Doing Business with Children: Compliance with the Amended COPPA Rule

As of July 1, 2013, the Federal Trade Commission’s regulations implementing the Children’s Online Privacy and Protection Act (“COPPA”) were amended to address changes in the way children use and access the Internet, including through mobile devices and social networking. Originally enacted in 1998, COPPA applies to operators of websites and online services, including apps, that are directed to children under 13 or that serve a general audience and know they are collecting personal information from children under 13. If such a site or service is covered by COPPA, it must obtain parental consent before collecting personal information from the child and it must honor the parent’s choices about how the information is used, including any revocation of consent. Retailers and other operators of websites and online services need to familiarize themselves with the latest developments in the COPPA Rule and take appropriate steps to comply.

New Developments in the COPPA Rule

Key changes to the COPPA Rule include the following:

Increased liability. Covered operators must take reasonable steps to ensure that children’s personal information is disclosed only to service providers and third parties capable of maintaining the confidentiality, security, and integrity of the information. Note that such operators will be liable for the collection activities of third parties even if the operators themselves do not collect personal information. Operators of child-directed sites will be strictly liable for personal information collected by third parties through their sites, while such third parties will be liable as co-operators only if they have actual knowledge that they are collecting information from children.

Expanded definition of “personal information.” Personal information now includes geolocation information sufficient to identify street name and city or town; photos, videos, and audio recordings containing a child’s image or voice; a screen or user name that functions as online contact information; and “persistent identifiers” such as a cookie or IP address that can be used to recognize a user over time and across different websites or online services.

Notice and consent. The methods companies may use to obtain verifiable parental consent have been expanded and clarified (e.g., returning a signed consent form; calling a toll-free number staffed by a trained live person; etc.). The Rule includes some narrow exceptions to the consent requirement, such as where an operator collects a persistent identifier but no other personal information and the identifier is used solely to provide one of seven necessary types of support for the internal operations of the website or online service.

Retention and deletion. Personal information collected from children may be retained only as long as is reasonably necessary to fulfill the purpose for which the information was collected and must be deleted using reasonable measures to protect against unauthorized access to, or use of, the information.

Privacy policy requirements. Privacy policies must state: (i) the name, address, telephone number, and e-mail address of all operators collecting or maintaining personal information through the site or service (or the contact information for one operator that will handle all inquiries); (ii) a description of what information the operator collects from children, including whether the operator enables children to make their personal information publicly available, how the operator uses such information, and the operator’s disclosure practices for such information; and (iii) the procedures for parents to review and delete their child’s personal information and to refuse to permit its further collection or use.

Takeaways for Operators of Websites and Online Services

If you have not already done so, you should determine whether COPPA applies to your business. Even businesses that do not specifically target children are likely to be covered by COPPA. If you think COPPA applies, you should consult with your attorney and consider whether you need to do any of the following:

• Review and update your privacy policies as needed;

• Review and clarify your relationships with third party services such as plug-ins and advertising networks that may collect personal information (and if you are a third-party service provider, you need to determine whether the first-party site or service is directed to children);

• Review and update your procedures for giving “direct notice” to parents and obtaining their “verifiable” consent before collecting information from their children; and

• Review and update your procedures to honor parent rights and protect the security of their children’s information.

For additional information about the amended COPPA Rule, you may wish to consult the FTC’s updated guidance documents, including Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business and Complying with COPPA: Frequently Asked Questions.

Related topics: Compliance, Intellectual Property, Privacy, Retail