FTC Updated COPPA Regs In Effect, Warning Letter Issued

The Children’s Online Privacy Protection Act (COPPA) generally provides that websites that target children must obtain parental consent before collecting personal information from children under the age of 13.  Website operators covered by COPPA must:

  1. Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;
  2. Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
  3. Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
  4. Provide parents access to their child’s personal information to review and/or have the information deleted;
  5. Give parents the opportunity to prevent further use or online collection of a child’s personal information;
  6. Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
  7. Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the  information using reasonable measures to protect against its unauthorized access or use.

The Federal Trade Commission’s has updated its regulations under COPPA which went into on July 1st.  The FTC already has issued warning letters under the revised rules to app developers.

See following post with source documents on COPPA, the amended regulations etc.

1.  Definitions

The new rules make clear that a site is directed at children when it has a “disproportionately large” percentage of children in its audience would now be “directed to children.”  The amended rule also changes what is personal information to include:

  • First and last name;
  • A home or other physical address including street name and name of a city or town;
  • Online contact information;
  • A screen or user name that functions as online contact information;
  • A telephone number;
  • A social security number;
  • A persistent identifier that can be used to recognize a user over time and across different Web sites or online services;
  • A photograph, video, or audio file, where such file contains a child’s image or voice;
  • Geolocation information sufficient to identify street name and name of a city or town; or
  • Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.

2.  Changes to what operators need to tell parents.  In the notice that operators must send directly to parents before collecting personal info from their kids, the new Rule puts key information up front.  That “just in time” notice makes it easier for Moms or Dads to get the details they need, when they need them.  The Rule also streamlines what operators have to put in their online privacy policies about their information practices.  An added benefit:  To-the-point privacy policies are easier to read on smaller screens.

3.  New ways companies can get parental consent.  In addition to the already approved methods, the new Rule offers more ways businesses can get parents’ OK: electronic scans of signed parental consent forms, videoconferencing, use of government-issued ID, and alternative payment systems (assuming they meet the same stringent criteria as credit cards).  The sliding scale mechanism of parental consent — often called “email plus” — remains an acceptable method for operators collecting personal info just for internal use.  To encourage innovation in this area, the new Rule establishes a voluntary 120-day notice and comment process for businesses to get FTC approval for other methods.  In addition, operators that participate in an FTC-approved safe harbor program can use a method allowed under that program.

4.  Stronger provisions to keep kids’ information confidential and secure.  Under the new Rule, operators must take reasonable steps to make sure that before releasing information to service providers and third parties, those companies are capable of maintaining the confidentiality, security, and integrity of the information — and that they give assurances they’ll follow through. The Rule also requires that operators retain kids’ personal information for only as long as is reasonably necessary and that when they dispose of it, they’ll take reasonable measures to protect against unauthorized access.

5.  Additional monitoring of self-regulatory safe harbors.  The new Rule strengthens the FTC’s oversight of safe harbor programs, requiring them to audit their members and report the combined results of those audits annually to the FTC.

FTC Safe Harbor Programs include: