On July 16, 2014, the Federal Trade Commission posted revisions to its Frequently Asked Questions that provide guidance on complying with the Children’s Online Privacy Protection Rule (the “COPPA Rule”). The revisions, which are in Section H of the FAQs, address the COPPA Rule requirement that operators of certain websites and online services obtain a parent’s consent before collecting personal information online from a child under the age of 13.
The FTC revised FAQs H.5 and H.10, and added a new FAQ, H.16.
- In FAQ H.5, the FTC addresses obtaining parental consent by collecting a credit card or debit card number without engaging in a monetary transaction. The revised answer indicates that “although collecting a 16-digit credit or debit card number alone” is not sufficient, “there may be circumstances in which collection of the card number – in conjunction with implementing other safeguards – would suffice.” As an example, the answer states that operators could “supplement the request for credit card information with special questions to which only parents would know the answer and find supplemental ways to contact the parent.”
- In FAQ H.10, the FTC discusses whether the developer of an app directed at children can use a third party such as an app store to get parental consent. The revised answer states that a developer may use a third party, “as long as [they] ensure that COPPA requirements are being met,” including the requirement to “provide parents with a direct notice outlining [the developer’s] information collection practices before the parent provides his or her consent.”
- In the new FAQ H.16, the FTC addresses whether an app store that provides a verifiable parental consent mechanism could be liable under COPPA. According to the FTC, because the app store is not an “operator” under COPPA, the app store “will not be liable under COPPA for failing to investigate the privacy practices of the operators for whom [they] obtain consent.” The answer to H.16 also warns that app stores should “evaluate [their] potential liability under Section 5 of the FTC Act. For example, it could be a deceptive practice to misrepresent the level of oversight [they] provide for a child-directed app.”