In December 2012, the Federal Trade Commission (FTC) issued revisions to the Children’s Online Privacy Protection Act Rule (COPPA Rule or Rule). The COPPA Rule creates extensive parental notice and consent requirements, among other obligations, for organizations that (1) operate a website or online service that is “directed to children” under 13 and that collects “personal information” from users or (2) knowingly collect personal information from children under 13 through a website or online service. The new Rule takes effect today (July 1, 2013).
The FTC made significant changes that affect how the Rule functions in the definitions section, rather than in the operational sections. This tail-wags-the-dog approach means that organizations may be required to devote additional resources to understanding and complying with the Rule. Significant changes to the COPPA Rule include the following:
- There are more scenarios under which operators will be subject to the COPPA Rule. (1) Previously, operators of plug-ins and ad networks were viewed by most as not subject to the Rule unless they had actual knowledge that they were collecting personal information from a child. The new Rule provides that these operators will also be subject to the COPPA Rule when they have actual knowledge that they are collecting personal information directly from users of a child-directed website or online service. (2) An operator of a website or online service that is not directed to children will be subject to the COPPA Rule if the operator allows another party to collect personal information from a user through the site and the operator has actual knowledge that the user is a child. (3) Operators of websites or online services directed to children are subject to the COPPA Rule if their service providers or agents collect personal information through the website or online service. (4) An operator of a child-directed site is also subject to the Rule if other parties who are not service providers or agents collect personal information through the site and the operator “benefits by allowing” the collection of information.
- The definition of personal information was expanded to include, among other things, geolocation information, screen names or user names that function as “online contact information,” and persistent identifiers that “can be used to recognize a user over time and across different websites or online services.” IP addresses, device serial numbers, unique device identifiers, and cookies or cookie IDs, in some circumstances, are all forms of persistent identifiers under the new Rule. Video and audio files containing a child’s image or voice are also considered to be personal information, according to the new Rule.
- The revisions to the Rule provide a new compliance mechanism for operators of websites and online services that are directed to children but do not target children as their primary audience. These operators may elect to age-screen all users and provide parental notice and obtain parental consent only for users that self-identify as under 13 years old. Alternatively, these operators could age-screen all users and prevent the website from collecting personal information from users under 13. Practically speaking, exercising the latter option will require operators to block children from using the website or online service. In order to utilize this new compliance mechanism, according to the COPPA Rule, an operator may not collect any personal information until the operator exercises one of these two age-screening options.
- An operator of a website or online service is not required to comply with the parental consent requirements if the only type of personal information collected is a persistent identifier and that identifier is used solely for “support for internal operations” of the website or online service. The FTC expanded the definition of support for internal operations to include, among other things, contextual advertising (but not behavioral advertising), frequency capping of advertising, and legal or regulatory compliance. The new Rule also creates a process through which an organization may file a written request with the FTC to include additional activities within the definition of support for internal operations.
- There are new confidentiality and information security requirements, including a requirement that operators of websites and online services obtain certain assurances from third parties with whom they share access to children’s information.
- The new Rule also provides new methods of obtaining parental consent, including electronic scans of signed consent forms and videoconferencing. A process was created that would allow operators of websites and online services to seek FTC approval of methods of parental consent that are not explicitly endorsed by the Rule.
As we explained in a recent client alert, the FTC has been proactive in seeking out websites and online services that do not comply with the new Rule, and state agencies are also taking a more active role in monitoring organizations for COPPA compliance. Organizations that have not already examined the new COPPA Rule to determine how they are impacted by the changes, including whether they are now covered by the Rule, should do so as soon as possible.