In anticipation of the July 1 effective date for the new COPPA regulations, the FTC has continued to review and update its COPPA FAQs. One of the updates describes when a child-directed website can have a plug-in like a “Facebook Like” button. This has been a question of particular concern for websites that have content intended both for children and their parents. The FTC has indicated that some such sites can have plug-ins without getting prior consent if an exception applies. In particular, an exception would apply if all of the following three criteria are met: (1) the third-party operator only collects a persistent identifier and no other personal information; (2) the user affirmatively interacts with the third-party for that persistent identifier to be collected; and (3) the third-party has previously age-screened the user to confirm they are not a child. So for a plug-in that is used in a way that meets these criteria, an exception to the requirement to notify parents and get their consent will apply, provided that the rule wasn’t triggered in some other way. An example of how the rule could otherwise be triggered would be if other personally identifiable information was being collected from a child. In the context of plug-ins, that might be if the plug-in was being used to also collect comments or other information. If so, the exception wouldn’t apply.
TIP: Companies seeking to take advantage of this exception should look at the plug-ins on their websites, and confirm that they are not being used to collect other personal information from a user, and confirm that the user is taking an affirmative step before any persistent identifiers associated with that button are collected. This may require conversations with the third party vendors to understand what the plug ins might collect.