Amended COPPA Rule Effective July 1, 2013 | Practical Law

A discussion of key changes to the Children's Online Privacy Protection Rule that become effective July 1, 2013.

Practical Law Legal Update 0-528-9307 (Approx. 5 pages)

by PLC Intellectual Property & Technology
Published on 17 May 2013
USA (National/Federal)
On July 1, 2013, amendments to the Children's Online Privacy Protection Rule (COPPA Rule), the rule implementing the Children's Online Privacy Protection Act (COPPA), take effect. The FTC adopted the amendments in December 2012 to ensure the COPPA Rule continues to serve its intended purpose as technology and the ways children use the internet evolve. The amended rule takes into account children's increased use of mobile technology and social media.
The amendments broaden and clarify companies' obligations and give parents more control over the personal information that websites and online services may collect from children under 13 years of age. Among other changes, the amendments expand both:
  • The universe of companies subject to COPPA's requirements.
  • The categories of information considered personal information under COPPA.
To minimize the risk of COPPA violations, operators of online services that collect information from children should carefully review the new COPPA Rule and their information practices and take any steps necessary to comply before July 1, 2013.

Information Collection by Third-party Services

The amended COPPA Rule is explicit that where a child-directed service integrates third-party services, including ad networks and plug-ins, that collect information from the service's visitors, the COPPA Rule covers both:
  • The operator of the child-directed website or service.
  • The outside service if it has actual knowledge that it is collecting personal information through a child-directed website.
Therefore, to avoid liability, companies that include third-party advertising and other materials in their child-directed websites and services must ensure they understand these third parties' information collection practices and either:
  • Prohibit third parties from collecting information from their website visitors.
  • Ensure they comply with all of COPPA's requirements for the third parties' information collection.
The FTC staff recommends that child-directed services operators signal their status and work with the third parties to provide adequate COPPA protections.

Expanded Definition of Personal Information

The amended COPPA Rule adds four new categories of information to its definition of personal information to include:
  • Screen or user names that function in the same way as an e-mail address or other online contact information.
  • Geolocation information that can identify a street name and town or city name.
  • A persistent identifier that can track a user over time and across different websites or online services such as:
    • a customer ID stored in a cookie;
    • an IP address; or
    • a unique device identifier.
  • A photograph, video or audio file that contains a child's image or voice.
The amendments also make clear that the COPPA Rule applies, with certain exceptions:
  • Regardless of whether information is required or voluntary.
  • To passive online tracking.
  • Where the service enables a child to publicly post personal information.

COPPA Rule Compliance

Companies subject to COPPA should also review and if necessary modify their privacy disclosures and practices for children's personal information to ensure they comply with the COPPA Rule's new compliance obligations. In addition to expanding the COPPA Rule's scope, the amendments:
  • Modify notice requirements for both:
    • online privacy policies; and
    • direct notices to parents.
  • Strengthen data security requirements, including when releasing children's personal information to service providers.
  • Impose data retention and deletion obligations.
For sample data protection clauses when contracting with third parties that may have access to children's information, see Standard Clauses, Data Security Contract Clauses for Service Provider Arrangements (Pro-customer). For information on privacy issues involved with mobile apps, including children's privacy, see Practice Note, Mobile App Privacy: The Hidden Risks. For guidance on developing practices and policies for protecting personal information, including children's information, see Common Gaps in Information Security Compliance Checklist.