When it comes to information that companies collect online from kids under 13, parents should be in control. That’s the thinking behind the Children’s Online Privacy Protection Act and the COPPA Rule. The Rule has been in place for years, but the Federal Trade Commission, the nation’s consumer protection agency, has revised COPPA to keep pace with technology.
If your company has been complying with COPPA, the basics still apply. You still have to give notice to parents and get their verifiable consent before you collect, use, or disclose personal information from children under 13. You still have to keep kids’ information secure. And the revised COPPA Rule retains safe harbor provisions so that groups can submit programs for FTC approval. But five key changes to COPPA take effect July 1, 2013. Here’s what your business needs to know.
I’m Peder Magee, an attorney with the FTC. So what’s new about COPPA? The first important change is that the FTC has revised some definitions to expand who’s covered by COPPA – and the kinds of information that require companies to comply with the Rule.
The Rule has always applied if you operate a website, an online service, or an app directed to children under 13. It also applies if you have a site, a service, or an app directed to a general audience, and you have actual knowledge that you’re collecting personal information online from kids in that under-13 age group.
Revisions to the Rule make it clear that COPPA also covers an operator of a child-directed site or service where it allows outside services — like plug-ins or advertising networks — to collect personal information from visitors. In addition, if a plug-in or ad network has actual knowledge that it’s collecting personal information through a child-directed site or service, the plug-in or ad network is covered by COPPA, too.
The upshot: The Rule applies to companies that may be new to COPPA compliance.
The FTC also has revised the definition of the types of information COPPA covers. The Rule has always applied if companies collect certain kinds of personal information from kids under 13 – like their first and last name, a home address, a phone number, an email address, online contact information, or a screen or user name that functions as online contact information.
But the FTC has clarified that definition. The COPPA Rule covers geolocation information that can identify a street name and the city or town. And we’ve expanded the Rule to include photos, videos, and audio files that contain a kid’s image or voice as well.
Something else covered under the revised COPPA Rule: persistent identifiers that can be used to recognize a user over time and across different sites or online services. But there’s a notable exception here: COPPA’s parental notice and consent requirements don’t apply if the identifier is used just to support your site’s internal operations. Take a look at the Rule for more about the meaning of “internal operations” in this context.
The third change involves new ways to get the parental consent COPPA requires. In addition to the methods already in the Rule – including FTC-approved safe harbor programs – COPPA now gives businesses more ways to get a parent’s OK: for example, electronic scans of signed consent forms, videoconferencing, the use of government-issued IDs, and alternative payment systems (assuming they meet the same stringent criteria as credit cards). The sliding scale mechanism of parental consent — often called “email plus” — is still an acceptable method for operators that collect personal information just for their own internal use. Technology changes quickly, so to encourage innovation in this area, the revised Rule sets up a voluntary process for businesses to get FTC approval for other methods of parental consent.
The fourth change strengthens provisions for keeping kids’ information confidential and secure. Under the revised Rule, operators must take reasonable steps to make sure that before releasing information to service providers or other third parties, those companies are capable of maintaining the confidentiality, security, and integrity of the information. It’s not enough if they just talk the talk. You also need to get assurances they’ll follow through. Under COPPA, you can retain kids’ personal information only as long as it’s reasonably necessary. And when you dispose of it, you have to take reasonable steps to protect against unauthorized access.
The fifth change to COPPA deals with additional monitoring of self-regulatory safe harbors. The new Rule strengthens the FTC’s oversight of safe harbor programs. It requires them to audit members and report the combined results of those audits to the FTC every year.
That’s just a brief recap of changes to COPPA. For compliance resources, visit the Children’s Privacy page on the FTC Business Center at business dot ftc dot gov. For more how-to guidance, read the Children’s Online Privacy Protection Rule: What Your Business Needs to Know and Complying with COPPA: Frequently Asked Questions. Have a question that’s not answered there? Send us an email at CoppaHotLine at ftc dot gov.