The Children’s Online Privacy Protection Act of 1998 (COPPA), which provides a number of rules and regulations with respect to children’s online privacy, recently got an overhaul. The Federal Trade Commission (FTC) amended COPPA in December of 2012 and those amendments are scheduled to take effect starting July 1, 2013.
So what exactly is COPPA? Well, in essence, the Rule allows parents to have control over the information that online websites and mobile applications collect from children who are under 13 years of age. Given the amount of constant change that takes place in the world of technology, the FTC found it necessary to ensure that the COPPA rules keep up with such changes. In a press release issued by the FTC, Chairman Jon Leibowitz said, “I am confident that the amendments to the COPPA Rule strike the right balance between protecting innovation that will provide rich and engaging content for children, and ensuring that parents are informed and involved in their children’s online activities.”
As it stands now, those website and online services operators who are covered by the Rule are required to do the following:
- Describe their information collection practices with regard to kids in a clear and comprehensive posting that is located directly on the website
- Give direct notice to and receive verifiable consent from parents prior to collecting a child’s personal information online
- Provide parents with a choice that will allow them to consent to the website’s collection and internal use of their child’s information, but will prohibit the site operator from sharing that information with outside third parties (unless it’s been made clear to the parents that disclosure is an essential part of the online site)
- Allow parents to review and/or delete their child’s information by ensuring that parents have access to it, and give them the option to keep their child’s personal information from being used or collected in the future
- Keep the information that is collected from children confidential and secure and take additional steps to ensure that any third parties who are permitted to receive such information will do the same
- Only keep a child’s personal information for as long as necessary and then delete it as appropriate to protect against unauthorized use/access
Sounds good as is, right? Well, the amendments take things a step further.
The FTC’s amendments have made changes to the list of various types of personal information that cannot be collected without parental consent and notice. More specifically, the Commission has made it clear that this list will now include photographs and videos of children, as well as geolocation data. It should be noted that those website operators who have previously collected geolocation information without having first obtained parental consent will have seek that consent immediately. However, those operators who have gathered photographs and/or videos prior to the effective date of the amendment will not be required to obtain consent.
The amendments also provide web companies with a more streamlined process for obtaining parental consent. Originally, the Rule required that parental consent be requested by either email or regular mail. However, under the new Rule, the companies can get parental consent through the use of scanned forms, videoconferencing, government-issued IDs and other options.
Another significant change that was made to the Rules closed a loophole that previously permitted child-related mobile apps and websites to allow third parties to gather children’s personal info through the use of plug-ins without notice to parents. Now, site operators who allow such outside services and/or advertising networks to gather personal information from their users can be held liable for the requests made by those third parties. Furthermore, in certain instances, some of those third parties that are aware that they’re collecting info from a child-related site will be required to comply with COPPA Rules as well.
The FTC also extended COPPA Rule coverage to include persistent identifiers, like IP addresses and mobile device IDs. Such identifiers will now be considered “personal information” and accordingly, parental consent will have to be sought prior to collecting such data, with one exception–those operators who use the identifiers to support their own operations and not as a marketing tool will not be required to get parental consent.
Under the original Rule, screen names or user names were only considered to be personal information if they revealed a person’s email address. Now, under the new Rules, both screen and user names will be personal information whenever they act in the same way as online contact information. That means if the names include email address or any other “substantially similar identifier that permits direct contact with a person online,” consent will be required.
Some companies are really concerned about the amendments, particularly smaller companies who have already had to delay various child-related projects anyway. But what about the big players, like Disney? Without a doubt, the amendments will bring about an added expense for businesses and violators will pay–up to $16,000 per violation. There have been hints that smaller companies that make a good faith effort to comply might be given a grace period, but they were already given at least six months to prepare for the changes. Still, the issue for a number of companies will be their interpretation of the Rules. How will they know if they’re doing the right thing? Guess we’ll have to wait and see how this plays out.
For more information on COPPA and online privacy issues see:
- Children’s Privacy (by the FTC)
- Complying with COPPA (by the FTC)
- Electronic Information Privacy Center
- Children’s Internet Protection Act (by the FCC)
- Protecting Our Kids (by Solano County CA District Attorney)