Children’s Online Privacy Protection Act – Need to Know Changes

Kristin Krause Cohen, Division of Privacy and Identity Protection, Federal Trade Commission

The Children’s Online Privacy Protection Act (COPPA) provides parents with the right to control the collection of personal information from their children online.[i] While the Federal Trade Commission (FTC) is the primary enforcer of COPPA, Congress has also made clear that states have jurisdiction to bring civil actions on behalf of the residents of their states for COPPA Rule violations,[ii] and both Texas and New Jersey have done so.[iii] The FTC recently amended the COPPA Rule to make several important amendments, and this article provides a summary of the key changes as states consider potential enforcement.

Congress passed COPPA in 1998 to prohibit certain unfair or deceptive acts and practices in connection with the collection, use and disclosure of personal information online from children younger than 13 years of age. COPPA was intended to: (1) enhance parental involvement in their children’s online activities to protect children’s privacy in the online environment; (2) protect the safety of children at public places online where children may disclose identifying information; (3) maintain the security of children’s personal information collected online; and (4) limit the collection of personal information from children without parental consent.[iv] The Act required the FTC to issue an implementing Rule, which became effective in April 2000.[v]

The FTC’s COPPA Rule requires an operator of an online site or service directed to children, or an operator with actual knowledge it is collecting personal information from children, to take certain steps prior to collecting, using, and/or disclosing children’s personal information.[vi] These steps include posting a privacy policy and directly notifying parents about the website operator’s information practices.[vii] Additionally, subject to certain exceptions, an operator must obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children.[viii] Finally, if the operator maintains children’s personal information, it must keep that information secure and let parents access and delete their child’s information.[ix]

In 2010, in response to rapidly evolving technology and changes in the way children use and access the Internet, including the increased use of mobile devices and social networking, the FTC initiated a review of its COPPA Rule. This rule review culminated in the FTC issuing amendments to the Rule, which became effective on July 1, 2013.[x] In general, the Amended Rule:

  • expands the definition of personal information to cover photos, videos, and audio files containing a child’s image or voice, geolocation information sufficient to identify street name and name of a city or town, and persistent identifiers that can be used to recognize a user over time and across different websites and online services;
  • makes operators of websites and online services directed to children responsible for information collection on their sites and services by third parties, such as plug-ins and advertising networks;
  • requires those third parties to comply with COPPA where they have actual knowledge they are collecting personal information on websites and online services directed to children;
  • allows certain child-directed sites to use an age screen and only provide COPPA protections to those users identifying as younger than 13;
  • provides specifics about what needs to go into direct notices to parents and privacy policies, in order to ensure parents have the most relevant information when they need it; and
  • strengthens the data security requirements of the Rule, and requires covered operators to adopt reasonable procedures for data retention and deletion.

Below I discuss each of these changes in more detail.

Personal Information Definition: One of the most significant changes to the COPPA Rule involves the change to the definition of personal information. Specifically, the revised definition (1) clarified that geolocation information sufficient to identify street name and name of a city or town is covered; and (2) added photographs, videos, and audio files containing a child’s image or voice as well as certain persistent identifiers, such as a customer number held in a cookie or an IP address, to the categories of information covered by the Rule.[xi]

In recognition of the fact that persistent identifiers serve a myriad of functions, many of which do not affect the privacy or safety of children online, the Amended Rule provides for a specific exception to the verifiable parental consent requirement where a persistent identifier is used solely for the support of the internal operations of the website or online service.[xii] The types of activities covered by this exception include contextual advertising, authentication, network communications, and analytics.[xiii] Importantly, however, this exception only applies where the information collected is not used or disclosed to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, or for any other purpose.

