At the International Association of Privacy Professionals' annual privacy conference last week, FTC senior attorney Mamie Kresses discussed the new liability concerns for operators of websites and services due to the recent revisions to the FTC's COPPA Rule. (COPPA, the Children's Online Privacy Protection Act, and the COPPA Rule, require, among other things, that operators of websites and services that are directed to children under 13, or that knowingly collect personal information from children under 13, obtain parental consent. We summarized these revisions in a client alert.)
The revised definition of "operator" includes (1) an operator of a child-directed site or service that allows outside services, such as plug-ins and advertising networks, to collect personal information from visits, and (2) a plug-in or ad network when it has actual knowledge that it is collecting personal information through a child-directed website or service. According to Kresses, a child-directed website or service could face enforcement actions if it failed to prevent third parties that are on the site or service from collecting data without parental consent. Kresses also stated that an operator of a website or service could still be liable for a COPPA Rule violation even if it has a service agreement in place prohibiting third parties from collecting information from children under 13. Kresses suggested that companies be selective about what third-party content appears on their sites.
The COPPA Rule revisions also expanded the definition of personal information to include geolocation information, photos, videos, audio files, and persistent identifiers such as Internet Protocol addresses and mobile device IDs that are not used for supporting internal operations like contextual advertising and frequency capping. Kresses responded to questions about how companies should handle information that, prior to the Rule revision, was not considered "personal information." She stated that if a company collected information prior to the revisions, and that information now falls within the definition of personal information, that the company cannot use that information after July 1st without first obtaining parental consent. She acknowledged that many companies collected this information without obtaining parental consent and that it could be very difficult to obtain consent at this point. She also indicated that if a company cannot use information it collected, it should delete the information.
The revised Rule takes effect July 1, 2013. Kresses said that the FTC will issue more guidance on how to comply with the revised Rule soon.