AMENDMENTS TO THE COPPA RULE RELEASED ON DECEMBER 19 – EFFECTIVE JULY 1, 2013
Amendments to the Children’s Online Privacy Protection Rule (the COPPA Rule), issued by the U.S. Federal Trade Commission (FTC) on December 19, 2012, will tighten the privacy requirements for child-directed websites and mobile apps. The COPPA Rule requires operators of websites and online services to obtain a parent’s verifiable consent before collecting personal information from children under 13 and to give parents detailed notice regarding the collected personal information and its uses. The revised Rule modifies the definitions of personal information, operator, and website or online service directed to children. The amendment also revises several other COPPA Rule provisions, such as the methods for obtaining parental consent, and the confidentiality and security requirements.
NEW TYPES OF PERSONAL INFORMATION
The amendment adds new types of data to the definition of “personal information” that cannot be collected without parental consent. These new categories include photographs, videos, and audio files that contain a child’s image or voice, user names that function as online contact information, and geolocation information. Under the revised Rule, operators must also have a parent’s permission before using persistent identifiers, such as cookies or other tracking tools that use IP addresses or mobile device IDs to follow a child’s activity over time and across different websites or online services. However, parental consent is not required if such tools are used only for providing support for internal operations, such as contextual advertising, frequency capping, legal compliance, site analysis, and network communications. The amended Rule also provides for a process that allows the industry to seek approval for additional activities to be added to the definition of support for internal operations. On the other hand, the FTC specifically clarified that, for example, amassing a profile of an individual child does not constitute support for internal operations.
REVISIONS TO DEFINITIONS OF “OPERATOR” AND “WEBSITE OR ONLINE SERVICE DIRECTED TO CHILDREN”
The definition of “operator” has been revised to clarify that the Rule covers third-party services (such as ad networks and social plug-ins) that collect personal information through a child-directed site or service. The host site or service has strict liability for the third party’s compliance, while the third party must comply only if it has actual knowledge that it is collecting personal information through a child-directed site or service. As regards the definition of a website or online service directed to children, the amendment adds new criteria, such as the presence of child celebrities, to the factors to be considered. The revised Rule also allows a website or service that targets children only as a secondary audience to age-screen visitors and to obtain parental consent only for users under 13.
REVISED METHODS FOR NOTICES AND CONSENT, TIGHTER CONFIDENTIALITY AND SECURITY REQUIREMENTS
Further, the amendment streamlines the requirements for the notices that must be provided on the website or service (and which are typically included in privacy policies) and prescribes the information that must be disclosed in direct notices delivered to parents. It also adds new methods that operators can use for obtaining parental consent, including, for example, electronic scans of signed parental consent forms and videoconferencing. As for confidentiality and security requirements, the amended Rule strengthens the requirements when releasing children’s personal information to third parties, and sets forth new data retention and deletion requirements. The Rule also strengthens the FTC’s oversight of self-regulatory safe harbor programs.
The revision will require companies that collect information from children to evaluate and revise their privacy policies and other compliance practices before the revised Rule takes effect on 1 July 2013. Moreover, some companies will become newly subject to the Rule’s requirements and will need to put in place policies and practices to ensure compliance.