Just in time for Christmas, the Federal Trade Commission (“FTC”) has unveiled its long-anticipated update to the Children’s Online Privacy Protection Rule (“COPPA Rule”). The COPPA Rule, which has been in place since 1999, imposes a variety of privacy requirements on “operators” of websites and online services that are “directed to children” under 13 or have actual knowledge that they are collecting “personal information” from children. Among other requirements, such operators must provide notice of their practices and obtain verifiable parental consent before collecting, using, or disclosing personal information from children.
Beginning on July 1, 2013, the COPPA Rule will impose new duties on operators that already fall under COPPA, while also extending the scope of the Rule to reach additional operators that previously fell outside the Rule. Sites and services that may be affected by these changes will want to reassess their practices in light of this significant rulemaking.
Among other notable changes, the revised COPPA Rule will have the following effects:
- The COPPA Rule will apply to additional categories of “personal information” such as certain geolocation information; photo, audio, and video files with a child’s image or voice; screen or user names; and persistent identifiers (such as cookies and IP addresses) that can be used to recognize a user over time and across different sites or services.
- However, under an exception, operators may continue to collect and use persistent identifiers without parental notice and consent for certain internal support purposes. Although contextual advertising is considered internal support, online behavioral advertising is not.
- The COPPA Rule will hold first-party sites and services strictly liable for the activities of third parties – such as ad networks and social plug-ins – that collect personal information from their users, if the collection benefits the site or service.
- In addition, such third-party services will be directly subject to COPPA if they have actual knowledge that they are collecting personal information from a child-directed site or service.
- Sites and services that are “directed to children” under the COPPA Rule, but do not target children as their primary audience, will have the option of age-screening all users and then obtaining parental notice and consent with respect to those users that identify themselves as being under 13. In contrast, sites and services that target children as their primary audience must continue to treat all users as children.
- Operators will be required to comply with new data retention and deletion guidelines, but there is no specific time limit for retention. In addition, operators that release personal information to third parties will need to take reasonable steps to select third parties capable of providing data security and obtain assurances that they will do so.
- Operators that choose to participate in FTC-approved safe harbor programs will be subject to annual assessments by the safe harbors, and the safe harbors will report annually to the FTC on aggregate assessment results and any disciplinary actions.