The Federal Trade Commission has released its revised final rule implementing the Children’s Online Privacy Protection Act (“COPPA”), which governs (1) operators of websites and online services that are directed to children under the age of 13 and (2) operators of general audience websites or online services that have actual knowledge that a user is under 13.
The Commission retained the “e-mail plus” consent method and supported a number of new parental consent methods, streamlined the notice requirements, and encouraged the use of automatic filtering tools. Although the Commission pushed forward with its proposal to define “personal information” to include persistent identifiers, it also broadened the definition of support for internal operations. Below is a summary of the highlights.
The final rule will become effective July 1, 2013.
- “Operator.” Child-directed sites and services that integrate third-party services (such as ad networks or social plug-ins) will be strictly liable for complying with COPPA, even if they do not themselves collect any personal information. A third-party service provider that collects personal information directly from users of a child-directed site or service will be liable for complying with COPPA only where the third party has actual knowledge that the site is child-directed.
- “Support for internal operations.”
- The Commission expanded the definition to include, for example, maintaining or analyzing the functioning of the site or service, performing network communications, personalizing content, serving contextual advertising or frequency capping, and legal or regulatory compliance. The Commission suggested that these categories should be interpreted broadly to include activities such as intellectual property protection, payment and delivery functions, spam protection, optimization, statistical reporting, or de-bugging.
- The term does not, however, cover behaviorally targeted advertising to a specific child. The Commission stated that operators must obtain parental consent for the collection of persistent identifiers where used to track children over time and across sites or services. Operators “also may not use persistent identifiers to amass a profile on an individual child user based on the collection of such identifiers over time and across different websites in order to make decisions or draw insights about that child, whether that information is used at the time of collection or later.” The Commission cautioned that “the term ‘different’ means either sites or services that are unrelated to each other, or sites or services where the affiliate relationship is not clear to the user.”
- “Personal information.” The definition of “personal information” is greatly expanded under the final COPPA Rule:
- Persistent identifiers. The final rule includes persistent identifiers in the definition of “personal information” where they “can be used to recognize a user over time and across different websites or online services.”
- Screen or user names. The definition includes “a screen or user name where it functions in the same manner as online contact information.”
- Photo, video, and audio files. Photos, videos, and audio files containing children’s images or voices constitute “personal information” for purposes of COPPA.
- Geolocation information. The definition includes geolocation information that is “sufficient to identify street name and name of a city or town.”
- “Website or online service directed to children.”
- The multi-factor test that is used to determine whether a site or service is directed to children has been expanded to include musical content, the presence of child celebrities, and celebrities who appeal to children. The FTC emphasized that “no single factor will predominate over another.”
- The Commission adopted a modified version of its proposal for “mixed audience” sites. Explaining that it “did not intend to expand the reach of the Rule to additional sites and services,” the Commission clarified that it first will apply its traditional multi-factor test to determine whether the site or service (or any portion thereof) is directed to children.
- Where the site or service is directed to children, but does not target children as its primary audience, the operator may use an age screen and obtain consent for users who self-identify as under 13 years old.
- Where the site or service is directed to children, but targets children as its primary audience, the operator must presume that all users are children and provide notice and obtain parental consent for every user, even if that user is a teen or an adult.
- “Collects or collection.” Entities that provide interactive forums, such as chat rooms and message boards, can avoid triggering COPPA’s requirements by deleting personal information from children’s posts before they are made public and from their internal records. The Commission adopted its proposal to replace the current “100 %” deletion standard, which requires all personal information to be removed, with a more flexible “reasonable measures” standard. This change encourages entities to use reasonable filtering technologies to delete or prevent the sharing of personal information in user-generated content.
- Direct Notice To the Parent. The Commission adopted its proposal to make the direct notice to the parent more robust. The final COPPA Rule lists specific items that must be contained in the direct notice to the parent, depending on the circumstances under which the notice is being sent.
- Website Privacy Notice. The FTC streamlined what information must be included to encourage shorter website privacy notices. In addition, the FTC retained its multiple operator exception, which permits an operator to designate and provide the contact information for a single operator who is responsible for responding to parent inquiries, as long as the names of all operators collecting or maintaining personal information through the site or service are listed.
- E-mail Plus. The “e-mail plus” parental consent method has been retained as an acceptable consent method for operators collecting personal information for internal use only.
- New Recognized Methods. The Commission added the following parental consent methods to its non-exhaustive list of pre-approved methods: (1) scan-and-send forms; (2) video conferencing consent; (3) government-issued IDs, such as drivers’ license number or last four digits of the parent’s SSN, which are then checked against an available database; and online payment systems in lieu of credit card information, where the system provides the primary account holder notice of each discrete transaction.
- Other Parental Consent Methods. The Commission also spoke favorably about the following parental consent methods, suggesting that these methods, if properly designed, could meet the statutory standard of being a “reasonable effort (taking into consideration available technology)” to obtain the parent’s consent.
- Electronic or Digital Signatures. The Commission stated that “the Rule would not prohibit an operator’s acceptance of a digitally signed consent form where the signature provides other indicia of reliability that the signor is an adult.”
- Common Consent Methods. The Commission acknowledged that common consent methods, such as those offered across a platform, video game console, or a COPPA safe harbor program, can allow multiple operators to efficiently administer notice and consent.
- New Clearance Procedures for Obtaining Approval of New Parental Consent Methods: Companies may now submit detailed descriptions of proposed parental consent methods to the FTC for their approval. The proposals will be published in the Federal Register for public comment. If approved, the company will benefit from a parental consent “safe harbor.”
- New “Support for Internal Operations” Exception: Where an operator collects a persistent identifier for the sole purpose of providing support for its internal operations, the operator will have no notice or consent obligations.
Confidentiality, Security, and Integrity.
The final COPPA Rule imposes new data security requirements for operators who release children’s personal information to third parties. These operators must inquire about the third party’s security capabilities and, either by contract or otherwise, receive assurances from the third party about how children’s personal information will be protected.
Date Retention Limits.
The FTC added a new requirement that website operators only retain data for as long as reasonably necessary to fulfill the purpose for which it was collected.