If you run a website designed for kids or have a website geared to a general audience but collect information from someone you know is under 13*, you must comply with the Federal Trade Commission’s Children’s Online Privacy Protection Act ( COPPA). New provisions came into effect on July 1, 2013 that provide additional protections and mandate new procedures.
According to FTC Chairman Jon Leibowitz, the changes should provide further protections for children. “I am confident that the amendments to the COPPA Rule strike the right balance between protecting innovation that will provide rich and engaging content for children, and ensuring that parents are informed and involved in their children’s online activities.”
The new amendments:
- Modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos
- Offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
- Close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent
- Extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA
- Extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs
- Strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential
- Require that covered website operators adopt reasonable procedures for data retention and deletion
- Strengthen the FTC’s oversight of self-regulatory safe harbor programs.
- The definition of an operator has been updated to make clear that the Rule covers a child-directed site or service that integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors. This definition does not extend liability to platforms, such as Google Play or the App Store, when such platforms merely offer the public access to child-directed apps.
- The definition of collection of personal information has been changed so that operators may allow children to participate in interactive communities without parental consent, so long as the operators take reasonable measures to delete all or virtually all children’s personal information before it is made public.
*According to a notice issued by the Federal Trade Commission an operator has actual knowledge of a user’s age if the site or service asks for – and receives – information from the user that allows it to determine the person’s age. An example cited by the FTC includes, an operator who asks for a date of birth on a site’s registration page has actual knowledge as defined by COPPA if a user responds with a year that suggests they’re under 13. Another example cited by the FTC that an operator may have actual knowledge based on answers to “age identifying” questions like “What grade are you in?” or “What type of school do you go to? (a) elementary; (b) middle; (c) high school; (d) college.”
If you have questions pertaining to COPPA or other legally related issues, we would encourage you to seek out a qualified legal opinion on how this legislation may affect your business. Act-On does not provide legal advice.