The Federal Trade Commission (“FTC”) recently issued supplemental guidance on the Children’s Online Privacy Protection Act (“COPPA”) in the form of updated answers to FAQs. As loyal blog readers will recall, we have previously written about the revised COPPA Rule, which took effect last month, as well as the FTC’s April FAQs. The latest FAQs provide additional advice on complying with the revised Rule, including several notable clarifications.
No Responsibility for Lying: The amended COPPA Rule does not hold operators responsible for children who lie about their age to register for general audience sites or online services whose terms of service prohibit their participation. Such sites or online services must “have actual knowledge that a child is under age 13” for COPPA to apply. Although the Rule does not require operators to ask for their visitors’ age, those that do “may rely on the age information its users enter, even if it that age information is not accurate.” However, an operator that later determines a particular user is under age 13 must comply with COPPA’s notice and parental consent requirements. FAQ A.14; G.1.
Territorial Scope of COPPA: COPPA covers web sites and services based outside of the United States “if they are directed at children” in the U.S., “or if they knowingly collect personal information from children in the United States.” In addition, U.S.-based sites and services that collect information from children in other countries are also subject to COPPA. FAQ B.7.
Information Collected About Children from Parents or Other Adults Not Covered: The FTC reaffirmed that COPPA only covers personal information collected from children. The law is not triggered by an adult uploading pictures of children on a general audience site or in the non-child directed portion of a mixed-audience site. The Commission reiterated, however, that it expects operators to “keep confidential any information obtained from parents in the course of obtaining parental consent or providing for parental access pursuant to COPPA.” Furthermore, operators of sites and services primarily directed at children must assume that the person uploading a photo is a child and must design their systems either: (1) to give notice and obtain prior parental consent, (2) to remove any child images and metadata prior to posting, or (3) to create a special area for posting by adults, if that is the intention. FAQ A.10; E.4.
Ability to Screen for Age: In most instances, a web site or online service directed at children may not screen users for age and therefore cannot separate users in order to limit its obligation to obtain parental consent to children under age 13. A narrow exception exists for a site or service that may be directed at children but that does not target them as its primary audience. Operators of such sites or services may age-screen if they (1) do not collect personal information from any visitor prior to collecting age information, and (2) prevent the collection, use or disclosure of personal information from visitors who identify themselves as under age 13 without first complying with the amended Rule’s notice and parental consent provisions. FAQ D.2
Blocking Users Under Age 13: Notably, according to the FTC, COPPA prevents operators of web sites or online services “directed” at children from blocking children from participating altogether in their site or service, even if they do not intend children to be their primary audience. Instead, the revised Rule allows them to age-screen to distinguish between child and non-child visitors. The updated FAQs instruct that operators then may provide different activities or functions for users, based on their age, but may not prohibit children from participating in their child-directed site or service. Taken literally, the FTC’s instruction would prevent a site or service directed – but not primarily targeted to – children from choosing no longer to allow them to participate in order to avoid the costs and burdens of COPPA compliance. FAQ D.2, 4.
COPPA Covers Kids’ Sharing of their Creations: Operators of child-directed apps that allow children to create things (such as a painting) must obtain “verifiable parental consent before enabling children to share” these creations with others, even through third parties or their app. COPPA’s definition of “collection” includes requesting, prompting or encouraging a child to submit personal information online, and enabling a child to make personal information publicly available in any form. “Disclosure” under COPPA includes making a child’s personal information publicly available in identifiable form through an email service or other means, such as a social network. Accordingly, the law covers a situation where a child emails a painting and a message or posts content on his or her social networking page through child-directed app. FAQ D.9.
Assessing the Reasonableness of Service Provider and Third Party’s Security Measures: Prior to sharing children’s personal information with service providers or third parties, operators should evaluate the data practices those organizations use to maintain the confidentiality and security of the personal information and to prevent unauthorized access to or use of the information. Any contracts with such providers or third parties should expressly address the operator’s expectations for the treatment of the data. In addition, operators must utilize reasonable means, such as periodic monitoring, to verify that the service providers or third parties with whom they share children’s personal information maintain the confidentiality and security of that data. FAQ K.1.