Do you target children or a youth demographic online? Perhaps you’ve developed or are marketing a mobile app that appeals to a youth market? If so, you should be aware of the Children’s Online Privacy Protection Act (COPPA) – a federal ruling enforced by the Federal Trade Commission (FTC) that gives parents control over what personal information websites can collect from children under the age of 13.
The COPPA Rule recently underwent an important overhaul of which online marketers need to be aware. The revised rule (which goes into effect in July 2013) puts additional protections in place and streamlines other procedures that companies covered by the rule must follow.
If you run a website or mobile app designed for children or collect any kind of information from someone you know is under 13, here’s what you need to know about the revisions to COPPA:
Key COPPA principles remain unchanged
Most of the key requirements of COPPA haven’t changed. You must still give notice to parents and get their verifiable consent before collecting, using or disclosing personal information from children under 13. You must keep collected data secure and you can’t request that a child disclose more information than is reasonably necessary in exchange for participation in an activity.
Expansion of who is covered by COPPA – Plug-Ins and advertising come under the spotlight
If you operate a child-directed website and you allow outside services—including plug-ins (like YouTube videos) or advertising networks—to collect personal information from visitors, you will be required to comply with COPPA. This means you will need to provide notice and get parental consent for any user who identifies themselves as under 13, before the third party can collect the child’s information. In effect, the FTC will now hold you, as the site owner or operator, liable for any personal information requests made by these third parties.
According to the FTC, this “close(s) a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent.”
In addition, plug-in or ad network operators who have actual knowledge that they are collecting personal information through a child-directed website or service must also comply with COPPA.
What constitutes personal information has changed
Under the new Rule, the types of personal information that cannot be collected from children under 13 (without parental consent) have expanded to include geolocation information, as well as photos, video and audio that contain a child’s image.
In addition, persistent identifiers (such as cookies, IP addresses and mobile IDs) that can be used to recognize a user over time and across different websites or online services are also now considered personal information and parental consent must be obtained before collecting this data. If, however, you use persistent identifiers solely to support the internal operations of your site or service, rather than for marketing purposes, parental consent is not required.
Certain information collection is now permitted in “support for internal operations”
COPPA now allows businesses to apply for formal approval to collect certain information if it is used in “support for internal operations.” Permitted activities include contextual advertising, frequency capping, site analysis and more. However, you can’t use the information collected to contact a specific person through behavioral advertising or to amass a profile on that person for any other purpose – without parental consent.
Changes to how businesses get parental consent
COPPA has always required that parental consent must be requested via email or postal mail. The new Rule requires that key information (such as how the information will be used) is displayed up front in that notice so that parents can get the details they need quickly.
The new Rule also offers more ways for businesses to get the “OK” from parents (for more details of what was previously acceptable read the Direct Notice to Parents section of the FTC’s How to Comply with COPPA). These include scans of parental consent forms, videoconferencing, use of a government-issued ID and more.
Stronger provisions to keep kids’ info secure and confidential
Before releasing information to service providers and third parties, site operators must take reasonable steps to make sure these companies are capable of maintaining the confidentiality, security and integrity of that information – with assurances that they’ll follow through. In addition, you are now only allowed to retain kids’ personal information for as long as is reasonably necessary, and must ensure that it is disposed of securely.
Safe harbor programs to get more oversight
COPPA previously allowed industry groups to create self-regulatory programs that governed member-compliance with COPPA. The new Rule strengthens the FTC’s oversight of these programs with new auditing capabilities.
More Information
For more information about all these changes, read the FTC’s December 2012 press release and refer to the site’s Child Privacy Guide for more tips and insights.
It is highly recommended that you discuss any concerns you have about COPPA compliance with a lawyer. The new rules are complex and have consequences beyond the content that you create or originate on your business website or online service. You can also email your questions to CoppaHotLine@ftc.gov.