Amended Rule Effective Date: July 1, 2013

The Federal Trade Commission (FTC) has recently amended the Children’s Online Privacy Protection Rules (COPPA) in order to further control and monitor the collection of personal information from children and to create a safer and more secure online experience for them.  Most of the revisions reflect evolving technology and the need to have a rule that addresses the changing online environment.

BACKGROUND

In general, COPPA, which is enforced by the FTC and which became effective in April, 2000, applies to operators of websites or online services that collect personal information on children under the age of thirteen (13) or operators that have actual knowledge that personal information from children is being collected through their website or online services.  The Rule requires that notice be provided to parents, and that parental consent be verified, before the operators can collect, use or disclose personal information on children.  In addition, operators must develop procedures to ensure that any information they collect is kept secure and the Rule prohibits operators from requesting more personal information from children than is reasonably necessary to participate in the activities being offered.

SUMMARY OF CHANGES

Definitional Changes

There are a number of nuanced changes and additions to the definitions of key terms used in the Rule.

Collection of Personal Information

The FTC clarified that personal information is collected not only when the operator requires the information, but also when the operator merely prompts or encourages a child to voluntarily provide personal information.  In other words, both situations may be a trigger to first obtain parental consent before the information is collected.
The current rule allows an exception to the parental notice and consent requirement if the operator deletes 100% of any individually identifiable information from postings by children before those postings are made public.  The 100% standard is being replaced by a “reasonable measures” standard.  If an operator takes reasonable measures to delete all or virtually all personal information before a child’s postings are made public and also deletes the information from its records, the exception will apply.
The FTC has clarified that the collection of personal information includes all means of passively collecting the information regardless of the technology used.  In other words, collection of information is not limited to the use of an identifying code linked to an individual, such as a cookie.

Online Contact Information

Currently, the Rule defines online contact information as an “email address or any other substantially similar identifier that permits direct contact with a person online.”  The revisions enhance this definition by identifying other commonly used identifiers, such as instant messaging (IM) user identifiers, voice over Internet protocol (VOIP) identifiers, video chat user identities and any other substantially similar identifiers that permit direct contact with a person online.

Strict Liability of Collection of Personal Information Collected by Third Parties

In one of the more significant changes, operators of sites with child-directed content will be strictly liable if they allow other online services to collect personal information through their site.  Strict liability means that no mitigating factors are considered.  If a child’s personal information is collected by a third party through an operator’s website in the manner discussed in this section without the prior notice and consent of the parent, the operator may be in violation of the rule even though the operator is not the party that actually collected the information.  However, to be liable the operator must have actual knowledge that the other party is collecting the personal information through the operator’s child-directed site as a representative of, or for the benefit of the operator. The FTC has provided some examples of when an operator would have actual knowledge that the third party is collecting personal information, which include when:

  1. a child-directed content provider directly communicates the child-directed nature of its content to the other online service;  or
  2. a representative of the online service recognizes the child-directed nature of the content.

The FTC was concerned that operators could circumvent the provisions of COPPA by not collecting a child’s personal information directly on their sites, but then allowing the collection of this data to be done on their behalf by third parties, such as advertising networks or through downloadable plug-ins.  However, the FTC noted that it does not intend that this new language encompass platforms like Google Play or the App Store because these stores merely offer the public access to someone else’s child-directed content. Specifically, the new language states that personal information is collected or maintained on behalf of an operator when it is collected or maintained by an agent or service provider of the operator or the operator benefits by allowing another person to collect personal information from a child directly from the users of such operator’s website or online service.

Screen or User Names

The FTC has clarified that a screen name or user name is considered personal information when it’s used for functions other than, or in addition to, support for the internal operations of the website or online service.  Specifically, a screen name or user name is considered personal information when it functions in the same manner as online contact information.
Persistent identifiers are also considered personal information when they are associated with individually identifiable information. In the same manner as a screen name or user name, persistent identifiers can be used to recognize a user over time or across different websites or online services  and are used for functions other than, or in addition to, support for internal operations of the website or online service.  Operators will need to obtain parental consent for the collection of persistent identifiers when they are used to track children over time and across sites and services.  On the other hand, persistent identifiers may be used without having to obtain parental consent if they are used for functions related to site maintenance and analysis and network communications as long as none of the information collected is disclosed to contact a specific individual, including through the use of behavioral advertising.

