On July 1, 2013, the Federal Trade Commission’s amendments to the Children’s Online Privacy Protection Act Rule (COPPA) became effective.[1] The amendments are aimed at maintaining effective child privacy controls given the rapid technological changes that have occurred since the Commission issued the original COPPA rules in 1999.[2] In practice, the Commission’s changes have expanded the breadth of COPPA and may require immediate action from providers of online services. As with the original version of COPPA, compliance with the amended rule is essential as any violation is treated as an unfair or deceptive act,[3] and subject to penalties of up to sixteen thousand dollars ($16,000) per violation.[4]
In addition to other changes, the Commission’s revisions in three areas in particular are most likely to jeopardize a website or online service operators compliance with COPPA:
(1) The Commission has expanded its definition of “personal information,” and operators are now required to receive parental consent before collecting a greater number of types of data;
(2) the Commission has expanded its definition of “operator” to cover third-party operators, such as ad networks or plug-in developers, when the third-party operators have actual knowledge that they are collecting information from children;
(3) the Commission has modified the procedures it requires operators to follow when notifying parents of the personal information that the operator’s online service collects.
Personal Information
The amended COPPA Rule expands the definition of “personal information” to include the following.
(1) A screen or user name, where the user name serves as online contact information that is substantially similar to an email address.[5] The Commission stated that the definition does not include “single log-in identifiers that permit children to transition between devices,” or anonymous user names that allow for uses such as content personalization, public display on a web site, or filtered chat.[6]
(2) A persistent identifier that can be used over time and across different websites such as cookies, IP addresses or serial numbers.[7] However, the commission has created an exception to this rule for persistent identifier that support the internal operations of the website. This exception extends to the internal operations of affiliated websites that are clearly designated as such.[8]
(3) Any photographs, videos, or audio files that contain a child’s image or voice. Previously, COPPA had only banned these files if they were combined with some other identifier.[9]
(4) Geolocation information sufficient to identify the street name, city name, or town name of the child.[10] However, the Commission does not require a website operator to notify parents and obtain their consent before collecting “coarse geolocation information, tantamount to collecting a ZIP code,” but not any more specific information.[11]
Expansion of COPPA to Third Party Operators
The Commission’s expansion of the definition of “operator” expands the potential liability of operators in two ways. First, the amended language expands the universe of companies that can be considered operators to include third-party operators. Under the amended language, if a third-party operator has actual knowledge that it is collecting personal information directly from users of a child directed site or service, then the third-party operator is bound by COPPA.[12] The Commission has explained that this “actual knowledge” standard is met when either: “(1) [a] child-directed content provider… directly communicates the child-directed nature of its content to the other online service; or (2) a representative of the online service recognizes the child-directed nature of the content.”[13] Second, The revised rule holds operators of child directed websites strictly liable for unauthorized disclosures of personal information to third-party operators (such as advertising networks, or downloadable plug-ins).[14]
Modification of Parental Notice Procedure
COPPA stipulates that operators of child-directed online services must provide two forms of notice concerning their collection of personal information: (1) indirect notice (a privacy policy), and (2) direct notice. Both of these forms of notice have been extensively modified by the amendments.
(1) While the original rules required operators to provide wide-ranging categories of information in their privacy policy, the amended rules require a shorter and more streamlined approach. The privacy policy must state: (i) contact information for all operators and third-parties, (ii) a description of what information the operator collects from children, and (iii) the procedure for parents to review their child’s personal information as well as the process for deleting the data.[15]
(2) In its amended form, COPPA now provides a detailed road map of the information that must be included in the direct notice that is sent to the child’s parents.[16] There are four instances were a direct notice is required or appropriate under the rule.
(i) Where an operator seeks to obtain a parent’s verifiable consent prior to the collection, use, or disclosure of a child’s personal information.
(ii) Where an operator voluntarily seeks to provide notice to a parent of a child’s online activities that do not involve the collection, use or disclosure of personal information.
(iii) Where an operator intends to communicate with the child multiple times via the child’s online contact information and collects no other information.
(iv) Where the operator’s purpose for collecting a child’s and a parent’s name and online contact information is to protect a child’s safety and the information is not used or disclosed for any other purpose.[17]
The amended rule provides a detailed list of the information that must be included within the notice that varies based on the purpose (above i, ii, iii, or iv) of the notice. In addition, this list of required information can be found in Complying with COPPA: Frequently Asked Questions distributed by the Commission, at (C)(11).
Conclusion
The amendments to COPPA subject many new companies to the rule and expand the areas of potential liability for those companies that are already subject to it. In addition to the amendments addressed above, the new COPPA rules require other changes as well. Under COPPA, the Commission has successfully prosecuted a number of companies and imposed significant penalties on those companies that failed to comply with the rule’s requirements. Therefore, any organization that collects personal information from child-directed online services as well as online services that may attract children under the age of 13 should carefully evaluate their privacy policies to ensure that they are in compliance with the amendments to COPPA.
Additional Information
For additional information, please contact:
Jeffrey Kosc at 317.685.6185 or jkosc@beneschlaw.com,
Michael Stovsky at 216.363.4626 or mstovsky@beneschlaw.com or
Mark Avsec at 216.363.4151 or mavsec@beneschlaw.com
[1] Children’s Online Privacy Protection Rule, 78 Fed. Reg. 3972 (Jan. 17, 2013) (to be codified at 16 C.F.R. pt. 312).
[2] Id.
[3] Id. at 4012 (to be codified at 16 C.F.R. § 312.9.
[4]15 U.S.C.S § 45(m)(1)(A) (LexisNexis 2013). But see F.T.C., Complying with COPPA: Frequently Asked Questions, (B)(2)(June 6, 2013), http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions (stating that “[a] court can hold operators who violate the Rule liable for civil penalties of up to $16,000 per violation”).
[5] 78 Fed. Reg. at 4009 (to be codified at 16 C.F.R. § 312.2).
[6] 78 Fed. Reg. at 3979.
[7] 78 Fed. Reg. at 4009 (to be codified at 16 C.F.R. § 312.2).
[8] Id. at 3980.
[9] Id. at 3981.
[10] Id. at 4009 (to be codified at 16 C.F.R. § 312.2).
[11] F.T.C., Complying with COPPA: Frequently Asked Questions, (F)(3)(June 6, 2013), http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions (stating that “[a] court can hold operators who violate the Rule liable for civil penalties of up to $16,000 per violation”).
[12] 78 Fed. Reg. at 4009 (to be codified at 16 C.F.R. § 312.2).
[13] Id. at 3978.
[14] Id. at 4009 (to be codified at 16 C.F.R. § 312.2); Id. at 3975-77.
[15] Id. at 4011 (to be codified at 16 C.F.R. § 312.4(d)); F.T.C. supra note 12, at (C)(2).
[16] F.T.C. supra note 12, at (C)(11).
[17] 78 Fed. Reg. at 4010-11 (to be codified at 16 C.F.R. § 312.4(c)).