As discussed on this blog, earlier this year the Federal Trade Commission (FTC) adopted final amendments to the Children’s Online Privacy Protection Rule (COPPA), which are set to go into effect on July 1, 2013. The COPPA amendments will have equally binding effects on both websites and mobile apps.
New COPPA Requirements
In essence, the COPPA amendments strengthen online privacy protection for children under 13 years of age and ensure that parents are given an increased role in their children’s online activities (including via mobile apps).
To summarize, the July COPPA amendments:
- offer companies a new, streamlined and voluntary approval process for obtaining parental consent;
- close a loophole that allowed child-directed mobile apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
- extend COPPA coverage to cases in which third parties are doing the collection;
- extend COPPA coverage to persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
- strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;
- require that covered website and mobile operators adopt reasonable procedures for data retention and deletion; and
- strengthen the FTC’s oversight of self-regulatory safe harbor programs.
Amended COPPA Effect on Mobile Apps
Regardless of the type or target audience of mobile apps, if owners are aware that their mobile apps are collecting personal information from children under the age of 13, or if they know that their mobile apps are collecting personal information from another website or online service (including another mobile app) targeted to children under the age of 13, the owners must clearly explain the mobile apps’ information practices, provide direct notice to parents about those practices and obtain parental consent before collecting the child’s personal information. These obligations apply to mobile app companies when third parties (like ad networks or plug-ins) collect personal information through their mobile apps.
Moreover, COPPA requires that mobile app companies keep “personal information” collected from children under the age of 13 confidential and secure. The amended COPPA rule defines “personal information” to include the child’s first and last name, their mailing address, telephone number, online contact information, user name, geolocation information and persistent identifiers that can be used to recognize a user over time and across different websites or online services (such as device identifiers, cookie identifiers, serial numbers, or IP addresses).
Moreover, if a mobile app is designed or targeted towards children under the age of 13 and collects personal information, there are additional COPPA requirements that must be adhered to, which will be detailed in a forthcoming post.
In light of these amendments, mobile app companies that collect consumer information (even if unintentionally from children under 13 years of age) should immediately review their data collection and usage practices and seek to ensure compliance with the amended COPPA. Entities that fail to comply with the requirements of COPPA could find themselves facing regulatory action, which could result in significant fines.