By J. Bradford Currier, Marc Martin, and David Tallman
Providers of online services, websites, and applications directed at children will need to reexamine their policies regarding the collection of information from children in light of new privacy rules issued by the Federal Trade Commission and recently published in the Federal Register. The rules impose new obligations under the Children’s Online Privacy Protection Act (“COPPA”), which generally requires online services and websites to notify parents and obtain parental consent before collecting, using, or disclosing personal information from children under 13 years of age. The revised regulations were announced late last month and represent the result of more than a year-long examination of COPPA by the FTC that produced hundreds of comments from stakeholders. The COPPA revisions are just the latest step for the FTC regarding children’s privacy, which has been the focus of increased enforcement action and staff reports over recent years.
The new regulations revise the COPPA rules in five key areas:
(1) Definition Changes: The new rules expand the definition of online “operators” subject to COPPA to include child-directed sites or services that use third parties, such as plug-ins or advertising networks, to collect personal information from children. However, the FTC clarified that this change is not intended to extend liability to platforms that merely offer access to child-directed apps (such as online application storefronts). In addition, the definition of “personal information” for which parental consent must be obtained now will include location information, as well as photos, videos, and audio files that contain a child’s image or voice.
(2) Permitted Operations: The new rules permit the collection of a child’s personal information through the use of “persistent identifiers,” which recognize users over time and across different websites, for the sole purpose of supporting the online service’s internal operations (e.g., contextual advertising, frequency capping, legal compliance, site analysis, and network communications). Such information, however, cannot be used to contact a specific user, amass a profile on that person, or for any other purpose. Operators also may allow children to participate in interactive communities without parental consent, so long as they take reasonable measures to delete a child’s personal information before it is made public.
(3) “Age Screens”: The new rules distinguish between online services and websites whose primary target audience is children and those directed to a broader audience. While online services and websites whose primary target audience is children must continue to presume that all of their users are children subject to COPPA, the online services and websites directed to a broader audience may implement procedures to “age screen” users and obtain consent only for users who self-identify as under 13 years of age.
(5) Increased Security Measures: The new rules require websites and services to take reasonable steps to ensure that children’s personal information is released only to service providers and third parties capable of maintaining the confidentiality, security, and integrity of such information. The new rules allow the retention of children’s personal information only for as long as reasonably necessary to provide the service and also require operators to securely dispose of the information.
The revised COPPA regulations have drawn a mixed reaction. Some stakeholders have praised the FTC for striking an appropriate balance between privacy and innovation, while others have suggested that increased compliance costs will lead to a decline in online service and mobile application development. Either way, the new rules reaffirm the importance of COPPA compliance and children’s privacy issues to online services.
The revised COPPA rules will take effect on July 1, 2013.