December 19, 2012
The new COPPA Rule goes into effect July 1, 2013. For help with navigating the new FTC Rule, visit www.WiredTrust.com.
After almost 14 years, the Federal Trade Commission has announced important changes to the Children's Online Privacy Protection Act ("COPPA"). COPPA governs what commercial Operators may collect from users they "know" are pre-teens (which would include all users if the Operators direct their products to pre-teens). COPPA also covers communication tools made available to pre-teens, subject to the same caveat regarding targeting pre-teens. Once triggered, the Operator must provide applicable notice to, or obtain applicable consent from, the pre-teens' parents or legal guardians.
While COPPA appears straightforward, compliance can be tricky and some leading corporations have faced fines of $1 million or more. Parry Aftab has advised most of the leading children's properties and companies online since its enactment.
While there is much more to it, in essence the new FTC Rule does
In addition to the more substantive changes, the Rule also contains some minor changes. The "safe harbor" of self-regulatory guidelines remains, but the FTC promises greater oversight of Internet safe harbors.
Does it apply to you?
As before, only companies or third parties that have "actual knowledge" that children 12 and under are interacting with their website or digital property will be covered under the new FTC Rule. Schools continue to retain their double exemption, and non-profits don't fall under the FTC's COPPA jurisdiction.
Otherwise, COPPA applies to all Operators. COPPA defines an "Operator" as "any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce" when the commerce takes place in the United States and its territories, or involves a party in the United States and any other country. (sec. 1302)
The FTC has now also clarified that more fall within the definition of "Operators" than many assumed. COPPA has a very broad reach. The law now also reaches many more marketing and advertising companies than before.
What personal information is covered by the new COPPA Rule?
The new Rule expands the definition of "personal information" to include many more data points and pieces of information than before. It expands the concept of personal data envisioned in COPPA. COPPA includes "individually identifiable information" as: a first and last name; a home or other physical address including street name and name of a city or town; an e-mail address; a telephone number; a Social Security number; as well as information about the child or parents of the child that the website collects from the child online and combines with any of the identifiers listed above. The new FTC Rule expands "personal information" to include new technologies like IP addresses, mobile device identifiers that track users over time and over different online services, photos, videos and geolocation information.
Does it only apply to traditional websites?
It applies, as before, to game operators, mobile app providers, traditional websites, electronic service providers, entertainment service providers, social media companies and most other digital providers that have actual knowledge that preteens are interacting with their property or are targeting preteens or directing their property towards preteens.
The new Rule also clarifies that COPPA applies across digital device platforms to encompass tablets, smartphones, social media, plug-ins and apps directed to young children.
What about parents?
The new Rule relies even more on parental oversight. The FTC recognizes that parents should be the "gatekeepers" for their children's personal identifying information.
The new Rule also encourages innovative ideas in developing ways to engage and inform parents, as well as obtain their consent when required.
At the same time, the FTC expressed continued concern that many mobile apps geared to children's interests collect the young users' personal information without telling children or their parents how marketers, advertisers and other third parties are using their personal data. It recognizes that more governance was required to address the increasingly sophisticated ability of third parties to collect marketing information from Internet users under the age of thirteen in the United States.
What are the enhanced obligations for Operators under the new Rule?
Because regulators were unhappy that certain apps and websites targeted to kids allowed third parties to collect personal information from children through plug-ins without any notice to parents or their consent, they have imposed a higher standard for providers allowing access to collected information to others. (This covers financial service providers in ecommerce sites, or digital tool or plug-in providers for a site, etc.)
The providers must now use reasonable means to confirm adequate security practices for their agents and third-party providers under the new Rule. Specifically, website operators and online service providers must be careful to take reasonable steps to share children's personal information only with companies that can keep it secure and confidential, or risk prosecution under the new and expanded COPPA. The new law requires a higher level of accountability for breaches of stored information. As before, website operators and providers must adopt reasonable procedures for data retention and deletion.
Has everything changed?
It is important to note that most COPPA provisions are unchanged. Email plus remained in effect. (A provision we fought for.)
The actual knowledge standard remains in determining whether a user is underage, and has not been broadened to include "implied" knowledge.
COPPA still permits a single response from an operator to a pre-teen inquiry, even if the email includes personal identifiers like the child's full name and email address.
Likewise, operators are still permitted to ask for parental contact information in order to notify parents about their child's presence on the website without risking COPPA restrictions.
"WiredTrust is one of the most important leaders in the internet safety industry. We are proud to partner with them to help to educate kids and parents about this important topic."
- Dave Finnegan, Chief Information Bear
Build-a-Bear Workshop Inc.
WiredTrust represents the leading social networking, gaming, and family sites on the Internet as well as many sites designed especially for kids. Entertainment and digital media companies come to us when they encounter problems because they know we see solutions and work closely with them to create the safest sites possible.