Operational Requirements of the Recent Amendments to COPPA

Notices

Direct Notice to a Parent

The FTC has reorganized and standardized the information for the direct notice requirement to identify the exact items of information that an operator must provide in each type of direct notice. In addition, each type of notice must provide a hyperlink to the operator’s online notice of information practices. There is also a new direct notice that can be used in situations where an operator voluntarily chooses to collect a parent’s online contact information from a child in order to provide parental notice about a child’s participation in a website or online service that doesn’t otherwise collect, use or disclose the child’s personal information.

Notice on the Website or Online Service

Operators who collect, use or disclose information from a child on a website or online service must provide in their online disclosure a list of other operators who, through the website or online service, are collecting or maintaining the child’s personal information. The operator must also list contact information for at least one operator who will be responsible for responding to parents’ inquiries. In addition, the FTC has simplified the other content of this onsite notice to require the operator to disclose:

1. what information the operator collects from children, including whether the website or online service enables a child to make personal information publicly available;
2. how the operator uses such information; and
3. the operator’s disclosure practices for the personal information.

Operators no longer need to include the statement that the operator may not condition a child’s participation in an activity on the child’s disclosing more personal information than is reasonably necessary to participate in the activity. If the operator has a separate children’s area of its website, this notice must be posted on the app’s home page or the landing screen.

Parental Consent

In addition to the methods identified in the current Rule, operators may use any of the following methods to verify parental consent:

1. electronically scanned versions of signed parental consent forms;
2. video verifications;
3. government-issued IDs, such as a driver’s license or the last four digits of the parent’s social security number;
4. a credit card or debit card when it is used in conjunction with an actual monetary transaction;
5. alternative online payment systems that provide discrete transaction information to the primary account holder; and
6. electronic or digital signatures on parental consent forms.

Operators are permitted to design other methods to verify parental consent and submit an application for approval from the FTC. The Commission will publish the application in the Federal Register for public comment and approve or deny the request within 120 days of filing.
There are a few narrow exceptions in the current Rule that allow an operator to collect limited pieces of personal information from children prior to, or sometimes without, obtaining parental consent. These exceptions permit operators to communicate with a child to initiate the parental consent process, respond to the child once or multiple times, and to protect the safety of the child or the integrity of the website. One other exception has been added under the new Rule to permit the collection of a parent’s online contact information to provide voluntary notice to, and subsequently update the parent about, the child’s participation in a website or online service that does not collect, use or disclose the child’s personal information and where the parent’s contact information is not used or disclosed for any other purpose.

Confidentiality, Security and Integrity of Personal Information Collected from Children

Operators who release children’s personal information to service providers and third parties must inquire about these entities’ data security capabilities and, either by contract or otherwise, received assurances about how they will treat the personal information they receive. Operators must establish and maintain reasonable procedures to safeguard the personal information of children and take reasonable steps to release personal information only to service providers who are capable of and provide assurances that they will also safeguard the information.

Data Retention and Deletion Requirements

Operators must establish and maintain reasonable procedures to protect the confidentiality, security and integrity of the personal information they collect from children. Operators also must anticipate the reasonable lifetime of the personal information they collect from children and apply the same concepts of data security to its disposal as they are required to do with its collection and maintenance.
For access to the full text of the new Rule, use: https://www.federalregister.gov/articles/2013/01/17/2012-31341/childrens-online-privacy-protection-rule