As the July 1, 2013 implementation date of the updated Children’s Online Privacy Protection Rule (“COPPA Rule”) approaches, businesses are working to modify their systems to comply with the new requirements. To help them meet the deadline, the Federal Trade Commission (“FTC” or “Commission”) on May 15th sent more than 90 “educational letters” to app developers whose online services appear to collect personal information (as defined under the revised Rule) from children under 13. The letters did not reflect an official evaluation of the companies’ COPPA compliance status. The FTC has not published a list of companies that received such letters.
As explained by the Commission, these letters fall into four main categories:
- Letters to domestic companies that may collect images or sounds of children;
- Letters to domestic companies that may collect persistent identifiers from children;
- Letters for foreign companies that may collect images or sounds of children in the United States; and
- Letters to foreign companies that may collect persistent identifiers from children in the United States.
The letters explain to the companies that their mobile apps appear to collect various “personal information” from children in the United States as that term will be defined effective July 1, 2013. Specifically, the letters alert the businesses that the expanded definition of “personal information” will include a photograph or video with a child’s image, or audio file with a child’s voice. Additionally, the FTC explains that “personal information” will include screen or user names that function as online contact information, and persistent identifiers that can be used to recognize users over time and across different websites or online services.
The letters advise the companies that covered app developers will be required to:
- Give notice and obtain parental consent for personal information collected on their apps from third parties (unless an exception applies);
- Take reasonable steps to release children’s personal information only to companies capable of keeping the data secure and confidential; and
- Meet new data retention and deletion requirements.
The letters conclude by encouraging the companies to review their mobile app offerings in advance of the upcoming changes to the COPPA Rule.