Earlier this week, the Federal Trade Commission announced an update to its frequently asked questions (“FAQs”) document to assist online operators as they prepare for changes to the Children’s Online Privacy Protection (“COPPA”) Rule, which go into effect on July 1, 2013. The updated FAQs clarify parental notice and consent obligations for child-directed apps that collect information from a child in order to send push notifications to users. The new question (No. 80) and answer read as follows:
80. I have a child-directed app and want to send push notifications. Do I need to get parental consent?
- The information you collect from the child’s device used to send push notifications is online contact information – it permits you to contact the user outside the confines of your app – and is therefore personal information under the Rule. To the extent the child has specifically requested push notifications, however, you may be able to rely on the “multiple-contact” exception to verifiable parental consent, for which you must also collect a parent’s online contact information and provide parents with direct notice of your information practices and an opportunity to opt-out. See FAQ 58. Importantly, in order to fit within this exception, your push notifications must be reasonably related to the content of your app. If you want to combine this online contact information with other personal information collected from the child, you cannot rely on this exception and must provide parents with direct notice and obtain verifiable parental consent prior to sending push notifications to the child.
The FTC’s latest update to the COPPA FAQs follows other recent efforts to educate operators of websites and online services directed to children about their obligations under the amended Rule. As we described last week, the FTC recently sent letters to more than 90 U.S. and foreign-based companies to highlight the significant Rule changes relating to the definition of “personal information.”