In the eighteen years since the Children’s Online Privacy Protection Act of 1998’s (“COPPA”) enactment, children have been accessing the Internet in greater and greater numbers and through means not even available when COPPA first came into existence. In response to this changing landscape, the Federal Trade Commission (“FTC”) updated its regulatory rules under COPPA in 2013. If your website or application collects personal information from children under the age of thirteen, or allows others to collect such information, you need to comply with COPPA compliance rules and the FTC’s regulations.
The key requirements of COPPA have remained the same—businesses operating websites or mobile apps (operators) that are directed to, or knowingly collect information from, children under thirteen must give notice to parents and obtain their verifiable consent prior to collecting, using, or disclosing a child’s personal information. Furthermore, operators are required to keep collected information secure and cannot request that a child disclose more information than is reasonably necessary for participation in an activity. There are, however, key changes to the FTC’s rules that you should be aware of. Some of these changes include clarification of who an “operator” is, a broadened definition of “personal information,” and updated and expanded notice requirements and means of obtaining consent. Some of these changes may affect the way you operate your online business.
One such change expands who an “operator” is under COPPA. In addition to those previously considered operators, the new rules now make clear that an operator also includes the owner of a child-directed site or app that allows a third party (such as a plug-in or advertising network) to collect personal information from children under thirteen. This means that even if you are not collecting personal information from children under thirteen, but you allow a third party to do so from your child-directed site or app, you must comply with COPPA. Likewise, the operator of a plug-in or advertising network collecting personal information from a website or app directed to children under thirteen must be COPPA compliant. To help companies navigate the new COPPA rules, the FTC has published a helpful “Six-Step Compliance Plan” answering some basic questions.
The new FTC rules
The new FTC rules also expanded the definition of “personal information.” In addition to first and last name, home or other physical address, online contact information, screen or user name, telephone number, and social security number, you may not collect geolocation information, photos, videos, or audio files containing the child’s image or voice without first obtaining verifiable parental consent. Likewise, persistent identifiers (such as cookies, IP addresses, and mobile IDs) that can identify a user over time and across websites or online services are now considered personal information and parental consent is required before collecting such information. There are some exceptions to the rule requiring parental consent, but they are limited.
The new rules also update and expand the disclosures that must be made to parents before personal information is collected and how businesses can obtain verifiable consent. Key facts must be included in the request for parental consent. These include, what information is being collected, how information will be used, and a statement that parental consent is required. Additionally, the new rules offer more ways for businesses to obtain verifiable parental consent. Business can now obtain consent through electronically scanned parental consent forms, video conferencing, government-issued identification, and alternative payment systems (provided they meet certain criteria). While the new rules set out several methods for obtaining parental consent, they also permit interested parties to propose new methods to the FTC for approval. For more information about providing notice, receiving verifiable consent, and other requirements under the new rules, visit the FTC’s COPPA FAQ page.
These are just some of the important changes under the new FTC rules governing COPPA. While technology and connectivity are changing every day, it is important to keep compliance with government regulations in mind to keep your business healthy for years to come. If you have any questions about whether COPPA applies to you and whether you are in compliance, you should consult with an attorney experienced in this area of the law who can help ensure that your business is compliant while allowing it to remain innovative and cutting edge.