Children's Online Privacy Protection Act

The FTC staff has posted revisions to three Frequently Asked Questions (“FAQs”) related to obtaining verifiable parental consent under its COPPA Rule. For a comparison of the old and new FAQs, click here.

Although the changes (which include a new FAQ H.16) may appear substantial, they mostly reaffirm the
Continue Reading FTC Staff Updates COPPA FAQs on Verifiable Parental Consent Methods

Last weekend at South by Southwest (“SXSW”) Interactive, a panel promoted the notion that it is in fact possible to harmonize innovation with kids’ privacy in the app space, but that doing so involves “a lot of work.”  In particular, the panel suggested that it takes a conscious desire on the part of app developers to create brands and interfaces that build in transparency, with the specific purpose of inspiring parent trust.  The panel featured Lorraine Akemann, Co-Founder of Moms with Apps; Elana Zeide, Privacy Research Fellow at New York University’s Information Law Institute; and moderator Sara Kloek, Director of Outreach at the Association for Competitive Technology.  It was one of the few privacy events at SXSW Interactive focused on children.Continue Reading Covington at #SXSW: Can Innovation and Kids’ Privacy Coexist?

The FTC has denied AssertID’s request to recognize a new method for obtaining verifiable parental consent for the online collection, use, and disclosure of personal information from children under 13.  The application was the first of its kind to be filed since the FTC added a voluntary parental consent approval process

Continue Reading FTC Denies First Request For More Flexible Parental Consent Methods

The Federal Trade Commission (“FTC”) recently released an additional question and answer as part of its revised COPPA FAQs, which provide guidance on the FTC staff’s interpretations of the rule implementing the Children’s Online Privacy Protection Act (“COPPA”).  As we previously reported, the FTC published substantial revisions to the COPPA FAQs in April in order to account for recent changes to the COPPA rule

New FAQ #80 addresses whether operators must obtain parental consent before sending push notifications.  According to the new FAQ, the “information you collect from the child’s device used to send push notifications is online contact information – it permits you to contact the user outside the confines of your app – and is therefore personal information under the Rule.”  As a result, the FTC explains that the operator will need to obtain parental consent before collecting information from a child’s device in order to send push notifications, unless an exception to COPPA’s parental consent regime applies.  The multiple-contact exception may excuse the operator from the parental consent requirement if the child has consented to receiving push notifications, the operator provides parents with direct notice of the collection and an opportunity to opt out, and the information used to send the push notifications is not combined with other personal information collected from the child.Continue Reading FTC Releases Additional COPPA FAQ to Address Push Notifications

The Federal Trade Commission has sent letters to more than 90 different companies who develop mobile apps that the FTC claims may be directed to children.  The letters emphasize that the FTC has not evaluated the apps or the companies’ practices to determine if they comply with the current or revised

Continue Reading FTC Reminds Mobile App Developers To Comply With Revised Children’s Privacy Requirements By July 1

The Federal Trade Commission has released its much anticipated revised COPPA FAQs.  Although these FAQs are not legally binding, they provide informal guidance to industry on staff’s interpretations of the COPPA Rule. 

For the most part, the FAQs reiterate past guidance and emphasize key provisions of the new COPPA Rule and its Statement of Basis and Purpose.  However, here are 5 key things that the revised COPPA FAQs clarify:

  1. Operators are not legally required to obtain parental consent for certain information that was collected before the effective date of the new COPPA Rule and that was not considered “personal information” under the original COPPA Rule.  Specifically, parental consent is not required for the following categories of information that were collected before July 1, 2013:  (1) photos, videos, and audio files containing a child’s image or voice; (2) screen or user names that function as online contact information (unless the operator combines them with new information after July 1, 2013); and (3) persistent identifiers (unless the operator continues to collect the persistent identifiers or combines them with new information after July 1, 2013).  (FAQ 4)
  2. Operators of child-directed sites and online services that do not target children as their primary audience may not block children from participating in the site or service altogether, although the operator may offer different activities to users based on age. (FAQ 38) This would seem to allow an operator to block the child from all interactive features that could enable the sharing of personal information, as long as the child can continue to use portions of the site that do not require or enable the sharing of personal information. 
  3. Third-party services that are integrated on child-directed sites will be deemed to have “actual knowledge” if, in the future, a formal industry standard or agreed-upon convention is developed under which sites or services signal their child-directed nature to integrated third parties.  However, the mere collection of a URL from a child-directed site or service is unlikely to constitute actual knowledge.  (FAQ 39)  This guidance builds on a blog post published by the FTC’s Chief Technologist, Steve Bellovin.
  4. An operator of a child-directed site or service does not need to notify parents or obtain parental consent before collecting pictures from children, as long as it either blurs the child’s facial features or prescreens and deletes photos of children before posting them online.  (FAQs 43-45)  (But don’t forget to scrub for metadata as well — photo metadata that contains precise geolocation information may trigger the COPPA Rule.)
  5. A third party who is integrated on a child-directed site may rely on the “support for internal operations” exception to support the third-party’s own internal operations.  There actually was text in the final COPPA Rule’s Statement of Basis and Purpose supporting this point, but the revised COPPA FAQs make this point crystal clear.  (FAQ 77)

