Just in time for Christmas, the Federal Trade Commission (“FTC”) has unveiled its long-anticipated update to the Children’s Online Privacy Protection Rule (“COPPA Rule”).  The COPPA Rule, which has been in place since 1999, imposes a variety of privacy requirements on “operators” of websites and online services that are “directed to children” under 13 or have actual knowledge that they are collecting “personal information” from children.  Among other requirements, such operators must provide notice of their practices and obtain verifiable parental consent before collecting, using, or disclosing personal information from children.

Beginning on July 1, 2013, the COPPA Rule will impose new duties on operators that already fall under COPPA, while also extending the scope of the Rule to reach additional operators that previously fell outside the Rule.  Sites and services that may be affected by these changes will want to reassess their practices in light of this significant rulemaking.

Among other notable changes, the revised COPPA Rule will have the following effects:

  • The COPPA Rule will apply to additional categories of “personal information” such as certain geolocation information; photo, audio, and video files with a child’s image or voice; screen or user names; and persistent identifiers (such as cookies and IP addresses) that can be used to recognize a user over time and across different sites or services.
  • However, under an exception, operators may continue to collect and use persistent identifiers without parental notice and consent for certain internal support purposes.  Although contextual advertising is considered internal support, online behavioral advertising is not.
  • The COPPA Rule will hold first-party sites and services strictly liable for the activities of third parties – such as ad networks and social plug-ins – that collect personal information from their users, if the collection benefits the site or service.
  • In addition, such third-party services will be directly subject to COPPA if they have actual knowledge that they are collecting personal information from a child-directed site or service.
  • Sites and services that are “directed to children” under the COPPA Rule, but do not target children as their primary audience, will have the option of age-screening all users and then obtaining parental notice and consent with respect to those users that identify themselves as being under 13.  In contrast, sites and services that target children as their primary audience must continue to treat all users as children.
  • Operators will be required to comply with new data retention and deletion guidelines, but there is no specific time limit for retention.  In addition, operators that release personal information to third parties will need to take reasonable steps to select third parties capable of providing data security and obtain assurances that they will do so.
  • Operators that choose to participate in FTC-approved safe harbor programs will be subject to annual assessments by the safe harbors, and the safe harbors will report annually to the FTC on aggregate assessment results and any disciplinary actions.
Julia Kernochan Tama

As a co-chair of Venable’s Privacy and Data Security Group, Julia Tama is a trusted advisor and advocate for large and small companies in a dynamic legal area. Julia helps clients resolve privacy and security compliance challenges and zealously defends companies against government inquiries and enforcement actions. Her team is at the forefront of legal issues involving innovative technologies, including artificial intelligence (AI), machine learning, and connected vehicles. She takes a tailored, practical approach rooted in a fluent understanding of relevant technologies and each client’s unique business model and goals.

Emilio W. Cividanes

One of the country’s first privacy lawyers, Milo Cividanes focuses his practice on assisting companies to develop and implement regulatory, government relations, and litigation strategies to preserve and expand their use of data in connection with 21st century business models. He has repeatedly been acknowledged globally as a leading authority on data protection and as an effective problem solver. Milo co-leads the eCommerce, Privacy, and Cybersecurity Group, which has been recognized as one of the top privacy practices and top advertising practices in the United States.

Stuart P. Ingis

Stu Ingis is chairman of Venable. Stu is a nationally recognized attorney who has earned a reputation among peers and the industry as a thought leader in crisis management, privacy, marketing, advertising, consumer protection, eCommerce, and Internet law. Stu’s leadership in developing cutting-edge industry self-regulation and coalition building has placed him at the forefront of privacy and data security regulation and public policy. Clients rely on him as a trusted voice, confidant, and advocate before Congress, the Federal Trade Commission, state attorneys general, and other federal and state agencies.