Online privacy and information security are areas of ever-increasing concern for the FTC, prosecutors, plaintiffs' lawyers, and consumer advocates. There is now a smattering of laws and regulations relating to these issues that operators of websites and applications, as well as advertisers, must comply with. In particular, anyone who operates a website designed for kids, or a website geared to a general audience that is aware it is collecting information from someone under 13, should understand and comply with the Children's Online Privacy Protection Act, the FTC's rules, and the FTC's guidance.
The Children's Online Privacy Protection Act became law almost 15 years ago, but on July 1, 2013, the Federal Trade Commission's revisions to the Children’s Online Privacy Protection (COPPA) Rule, which are designed to modernize the Rule, will become effective. Therefore, affected website operators should consider whether revisions to their policies and practices are appropriate.
What Is the Children's Online Privacy Protection Act Rule?
The COPPA Rule requires operators of websites or online services directed to children under 13 years of age (and operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age, even if not by design) to provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age. The Rule also requires operators to keep secure the information they collect from children, and prohibits them from conditioning children’s participation in activities on the collection of more personal information than is reasonably necessary to participate in such activities.
What Revisions Take Effect on July 1, 2013?
The lengthy revisions are designed to achieve the following:
- Modify the definition of "operator" to make clear that the Rule covers an operator of a child-directed site or service where it integrates outside services, such as plugins or advertising networks, that collect personal information from its visitors;
- Modify the definition of "Web site or online service directed to children" to clarify that the Rule covers a plug-in or ad network when it has actual knowledge that it is collecting personal information through a child-directed Web site or online service;
- Modify the definition of "Web site or online service directed to children" to allow a subset of child-directed sites and services to differentiate among users, and to require such properties to provide notice and obtain parental consent only for users who self-identify as under age 13;
- Modify the definition of "personal information" to include geolocation information and persistent identifiers that can be used to recognize a user over time and across different Web sites or online services;
- Modify the definition of "support for internal operations" to expand the list of defined activities;
- Streamline and clarify the direct parental notice requirements to ensure that key information is presented to parents in a succinct "just-in-time" notice;
- Expand the non-exhaustive list of acceptable methods for obtaining prior verifiable parental consent;
- Create three new exceptions to the Rule’s notice and consent requirements;
- Strengthen data security protections by requiring operators to take reasonable steps to release children’s personal information only to third parties who are capable of maintaining the confidentiality, security, and integrity of the information;
- Require reasonable data retention and deletion procedures;
- Strengthen the FTC’s oversight of self-regulatory "safe harbor" programs; and
- Institute voluntary pre-approval mechanisms for new consent methods and for activities that support the internal operations of a Web site or online service.