with new technology and the ways that the children use the Internet, mobile devices and social networking.
Under the new COPPA Rule, the scope of the “personal information” governed by the COPPA Rule will be considerably expanded. As explained in the Frequently Asked Questions (FAQ) for the COPPA Rule, which were published by the FTC on April 25, 2013, personal information will now include not only names, addresses, telephone and social security numbers, but persistent identifiers (such as information about a child’s activities on its website or online service) that can be used to identify users over time and across different websites. In addition, geolocation information sufficient to identity the street name and location of an individual, photos or videos, and screen or user names will also be considered personal information.
The COPPA Rule also will apply to more types of online services, including operators not only of child-directed sites or services, but sites that integrate outside services collecting personal information from visitors, such as plug-ins or advertising networks. The scope of “online services” governed by the COPPA Rule also includes not only services on the Internet, but those that connect to the Internet or to wide-area networks, including mobile networks and Internet-enabled location-based services.
The number of websites that are “directed to children” has also been expanded under the COPPA Rule. The COPPA Rule lists a number of factors that should be considered in assessing whether a website is “directed to children,” including the site’s subject matter, visual content, use of animated characters, music or other audio content, age of models, presence of child celebrities, language and whether the advertising present on the site is directed to children. The COPPA Rule FAQ also states that operators of websites cannot age screen and block users who identify as being under the age of 13 if the websites are “directed to children.” Websites that target children only as a secondary audience will be able to use age screens to differentiate between child and non-child users, for example by offering different activities to such users.
As before, there are several important limitations on the scope of the COPPA Rule. For example, COPPA only pertains to information obtained from children online—not to information about children. COPPA will also not prevent parents or other adults from posting photos about children on the Internet. The COPPA Rule also makes it clear that children may participate in interactive communities without parental consent so long as operators take reasonable measures to delete children’s personal information before it goes public. Nonetheless, the reach of COPPA continues to be very broad, extending to information obtained on a voluntary basis from children, including by websites located outside the United States.
The COPPA Rule makes changes to the direct notice that must be given to parents under COPPA before a website collects personal information from children. The COPPA Rule now provides specific guidance for notice in four distinct scenarios, i.e., where operators (i) seek to obtain a parent’s verifiable consent prior to the collection of a child’s personal information, (ii) voluntarily seek to provide notice to parents of activities that do not involve the collection of personal information, (iii) intend to communicate with a child multiple times via online contact information and collects no other information and (iv) where the purpose of an operator’s information is to protect a child’s safety but the information is not used or disclosed for any other purpose. As the FTC has stated, the “intention of these changes is to help ensure that the direct notice functions as an effective ‘just-in-time’ message to parents about an operator’s information practices, while also directing parents online to view any additional information contained in the operator’s online notice.”
The FAQ for the COPPA Rule addresses numerous additional issues, such as the duty of general purpose websites to investigate the ages of visitors to the websites and to block children under 13 from using the websites, the details of verifiable parental permission to allow children to access websites, exceptions to the parental consent obligations, self-regulatory safe harbor programs, and data retention and deletion obligations. Those who operate websites, services or applications that are directed to children or teenagers—or may have knowledge that children access their websites—should carefully consult the new COPPA Rule and the FAQ. The FTC has signaled that it will vigorously enforce the COPPA Rule, which is punishable by civil penalties of up to $16,000 per violation.