Search results for: coppa

In late December 2014, the FTC staff sent China-based mobile app developer BabyBus a letter warning the company that several of its apps may violate the FTC’s Children’s Online Privacy Protection Act (COPPA) Rule. Staff alleged that the apps are marketed for young children and “use cartoon characters to teach children letters, counting, shapes, music, and matching.” The FTC claimed the company must comply with the COPPA Rule’s notice, verifiable parental consent, and other requirements because some of the apps collect precise geolocation information that is shared with third parties, such as advertising networks or analytics companies. The letter warned that staff will review the apps again and encouraged the developer to take steps to comply with COPPA.
Continue Reading FTC Warns Foreign Mobile-App Developer To Comply With COPPA

The Federal Trade Commission (“FTC”) recently reiterated its support for the use of “common consent” mechanisms that permit multiple operators to use a single system for providing notices and obtaining verifiable consent under the Children’s Online Privacy Protection Act (“COPPA”). COPPA generally requires operators of websites or online services that
Continue Reading FTC Denies AgeCheq Parental Consent Application But Trumpets General Support for COPPA Common Consent Mechanisms

Making good on its warnings that mobile apps will be an enforcement priority under the revised Children’s Online Privacy Protection Act (“COPPA”) Rule, the FTC has announced two settlements with mobile app developers:

  1. TinyCo., the developer of several child-directed mobile apps, will pay $300,000 to settle charges that it violated


Continue Reading What the FTC’s Latest COPPA Settlements Mean for Mobile Apps

The FTC staff has posted revisions to three Frequently Asked Questions (“FAQs”) related to obtaining verifiable parental consent under its COPPA Rule. For a comparison of the old and new FAQs, click here.

Although the changes (which include a new FAQ H.16) may appear substantial, they mostly reaffirm the
Continue Reading FTC Staff Updates COPPA FAQs on Verifiable Parental Consent Methods

The staff of the Federal Trade Commission (“FTC”) has released updated guidance on how the Children’s Online Privacy Protection Act (“COPPA”) and its implementing regulations apply to schools and educational online services through revisions to the Frequently Asked Questions (“FAQS”) that are published on the FTC website.  For a comparison between the old and new school FAQs, please click here.  The FAQs constitute informal guidance, but they are useful for understanding how FTC staff interprets COPPA’s application in different contexts.  Here is a brief summary:

  • The revised FAQs do not change the circumstances under which schools can provide verifiable parental consent on behalf of parents, that is, when an operator collects personal information from students “for the use and benefit of the school, and for no other commercial purposes.”  Examples of prohibited commercial purposes include online behavioral advertising and “building user profiles for commercial purposes not related to the provision of the online service” to the school.
  • While the prior FAQs noted that, in such circumstances, operators should provide schools with robust notice about their data collection, use, and sharing practices, the revised FAQs suggest that these disclosures should track the direct notice requirements outlined in the COPPA Rule.  In COPPA FAQ M.1, FTC staff explains that “the operator must provide the school with all the required notices.”

Continue Reading FTC Staff Updates Guidance on “COPPA and Schools” Through Revised FAQs

The Center for Digital Democracy (“CDD”) recently filed requests for investigation with the Federal Trade Commission (“FTC”) claiming that Marvel Entertainment and Sanrio Digital failed to comply with the Children’s Online Privacy Protection Act’s (“COPPA”) notice and consent requirements. 

  • Marvel.  The Marvel filing alleges that Marvelkids.com is a child-directed


Continue Reading Center for Digital Democracy Requests COPPA Investigations of Marvel and Sanrio Digital

The Federal Trade Commission (“FTC”) recently approved a new method of verifiable parental consent — knowledge-based authentication (“KBA”) — as consistent with the requirements of the Children’s Online Privacy Protection Act (“COPPA”).  COPPA generally requires operators of websites or online services that are directed to children under 13 or that

Continue Reading FTC Approves New COPPA Parental Consent Method

Yesterday, the FTC staff released its latest round of updated Frequently Asked Questions (“FAQs”) for its Rule implementing the Children’s Online Privacy Protection Act (“COPPA Rule”).  These new FAQs address the circumstances in which third parties may obtain “actual knowledge” that they are collecting personal information from a child-directed site or service and whether parental consent is needed for child-directed sites and apps that enable user-generated content to be emailed or shared via social media. 

As we previously reported, the FTC enacted sweeping changes to the COPPA Rule in December 2012 that became effective July 1, 2013.  In the last several months, the FTC staff have provided several updates to the informal FAQs. 

“Actual Knowledge” Standard for Third Parties

Third parties such as plugins and ad networks are liable under the new COPPA Rule only if they have actual knowledge that they are collecting personal information from a child under 13 years old or through sites and services that are directed to such children.  Most of the new FAQs try to resolve lingering questions about when a third party has “actual knowledge”:

  1. Third parties can designate specific employees as the points of contact to receive COPPA notices, rather than having actual knowledge imputed to the entire company through any employee.
  2. The third party will not be deemed to have “actual knowledge” — and will have no duty to investigate — if it simply receives a list of URLs of purportedly child-directed websites from which it is collecting personal information. 
  3. If the third party receives “screenshots or other forms of concrete information” about sites on which the third party’s service are integrated, such information could provide actual knowledge:
    • If, based on the screenshots or other concrete information, the third party is “uncertain” whether a site or service is child directed, it ordinarily may rely on representations from the first-party site about whether the site is child-directed.  These representations could be provided in the form of a technological COPPA signal or “flag,” which industry has been working to develop since the idea was proposed by the FTC’s Chief Technologist in a blog post earlier this year. 
    • If, based on the screenshots or other concrete information, it is clear that the site or service is child directed, then any representations made by the first-party site would be overridden and the third party would be deemed to have actual knowledge.

Continue Reading FTC Releases Updated Guidance on New COPPA Rule

The Federal Trade Commission (“FTC”) recently released an additional question and answer as part of its revised COPPA FAQs, which provide guidance on the FTC staff’s interpretations of the rule implementing the Children’s Online Privacy Protection Act (“COPPA”).  As we previously reported, the FTC published substantial revisions to the COPPA FAQs in April in order to account for recent changes to the COPPA rule

New FAQ #80 addresses whether operators must obtain parental consent before sending push notifications.  According to the new FAQ, the “information you collect from the child’s device used to send push notifications is online contact information – it permits you to contact the user outside the confines of your app – and is therefore personal information under the Rule.”  As a result, the FTC explains that the operator will need to obtain parental consent before collecting information from a child’s device in order to send push notifications, unless an exception to COPPA’s parental consent regime applies.  The multiple-contact exception may excuse the operator from the parental consent requirement if the child has consented to receiving push notifications, the operator provides parents with direct notice of the collection and an opportunity to opt out, and the information used to send the push notifications is not combined with other personal information collected from the child.Continue Reading FTC Releases Additional COPPA FAQ to Address Push Notifications

The Federal Trade Commission (FTC) has voted unanimously to retain the July 1, 2013 effective date for its revisions to the rule implementing the Children’s Online Privacy Protection Act (COPPA).  As we previously wrote, the FTC adopted significant revisions to the COPPA rule in December 2012 and established a July

Continue Reading FTC Votes To Retain July 1 Compliance Date for Revised COPPA Rule