On December 19, 2012, the Federal Trade Commission announced the adoption of its long-awaited amendments to the Children’s Online Privacy Protection Rule (the “Rule”). The FTC implemented the Rule, which became effective on April 21, 2000, pursuant to provisions in the Children’s Online Privacy Protection Act of 1998 (“COPPA”).
After declining to modify the Rule in 2006, in 2010, the Commission launched an extensive examination of possible changes that resulted in the proposed COPPA Rule amendments released in September 2011. The proposed amendments were intended to reflect the FTC’s commitment to “helping to create a safer, more secure online experience for children” in the face of rapid technological change. Today’s announcement follows multiple rounds of stakeholder comments as well as additional proposed modifications to the Rule which were published in August 2012.
Some of the key changes in the updated Rule are outlined below.
- The definition of “personal information” now includes “geolocation information sufficient to identify street name and name of a city or town” and photographs, videos or audio files “where such file contains a child’s image or voice.”
- The “persistent identifier” element in the definition of personal information has been revised to cover identifiers that “can be used to recognize a user over time and across different websites or online services,” specifically including IP addresses.
- Certain methods for obtaining verifiable parental consent have been expanded and clarified to respond to evolving technology. For example, a signed parental consent form may now be returned to the website operator by “electronic scan” and consent may be provided to “trained personnel via video-conference.” The credit card transaction example includes clarification that the credit or debit card or other online payment system used to verify parental consent must provide “notification of each discrete transaction to the primary account holder.”
- The new Rule adds an exception to the requirement to provide notice and obtain verifiable parental consent where an operator “collects a persistent identifier and no other personal information and such identifier is used for the sole purpose of providing support for the internal operations of the website or online service.” The definition of “support for the internal operations of the website or online service” is limited to seven specific “necessary” activities.
- The amendments include a new requirement that personal information collected from children be retained only “as long as is reasonably necessary to fulfill the purpose for which the information was collected” and deleted “using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.”
- Apps and websites directed at children may not permit third-party collection of children’s personal information through plug-ins unless parental notice is given and consent is obtained, and in some cases such third parties will be responsible for complying with COPPA.
The FTC’s Business Center Blog has posted a five-point guide for businesses to aid their compliance efforts.
The amended rule will become effective on July 1, 2013.