Comprehensive new COPPA regulations fall under the enforcing arm of the Federal Trade Commission (FTC), and the COPPA amendments are designed to strengthen online privacy protection for children under 13 and bolster parents’ control over their children’s online activities. The following are important changes to note for web operators:
- COPPA now applies to a broader range of online entities, and not merely website operators;
- Key definitions such as “personal information,” and “website or online service directed to children,” are substantially expanded;
- The parental notice and consent requirements are becoming more burdensome;
- Data solely for internal use is subject to some exceptions;
- Safe harbor members are now subject to comprehensive annual audits.
Now in greater detail:
1. COPPA Applies to a Large Group of Online Actors, not just the Website Operators
COPPA now applies to:
- Mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads)
- Internet-enabled gaming platforms
- Advertising networks
- Internet-enabled location-based services
- Voice-over-Internet-Protocol (VoIP) services
2. A Broader Definition of “Personally Identifiable Information”
Since 2000, the definition of “personally identifiable information” has included names, home addresses, and email addresses. It now also includes photos, videos, or audio recordings of a child, the child’s geolocation data, and even IP addresses.
Even screen or user names that “function as online contact information, and persistent identifiers, such as cookies” fall into the “personally identifiable information” definition.
3. The “Actual Knowledge” Standard
Only those online entities that have “actual knowledge” that one of their users is under 13 must comply with the COPPA requirements.
The actual knowledge standard will likely be met in most cases when either (1) you collect your users’ date of birth or (2) the underlying website operator qualifies as a Child-Directed Content Provider (see below).
Therefore, websites other than Child-Directed Content Providers that refuse access to users who self-identify as being older than 13 will probably be in the clear.
4. Child-Directed Content Provider Includes Related Third Parties
A website or third party service-provider that targets children as its primary audience is deemed a Child-Directed Content Provider. Also, third parties that have actual knowledge that the primary websites are directed to children are themselves deemed to be online services directed to children.
A website or third party service-provider will most likely avoid COPPA regulation if (1) it does not target children as its primary audience and (2) an age-screen mechanism is in place on the primary site, before personal information is collected.
5. Parental Actual Consent
COPPA requires operators to obtain actual parental consent before collecting data from children under 13.
Acceptable Actual Consent methods include having the parent perform any of the following actions:
- Sign a consent form and send it back to you via fax, mail, or electronic scan;
- Use a credit card, debit card, or other online payment system that provides notification of each separate transaction to the account holder;
- Call a toll-free number staffed by trained personnel;
- Connect to trained personnel via a video conference; or
- Provide a copy of a form of government issued ID that you check against a database, as long as you delete the identification from your records when you finish the verification process.
6. Internal Use Data (e.g., Cookies) Subject to Looser Requirements
The regulations note that: “[N]o parental notice and consent is required when an operator collects a persistent identifier for the sole purpose of supporting the website or online service’s internal operations, such as contextual advertising, frequency capping, legal compliance, site analysis, and network communications.”
Another notable exception to the stricter parental consent requirement applies when the children’s personal information is used for internal purposes only (which is narrowly defined). In that case, the operator need only obtain parental consent from the parent via e-mail. This remains burdensome, but less so than the consent requirement that would otherwise apply.
7. “One Entity Rule” Puts the Responsibility on The Primary Operators
Although your affiliates, advertisers, and other plugin owners present on your site have their own duty to comply with COPPA, the new amendments put the responsibility on the primary operator (the underlying website or mobile app) to obtain parental consent when personal information is collected through the primary operator’s site. That means a website is responsible for obtaining consent from a user’s parent not only for its own data collection, but also for the collection carried out by its affiliates or any other third parties collecting information on its site.
Note also that the primary operator is under such duty even if the primary website does not itself collect any user information.
Thus, the loophole that previously allowed avoiding parental consent obligations by outsourcing data collection to third parties has been effectively closed.
8. The Primary Operator Must Tell Parents Who Collects Their children’s Personal Information
The primary operator must list all other operators that collect children’s personal information through its website or app, and its notice to parents must also state:
- That you won’t require a child to disclose more information than is reasonably necessary to participate in an activity;
- That they can review their child’s personal information, direct you to delete it, and refuse to allow any further collection or use of the child’s information;
- That they can agree to the collection and use of their child’s information, but still not allow disclosure to third parties unless that’s part of the service (for example, social networking); and
- The procedures to follow to exercise their rights.
10. Safe Harbors Provisions
Safe harbor program members are now subject to comprehensive annual audits, unlike in the past, when “periodical reviews” had no set date. One safe harbor program, the Children’s Advertising Review Unit (CARU), counts Marvel Entertainment and the Dannon Company, Inc., among its members.
Although the breadth of the new COPPA regulations is intimidating and requires time and effort (60 hours per company according to FTC estimates), coming into compliance is doable. And although the price tag for non-compliance is hefty ($16,000 and up per violation), the FTC has already signaled that good faith efforts to comply will be well-received, at least for the first few months.