In addition, the COPPA FAQs clarify how the COPPA Rule applies in the classroom:Continue Reading FTC Releases Revised COPPA FAQs: Here’s What’s New

Path, a social networking mobile app, has agreed to enter into a settlement with the Federal Trade Commission (“FTC”) regarding charges that the company deceived consumers by collecting contact information from users’ mobile address books without notice and consent.  The agreement also resolves charges that the company violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting personal information from children under  13 years old without parental notice and consent.  Path did not admit any liability by entering into the consent decree, which is for settlement purposes only.

The FTC alleged that the Path application included an “Add Friends” feature that allowed users to make new connections within the app.  Users were given three options when using the “Add Friends” functionality:  “Find friends from your contacts,” “Find Friends from Facebook,” or “Invite friends to join Path by email or SMS.”  Regardless of which option was chosen, Path automatically collected and stored contact information from the address book on the user’s mobile phone.  The FTC argued that this practice was contrary to representations made in the company’s privacy policy that only certain technical information, such as IP address, browser type, and site activity information, was automatically collected from the user.  Under the settlement, Path agreed to implement a comprehensive privacy program and obtain biennial, independent privacy assessments for the next twenty years. Continue Reading FTC Settles Deception, COPPA Charges Against Social Networking App Path

Yesterday, two Federal Trade Commission (“FTC”) attorneys addressed several key issues raised by the Commissions’ revised final rule implementing the Children’s Online Privacy Protection Act (“COPPA”).  Speaking at a webinar sponsored by the International Association of Privacy Professionals, Mamie Kresses and Phyllis Marcus, both senior attorneys at the FTC who focus on COPPA issues, discussed when a third-party service obtains “actual knowledge” that it is integrated on a website or service directed to children, whether the final rule’s “primary audience” distinction in the definition of child-directed sites expands the scope of COPPA-covered entities, and how certain COPPA provisions apply to companies that collect persistent identifiers only for support for internal operations.  Ms. Kresses and Ms. Marcus also emphasized that, under the revised final rule, “more companies will have to have the COPPA moment,” where they reassess their online offerings to determine whether they are child-directed and therefore subject to COPPA.  In order to address the many issues raised by the revised final rule, industry can expect further guidance from the FTC leading up to the July 1, 2013 effective date, including updates to the COPPA Frequently Asked Questions on the FTC’s website.

Actual Knowledge for Third Party Services

Under the revised final rule, third party services, such as plug-ins and ad networks, are subject to COPPA if they have actual knowledge that they are collecting information on a website or service directed to children.  In order to address uncertainty about when a third party will be deemed to have obtained “actual knowledge,” the FTC’s Statement of Basis and Purpose for the revised COPPA rule suggests that actual knowledge may be obtained when (1) a child directed content provider directly communicates the child-directed nature of its content to the third party service, or (2) a representative of the online service recognizes the child-directed nature of the content.Continue Reading FTC Attorneys Offer Guidance On New COPPA Rule

The U.S. took the lead in legislating privacy rights for children and parents in the Children’s Online Privacy Protection Act more than a decade ago.  Now the European Union has proposed including privacy protections for children in the Data Protection Regulation under discussion, and Latin American countries have included regulation
Continue Reading The International Privacy Rights of the Child: A Computers, Freedom & Privacy Mini-Conference