The Federal Trade Commission (“FTC”) has announced its amended Children’s Online Privacy Protection Act (“COPPA”) Rule, which becomes effective July 1, 2013.

The FTC’s COPPA Rule imposes specific requirements on websites and online services directed to children under 13.  The revised COPPA Rule leaves in place most of its principal existing features, including that such sites and services must (a) post a clear and comprehensive privacy policy concerning children’s “personal information”, (b) give direct notice to parents and get their verifiable consent before collecting, using or disclosing personal information from children under 13, (c) give parents options to limit or prohibit use of such information, and to periodically review and update their choices on those options, and (d) maintain the confidentiality and security of information collected from children.  For more on the FTC’s enforcement of COPPA rules, click here.

In 2010, the FTC initiated a review of its existing COPPA Rule to “keep up with evolving technology and changes in the way children use and access the Internet, including the increased use of mobile devices and social networking”.  Following such review, the FTC posted its proposed amendments and then allowed an extended period for public comments.

As announced by the FTC, the principal changes to the COPPA Rule are:

1. Businesses Covered by COPPA:  The Rule has been revised to expressly cover (a) any child-directed site or service that integrates outside services, such as plug-ins or advertising networks, that collect personal information from visitors, and (b) those outside plug-in or ad network services that have actual knowledge they are collecting personal information through a child-directed website or online service.  The existing Rule requires that sites and services whose “primary target audience” is children must give notice to and obtain consent from parents of all users under 13.  This now has been expanded to require that sites and services “that target children only as a secondary audience or to a lesser degree” must provide notice and obtain parental consent for users who identify themselves as being younger than 13.
2. “Personal Information”:  This key definition has been expanded to include “geolocation information, as well as photos, videos, and audio files that contain a child’s image or voice”.  The Rule now also covers “persistent identifiers” that can be used to recognize users over time and across different websites or online services (unless the operator’s sole purpose is to support its own internal operations, such as for payment and delivery functions, spam protection, and statistical reporting).  The FTC made clear that while use of “persistent identifiers” to collect and retain data about the consumer’s online activities over time requires parental consent, using them to enable “the delivery of advertisements based upon a consumer’s current visit to a web page or single search query” is permissible without consent.
3. Obtaining Parental Consent:  The FTC has added several new methods that operators can use to obtain verifiable parental consent:  electronic scans of the signed consent forms; video-conferencing; use of government-issued identifications; and alternative payment systems, such as debit cards and electronic payment systems, provided they meet certain criteria.  Operators that collect children’s personal information for internal use only may obtain consent through an email from the parent, as long as the operator confirms such consent by sending a delayed email of confirmation or calling or sending a letter to the parent.  The FTC has also established a voluntary 120 day notice and comment process so parties can seek approval of additional consent methods.
4. Confidentiality and Security Requirements:  The amendments require covered websites and online services to take reasonable steps to make sure that children’s personal information is released only to service providers and third parties that are capable of maintaining the confidentiality, security and integrity of the information, and to give suitable assurances they will do so.  The information may be retained only as long as is reasonably necessary, and the operators must protect against unauthorized access or use.
5. Self-Regulatory Safe Harbors:  The FTC is also requiring that the approved self-regulatory “safe harbor” programs audit their members and report annually to the FTC the aggregated results of those audits.

For more information on the new COPPA Rule, visit the FTC’s website here.