COPPA Update: FTC Provides Further Guidance with FAQ Additions

by Davis Wright Tremaine LLP

The Federal Trade Commission has added to its recently revised “Frequently Asked Questions” (FAQs) to assist covered entities in complying with the first major update of regulations implementing the Children’s Online Privacy Prevention Act (COPPA Rule). The question-and-answer pairs are more clearly organized by topic and provide additional guidance, largely for ad networks. Specifically:

  • One new FAQ provides greater latitude for ad networks that find out after the new rules’ effective date that they have been collecting personal information from a child-directed website, by allowing continued use of converted data and persistent identifiers under certain circumstances.
  • The new FAQs also limit the circumstances somewhat where ad networks are deemed to have “actual knowledge” of the child-directed nature of sites from which they collect personal information. For example, one FAQ clarifies that knowledge gained by an ad network’s employees will less likely be attributed to the ad network if the ad network prominently discloses on its site or service the methods by which the ad network can be directly contacted with COPPA information.
  •  A related FAQ allows ad networks to rely on first-party affirmative representations of their non-child-directed status, including through signaling from the embedding webpage, so long as the ad network does not separately discover additional indicia of a website’s child-directed nature.  If such additional indicia are “inconclusive,” the ad network may still ordinarily continue to rely on the site’s or service’s specific affirmative representations.
  • Another new FAQ further establishes that, without more, the receipt of a list of websites (or services) claimed to be child-directed from parents’ organizations, advocacy groups, or similar entities is not enough to be deemed “actual knowledge” with respect to those websites or services.

This post discusses these additions to the FAQs – for further points of guidance provided in the COPPA FAQs, see our prior post, here.

When the Federal Trade Commission declined to extend the July 1, 2013, effective date for the overhaul of its COPPA Rule, it substantially revised the related FAQs, which are a key resource for understanding the regulations. Now, the FTC has acted on a promise to update the FAQs as questions arise post-effective date.

One of the recently updated FAQs poses the hypothetical of an ad network that finds out after the updated COPPA Rule’s effective date that it has been collecting personal information from a child-directed website.  This new FAQ indicates that, unless an exception applies, the entity must stop collecting the information immediately, and obtain verifiable parental consent if it continues to collect new personal information from the website, re-collects personal information collected previously, or uses or discloses personal information now known to have come from the child-directed site. Verifiable parental consent must be obtained before using or disclosing the previously-collected data if there is actual knowledge it was collected from a child-directed site. Parental requests regarding the information must be honored even if there will be no further disclosure. And, the FTC urges, information known to have come from the child-directed site should be deleted “as a best practice.”

The FAQ also discusses what happens when the third-party does not know the source of personal information. In that case, the FAQ continues, if the entity, for example, converted data about websites visited into interest categories (e.g., sports enthusiast) and no longer has any indication where the data originally came from, it may continue using the interest categories without giving notice or obtaining parental consent. Or, for example, if the entity had collected a persistent identifier from a user on the child-directed website, but has not associated it with that website, continued use of the identifier is permissible without giving notice or getting parental consent.

The FAQ revisions also include several new points of guidance for when ad networks can be said to have “actual knowledge” of the child-directed nature of websites or services and/or that they have collected personal information directly from users of such sites/services. Though these situations can be highly fact-specific, the FTC points to two cases where it believes the actual knowledge standard is likely be met: where a child-directed content provider (which is strictly liable for any collection) directly communicates the child-directed nature of its content to the ad network; and where a representative of the ad network directly recognizes the child-directed nature of the content.

Under the first scenario, any direct communication the ad network has with the child-directed site or service that indicates its child-directed nature will give rise to actual knowledge. In addition, if a formal industry standard or convention ever evolves through which sites or services signal their child-directed status, that would also give rise to actual knowledge.

Whether an ad-network representative “recognizes” the child-directed nature of content will be particularly fact-dependent, but it reduces the likelihood that an ad network would be deemed to have gained actual knowledge attributable to the business as a whole through its employees, if the ad network prominently discloses on its site or service methods by which it can be contacted with COPPA information.

In a related FAQ, the FTC addresses the prospect of an ad network participating in a system in which first-party sites signal their child-directed status (e.g., by signaling from the embedding webpage to ad networks). In that case, such a signal would result in actual knowledge, but the ad network also gains the benefit by being able to know when sites signal they are “not child-directed.” However, while ad networks “may ordinarily rely on such a representation,” such reliance is advisable only if the first-party affirmatively signals its site or service is “not child-directed” – the ad network may not set that option for the first-party as a default.

The FAQ cautions that even under such a signaling system, ad networks may still be charged with gaining other additional information resulting in actual knowledge of the child-directed nature of a website or service despite a contradictory representation by the site. But, the FAQ continues, if that additional information is “inconclusive,” the ad network should still be able to rely on a specific affirmative representation made through a system of “child-directed” and “not child-directed” signals.

A new FAQ also clarifies that where an ad network receives from a parents’ organization, advocacy group, or other outside entity a list of websites or services claimed to be child-directed, the ad network would not likely be deemed to have “actual knowledge” based solely on that list. Ad networks also have no duty to investigate upon receipt of such a list. On the other hand, if the ad network is provided screen shots or other forms of concrete information as to the child-directed nature of a site or service, that would give rise to actual knowledge. The FAQ suggests that if an ad network receives a list or other information that creates uncertainty about a website or service being potentially child-directed, the ad network should still be able to rely on specific affirmative representations from a site or service that it is not child-directed (however, mere acceptance of a standard provision in, e.g., an ad network’s terms of service that a first-party agrees it is not child directed will not be a “specific affirmative representation” for this purpose).

Finally, there is a new FAQ that addresses “share buttons” embedded in child-directed apps or plug-ins that allow sending emails or otherwise posting information, such as via social networks. In that case, the FTC explains, the app/plug-in operator must obtain verifiable parental consent unless an exception applies, and that is true, even if the app/plug-in does not itself collect or share personal information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Written by:

Davis Wright Tremaine LLP

Davis Wright Tremaine LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.