In one month, on July 1, 2013, the Federal Trade Commission’s most recent amendments to its Children’s Online Privacy Protection Act Rule (“COPPA Rule”) will go into effect. These changes include a variety of requirements intended to keep up with advances in technology and how children interact with mobile apps and websites. The amendments to the COPPA Rule are primarily focused on the collection of personal information from children under the age of 13, and include changes to the types of information covered by the rule, the methods for obtaining parental consent for collection of personal information, and additional restrictions on how that personal information can be shared among companies who use such information in their business. The amendments to the COPPA Rule:
- modify the list of personal information that cannot be collected without parental notice and consent, which includes geolocation information, photos, videos and audio files that contain a child’s image or voice;
- establish a “streamlined” approval process for proposed new methods for obtaining parental consent;
- require parental consent where the app or website allows third parties to collect personal information from children through plug-ins, and in some cases require those third parties to comply with COPPA as well;
- extend COPPA to cover persistent identifiers (such as IP addresses and mobile device IDs) which recognize users over time and across different services or websites;
- increase data security protection by requiring operators of apps and websites to take steps to release children’s personal information only to other companies that can keep that information secure and confidential;
- require that app and website operators adopt reasonable procedures for data retention and deletion; and
- provide increased FTC oversight concerning self-regulatory safe harbor programs.
The new requirements imposed by the amendments will no doubt require some app and website operators to modify their business practices to comply with the COPPA Rule. These amendments close several loopholes and clarify previously gray areas regarding the types of operators, services and personal information that fall within the Rule’s ambit. For apps and websites clearly directed to children under 13, the amendments provide an enhanced set of protections that appear to further COPPA’s overarching goal of creating a safer and more secure online experience for children.
A bit murkier is the effect of the amendments regarding apps and websites that cater to a more general audience. The amended COPPA Rule employs an “actual knowledge” standard, and requires compliance with its requirements when an operator or service provider has actual knowledge that they are collecting personal information through a child-directed app or website. Apps and websites that target a more general audience, where children are not the primary users, are only required to provide notice and obtain parental consent for those users who identify themselves as being younger than 13. Further, third parties (like plug-ins and ad networks) will be deemed to have the requisite “actual knowledge” if the child-directed nature of the content is directly communicated to that third party by the content provider, or if a representative of the third party service “recognizes” the child-directed nature of the content.
Time will tell how these and other issues potentially created by the new amendments to the COPPA Rule will play out. But for now, given the continuing exponential growth in the number of children using computers and mobile devices for education and entertainment, every app and website operator must take notice of the Rule’s new requirements. App and website operators must ensure that their practices, and the practices of the third parties they have integrated or with whom they share user’s personal information, are updated to comply with the new COPPA Rule once it takes effect on July 1.
(This article is cross-posted with the Data Privacy Monitor.)