Since April of 2000, the Children’s Online Privacy Protection Act (COPPA) has been in effect. The purpose of this law is to give parents greater control over what information their children can access over the Internet. In general, the law requires operators of commercial web sites and online services such as mobile apps, network-connected games, online purchasing, VOIP services, Internet-enabled gaming platforms, and location services to provide notice and obtain parent’s consent before collecting personal information from children under the age of 13.
Effective July 1, 2013, the Federal Trade Commission (FTC), citing changes in technology, updated the COPPA Rule and expanded its definition of who and what is covered under COPPA. It is important to know if your company is covered under the new COPPA Rule, what you’re responsibilities are and how to comply with the revised Rule.
The following are some practical definitions and core elements of the new COPPA Rule. This is not legal advice. We do recommend that you visit the FTC website and consult with legal representation to ensure full compliance.
This fact sheet covers:
Under the previous rule, certain factors were considered when deciding if information was directed to
children. For instance:
Under the revised rule, new factors have been added:
COPPA applies to individually identifiable information about a child that is collected online, such as full name, home address, email address, telephone number, Social Security Number or any other information that would allow someone to identify or contact the child. As well as other identifiable information such as hobbies, interests and information collected through cookies or other types of tracking mechanisms.
Under the revised rule, new factors have been added:
Under the previous rule, operators may be liable for agents or service providers. The new Rule expands liability to cover third parties that collect personal information directly from users of the site or service, if the operator benefits. It is not required but it is recommended to advise third parties of this expanded definition.
There is strict liability: please investigate your company’s practices and make arrangements for COPPA compliance. Violations can result in law enforcement actions, including civil penalties, so compliance is required.
This Rule is not meant for platforms that simply offer access for the public to find content provided for any another company. For example, mobile app market providers are not covered under COPPA.
What happens, if for instance, one of your employees, representatives or content providers realizes that your ads are being placed in a child-directed site? Then you have actual knowledge and you must take the following steps.
Under COPPA, if personal information (PI) is collected from children then you are required to provide a direct and online notice to parents with verifiable parental consent (unless exception prevails).
By streamlining the Rule’s online notice requirements, the FTC hopes to encourage operators to provide clear, concise descriptions of its information practices, which may have the added benefit of being easier to read on smaller screens (e.g., those on smartphones or other Internet-enabled mobile devices).
Be sure to include:
Previously, a link to an online notice was acceptable. Now, parents must be provided with a direct notice of the operator’s personal information collection, use and disclosure practices. Certain requirements must be met depending on how and for what purpose information is collected and used:
The regulations include several exceptions that allow operators to collect a child’s email address without getting the parent’s consent in advance, but direct notice is still required to notify parents of what information has been collected and what their choices are regarding information. These exceptions cover many popular online activities for kids, including contests and online newsletters. Prior parental consent is not required:
There is a new compliance option for sites or services that are “directed to children” but not as a primary audience. You may age screen all users and apply the notice and consent requirements only for users who identify themselves as under the age of 13.
Before collecting, using or disclosing personal information from a child, an operator must obtain verifiable parental consent from the child’s parent, including material changes. The operator must give parents the option to consent to use but not disclose to third parties.
How to Obtain Parental Consent – You should make a reasonable effort to obtain a parent’s consent (given available technology, new methods are allowed) by:
You may apply to the FTC to approve new parental consent methods and an app store log-in is not considered sufficient. Additionally, parents have the right to review PI provided by their child.
If you are going to use children’s personal information only for Uinternal purposesU (FTC FAQ I. #5: http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions) then you can use any of the above methods or you can use the “email plus” method of parental consent. “Email plus” allows you to request (in the direct notice sent to the parent’s online contact address) that the parent indicate consent in a return message. Be sure to take an additional confirming step after receiving the parent’s message (this is the “plus” factor), includes:
Security: Operator must have “reasonable procedures” to protect the confidentiality, security, and integrity of PI collected from children.
Retention and Deletion: Operator may retain PI only as long as reasonably necessary, and must delete PI using reasonable measures.
You may apply for approval of a self-regulatory COPPA Safe Harbor Program if it:
There will be an annual audit of members and annual reporting to the FTC which will include aggregate assessment details and any disciplinary actions.
Members may email ANA at firstname.lastname@example.org