FTC Senior Attorney Discusses COPPA Revisions


At the International Association of Privacy Professionals' annual privacy conference last week, FTC senior attorney Mamie Kresses discussed the new liability concerns for operators of websites and services due to the recent revisions to the FTC's COPPA Rule. (COPPA, the Children's Online Privacy Protection Act, and the COPPA Rule, require, among other things, that operators of websites and services that are directed to children under 13, or that knowingly collect personal information from children under 13, obtain parental consent. We summarized these revisions in a client alert.)

The revised definition of "operator" includes (1) an operator of a child-directed site or service that allows outside services, such as plug-ins and advertising networks, to collect personal information from visits, and (2) a plug-in or ad network when it has actual knowledge that it is collecting personal information through a child-directed website or service. According to Kresses, a child-directed website or service could face enforcement actions if it failed to prevent third parties that are on the site or service from collecting data without parental consent. Kresses also stated that an operator of a website or service could still be liable for a COPPA Rule violation even if it has a service agreement in place prohibiting third parties from collecting information from children under 13. Kresses suggested that companies be selective about what third-party content appears on their sites.

The COPPA Rule revisions also expanded the definition of personal information to include geolocation information, photos, videos, audio files, and persistent identifiers such as Internet Protocol addresses and mobile device IDs that are not used for supporting internal operations like contextual advertising and frequency capping. Kresses responded to questions about how companies should handle information that, prior to the Rule revision, was not considered "personal information." She stated that if a company collected information prior to the revisions, and that information now falls within the definition of personal information, that the company cannot use that information after July 1st without first obtaining parental consent. She acknowledged that many companies collected this information without obtaining parental consent and that it could be very difficult to obtain consent at this point. She also indicated that if a company cannot use information it collected, it should delete the information.

The revised Rule takes effect July 1, 2013. Kresses said that the FTC will issue more guidance on how to comply with the revised Rule soon.

For more information about the content of this alert, please contact Ieuan Jolly or Nerissa Coyle McGinn.

Written by:

Published In:


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Loeb & Loeb LLP | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.