In December 2012, the Federal Trade Commission (FTC) issued updated rules under the Children's Online Privacy Protection Act (COPPA), which significantly expand COPPA's scope and application. COPPA, which governs the collection, use, and disclosure of personal information from children under 13 online, requires operators of websites and online services that are directed to children or that have actual knowledge that they are collecting information from children to provide notice to and obtain consent from the child's parents prior to collecting personal information from the child. The new rules – which are effective July 1, 2013 – broaden the type of information covered by COPPA, apply to a much wider group of website and online service operators, and impose new data security, protection, retention, and deletion requirements.
Who is Covered
Under the new rules, a provider of a website or online service that is directed to children is considered an "operator" covered by COPPA and is primarily responsible for information that is collected through its site by third-party services, such as ad-networks and plug-ins (e.g., Facebook "Like" and Twitter "tweet" buttons). In other words, a child-directed website or service is liable for information collected by a third-party provider operating on its website or service, even if it does not have actual knowledge of the third party's collection of personal information through that website or service.
The new rules also cover third parties with actual knowledge that they are collecting children's online information through another's website or online service. This means that plug-ins and ad-networks that are aware that they are collecting information from children will also be required to notify parents and obtain parental consent before collecting a child's information.
Websites and services that are directed at children but do not target children as their primary audience will be permitted to age-screen users and will only be required to notify parents and obtain parental consent for users who self-report as younger than 13 years of age.
What is Covered
The list of "personal information" that cannot be collected without notifying parents and obtaining parental consent has been expanded to include geolocation information, photographs, and videos. Persistent identifiers that recognize users over time and across different websites and services (e.g., IP addresses and mobile device IDs) can only be collected by a website or online service to support its internal operations.
The new rules also impose additional requirements for the way operators of websites and online services are required to treat the online personal information they collect from children. Prior to disclosure of children's personal information to service providers or third parties, operators of websites and online services must inquire about the other party's ability to maintain the confidentiality, security, and integrity of the information and must obtain that party's assurances regarding the proper treatment of such information after it is received from the operator. In addition, the new rules require that operators delete children's personal information when the purpose for which they collected the information is fulfilled. When deleting the information, the operators must also use reasonable measures (considering available technology) to protect against unauthorized access or use of the information during the deletion process.
What You Should Do Now
We encourage operators of websites, apps, and other online services to review their information practices and those of third parties that collect information through their sites. Many sites and services previously unaffected will now be subject to COPPA and will need to institute compliance procedures. Operators of websites and online services that were previously covered by COPPA should review their compliance procedures and collection practices to determine what changes are needed and implement changes to their privacy policies and parental notices prior to the new rules becoming effective on July 1, 2013.
For More Information
While this alert has discussed some of the more important rule changes, many other changes may affect your compliance with COPPA. If you have any questions about COPPA compliance or other online privacy issues, or if you would like assistance with creating or reviewing COPPA-compliant practices and privacy policies, please contact: