The Federal Trade Commission has released its much anticipated revised COPPA FAQs. Although these FAQs are not legally binding, they provide informal guidance to industry on staff’s interpretations of the COPPA Rule.
For the most part, the FAQs reiterate past guidance and emphasize key provisions of the new COPPA Rule and its Statement of Basis and Purpose. However, here are 5 key things that the revised COPPA FAQs clarify:
- Operators are not legally required to obtain parental consent for certain information that was collected before the effective date of the new COPPA Rule and that was not considered “personal information” under the original COPPA Rule. Specifically, parental consent is not required for the following categories of information that were collected before July 1, 2013: (1) photos, videos, and audio files containing a child’s image or voice; (2) screen or user names that function as online contact information (unless the operator combines them with new information after July 1, 2013); and (3) persistent identifiers (unless the operator continues to collect the persistent identifiers or combines them with new information after July 1, 2013). (FAQ 4)
- Operators of child-directed sites and online services that do not target children as their primary audience may not block children from participating in the site or service altogether, although the operator may offer different activities to users based on age. (FAQ 38) This would seem to allow an operator to block the child from all interactive features that could enable the sharing of personal information, as long as the child can continue to use portions of the site that do not require or enable the sharing of personal information.
- Third-party services that are integrated on child-directed sites will be deemed to have “actual knowledge” if, in the future, a formal industry standard or agreed-upon convention is developed under which sites or services signal their child-directed nature to integrated third parties. However, the mere collection of a URL from a child-directed site or service is unlikely to constitute actual knowledge. (FAQ 39) This guidance builds on a blog post published by the FTC’s Chief Technologist, Steve Bellovin.
- An operator of a child-directed site or service does not need to notify parents or obtain parental consent before collecting pictures from children, as long as it either blurs the child’s facial features or prescreens and deletes photos of children before posting them online. (FAQs 43-45) (But don’t forget to scrub for metadata as well — photo metadata that contains precise geolocation information may trigger the COPPA Rule.)
- A third party who is integrated on a child-directed site may rely on the “support for internal operations” exception to support the third-party’s own internal operations. There actually was text in the final COPPA Rule’s Statement of Basis and Purpose supporting this point, but the revised COPPA FAQs make this point crystal clear. (FAQ 77)
In addition, the COPPA FAQs clarify how the COPPA Rule applies in the classroom:
- COPPA FAQ 86 emphasizes that operators who collect, use, or disclose children’s personal information in the school setting “must provide a complete and accurate disclosure regarding what data is collected from children, how it will be used, and with whom it will be shared.”
- COPPA FAQ 87 reiterates that, even if an operator has contracted with a school to provide online services, it must provide parents notice and obtain parental consent if it will use children’s personal information for its own commercial purposes in addition to providing the agreed-upon services to the school.
- COPPA FAQ 88 sets forth a number of questions that schools should ask their service providers, including whether the operator uses or shares information for commercial purposes that are unrelated to the services requested by the school (such as online behavioral advertising or building user profiles for unrelated commercial purposes).
The revised COPPA Rule takes effect on July 1, 2013. Approximately twenty industry organizations have asked the FTC to grant a six-month extension of this deadline so that industry has adequate time to implement unanticipated changes that were adopted in the final COPPA Rule and to incorporate the additional guidance outlined in the revised COPPA FAQs. A coalition of consumer groups, in contrast, have argued that no additional time is needed. Speaking at a seminar hosted by the International Association of Privacy Professionals earlier yesterday, Peder Magee, a senior attorney in the FTC’s Division of Privacy and Identity Protection, declined to comment on whether the extension requests were likely to be granted.