Photographs, Videos and Audio Files

Personal information will now include photograph, video and audio files if the file contains a child’s image or voice regardless of whether the file is combined with other information that permits physical or online contacting.  The FTC believes that is appropriate to require operators who offer young children the opportunity to upload these sorts of files to first obtain parental consent.

Geolocation Information

The FTC has clarified that geolocation information collected from children is considered personal information and requires prior parental consent.

Web Site or Online Services Directed to Children

The preamble to the new Rule takes considerable time discussing how it defines a website or online service as one that is directed to children.  The new rule clarifies that the FTC will look at a variety of factors when making this determination including those items identified in the current Rule plus musical content, the presence of child celebrities, and celebrities who appeal to children.  If a website or online service is directed to children the operator must obtain parental consent before collecting personal information.  In some cases, the operator may be permitted to age-screen to differentiate among those users that are under 13 and those that are over 13.  If the operator meets these requirements, the operator would only need to obtain parental consent for anyone who has self-identified themselves as being under age 13.

OPERATIONAL REQUIREMENTS

Notices

Direct Notice to a Parent

The FTC has reorganized and standardized the information for the direct notice requirement to identify the exact items of information that an operator must provide in each type of direct notice. In addition, each type of notice must provide a hyperlink to the operator’s online notice of information practices.  There is also a new direct notice that can be used in situations where an operator voluntarily chooses to collect a parent’s online contact information from a child in order to provide parental notice about a child’s participation in a website or online service that doesn’t otherwise collect, use or disclose the child’s personal information.

Notice on the Website or Online Service

Operators who collect, use or disclose information from a child on a website or online service must provide in their online disclosure a list of other operators who, through the website or online service, are collecting or maintaining the child’s personal information.  The operator must also list contact information for at least one operator who will be responsible for responding to parents’ inquiries.  In addition, the FTC has simplified the other content of this onsite notice to require the operator to disclose:

  1. what information the operator collects from children, including whether the website or online service enables a child to make personal information publicly available;
  2. how the operator uses such information; and
  3. the operator’s disclosure practices for the personal information.

Operators no longer need to include the statement that the operator may not condition a child’s participation in an activity on the child’s disclosing more personal information than is reasonably necessary to participate in the activity.  If the operator has a separate children’s area of its website, this notice must be posted on the app’s home page or the landing screen.

Parental Consent

In addition to the methods identified in the current Rule, operators may use any of the following methods to verify parental consent:

  1. electronically scanned versions of signed parental consent forms;
  2. video verifications;
  3. government-issued IDs, such as a driver’s license or the last four digits of the parent’s social security number;
  4. a credit card or debit card when it is used in conjunction with an actual monetary transaction;
  5. alternative online payment systems that provide discrete transaction information to the primary account holder; and
  6. electronic or digital signatures on parental consent forms.

Operators are permitted to design other methods to verify parental consent and submit an application for approval from the FTC.  The Commission will publish the application in the Federal Register for public comment and approve or deny the request within 120 days of filing.
There are a few narrow exceptions in the current Rule that allow an operator to collect limited pieces of personal information from children prior to, or sometimes without, obtaining parental consent.  These exceptions permit operators to communicate with a child to initiate the parental consent process, respond to the child once or multiple times, and to protect the safety of the child or the integrity of the website.  One other exception has been added under the new Rule to permit the collection of a parent’s online contact information to provide voluntary notice to, and subsequently update the parent about, the child’s participation in a website or online service that does not collect, use or disclose the child’s personal information and where the parent’s contact information is not used or disclosed for any other purpose.

Confidentiality, Security and Integrity of Personal Information Collected from Children

Operators who release children’s personal information to service providers and third parties must inquire about these entities’ data security capabilities and, either by contract or otherwise, received assurances about how they will treat the personal information they receive. Operators must establish and maintain reasonable procedures to safeguard the personal information of children and take reasonable steps to release personal information only to service providers who are capable of and provide assurances that they will also safeguard the information.

Data Retention and Deletion Requirements

Operators must establish and maintain reasonable procedures to protect the confidentiality, security and integrity of the personal information they collect from children. Operators also must anticipate the reasonable lifetime of the personal information they collect from children and apply the same concepts of data security to its disposal as they are required to do with its collection and maintenance.
For access to the full text of the new Rule, use: https://www.federalregister.gov/articles/2013/01/17/2012-31341/childrens-online-privacy-protection-rule