Third Parties: The Amended COPPA Rule also makes clear that operators of child-directed sites and services are not only responsible for obtaining parental consent for their own online collection of personal information from children, but also for that of third parties, such as advertising networks and social plug-ins, operating on their site.[xiv] Moreover, those third parties that obtain actual knowledge that they are collecting personal information from websites and online services directed to children or from a specific child are also responsible for complying with COPPA.[xv]

Mixed-Audience Sites: The Amended Rule also recognizes a new category of website or online service directed to children known as a mixed-audience site. These are online sites or services that meet the criteria set forth in the Rule for being a website or online service directed to children, but where children are not the primary audience.[xvi] For example, a website may primarily target parents or young teens but also have a younger than 13 audience. The Rule now permits operators of these sites or services to age screen users if they (1) do not collect personal information from any user prior to collecting age information, and (2) prevent the collection, use, or disclosure of personal information from users who identify themselves as younger than age 13 without first complying with the Rule’s parental consent provisions.

Direct Notices and Privacy Policies: The Amended Rule endeavors to provide operators with more guidance about what needs to go in their direct notices to parents, to ensure parents are given the information they need when they need it – at the time they are providing consent. The Rule also streamlines what must go into the operator’s privacy policy, making it easier for users to read, especially on smaller screens.[xvii]

Data Security and Retention: While COPPA has always had a data security provision, the Amended Rule made two important changes. The first change is to specifically require that covered operators only release information to service providers and other third parties who are capable of keeping the information secure, and that they receive assurances that they will do so.[xviii] The Amended Rule also has an added requirement that operators retain personal information collected online from a child only for as long as is reasonably necessary to fulfill the purpose for which the information was collected.[xix]

The FTC is committed to providing consumer and business guidance, and to that end there are many resources available to provide more specific guidance on the COPPA Rule at the FTC’s business center. This site has links to the Amended Rule, a list of “Frequently Asked Questions,” and other guidance documents, including Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business and a 6-minute video that outlines the Amended Rule. Questions about the COPPA Rule can be emailed to coppahotline@ftc.gov.


[i] 15 U.S.C. § 6501-6506.

[ii] Id. §6504.

[iii] See https://www.oag.state.tx.us/oagnews/release.php?id=2288 (Dec. 2007), and http://www.nj.gov/oag/newsreleases12/pr20120606a.html (June 2012).

[iv] See 144 Cong. Rec. S12741 (Oct. 7, 1998) (Statement of Sen. Bryan).

[v] 64 Fed. Reg. 59888 (Nov. 3, 1999).

[vi] 16 C.F.R. Part 312.

[vii] Id.§ 312.4.

[viii] Id.§ 312.5.

[ix] Id. § 312.6, 312.8.

[x] 78 Fed. Reg. 3972 (Jan. 17, 2013).

[xi] 16 C.F.R. § 312.2 (definition of personal information).

[xii] Id. §312.5(c)(7).

[xiii] Id. § 312.2 (definition of Support for the internal operations of the Web site or online service).

[xiv] Id. § 312.2 (definition of Operator).

[xv] Id. § 312.2 (definition of Website or online service directed to children, part (2)); Id. § 312.3.

[xvi] Id. §312.2 (definition of Website or online service directed to children, part (3)).

[xvii] Id. § 312.4.

[xviii] Id. § 312.8.

[xix] Id. § 312.10.

red logo

Kristin Krause Cohen, Division of Privacy and Identity Protection, Federal Trade Commission
Kristin Krause Cohen, Division of Privacy and Identity Protection, Federal Trade Commission

ARCHIVE

SAVE THE DATE

Trial Advocacy Training for OAG-RI

August 4 - 7, 2014
Providence, RI
Contact: Bill Malloy

Intellectual Property Theft Training Seminar: Georgetown, TX

August 4, 2014
Georgetown Communications and Training Building
Contact: Judy McKee

Advanced Trial Techniques and Investigator Training for OAG-FL

August 5 - 8, 2014
Tampa, FL
Contact: Bill Malloy

Intellectual Property Theft Training Seminar: Nashville, TN

August 11, 2014
ROCIC James T. Rogers Training Room
Contact: Judy McKee

Moving into Management for OAG-MO

August 21 - 22, 2014
Jefferson City, MO
Contact: Bill Malloy

Intellectual Property Theft Training Seminar: Sacramento, CA

August 29, 2014
CA DOJ Advanced Training Center
Contact: Judy McKee