Federal Trade Commission (FTC) amendments to the Children’s Online Privacy Protection Rule (COPPA), effective July 1, 2013, impose more stringent requirements on the collection of personal information from children through websites and online services operators. COPPA targets operators of commercial websites and online services, such as mobile apps, directed at children under 13 that collect, use, or disclose personal information from children. The FTC analyzes various factors to determine whether a site or service is considered “directed at children” including:
- subject matter of the site or service;
- the use of animated characters;
- child oriented activities;
- music & the presence of child celebrities; and
- the type of advertising of promoting on the website or online service.
The amended rule provides various updates to COPPA, and requires operators to obtain parental permission before collecting data from children. The updated definition of personal information now includes geo-location information, photographs, videos, screen or user names, and persistent identifiers that can be used to recognize a user over time and across different websites or online services, such as IP addresses and mobile device IDs. The amended rule further requires:
- posting clearly written privacy policies, which must include contact information for all operators collecting personal information;
- a description of that information;
- an option allowing the parent to rescind consent and have the child’s information deleted;
Additionally, the amended rule significantly changed the format and content of the information that must be included in an operator’s direct notice to parents. The rule requires operators to make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives direct notice of the operator’s practices with regard to the collection, use, or disclosure of personal information from children, including notice of any material changes to practices to which the parent previously consented. COPPA now provides a very detailed roadmap of what information must be included in your direct notice depending upon what personal information is collected and for what purposes.
COPPA does, however, provide various exceptions to parental consent, such as:
- one-time response exception, which permits a website to send a response to a child, via the child’s online contact information, without sending notice to the parent or obtaining parental consent;
- this exception applies in limited circumstances and allows a single communication, after which the operator must promptly delete the child’s online contact information from their records, and may not use the child’s online contact information to re-contact the child.