Jim Rennie
Sr. Product Counsel | TRUSTe
Today, the FTC announced new amendments to the Children’s Online Privacy Protection Act (COPPA) rules. COPPA focuses on the collection and use of data concerning children under the age of 13. COPPA was first enacted in 2000, the new rule amendments are intended to update the law and bring it in line with current technologies and practices. The new rules go into effect July 1, 2013.
TRUSTe’s COPPA Safe Harbor program has been a leading compliance solution for companies seeking to serve the needs of children and their parents online.
As a leader in online privacy compliance, TRUSTe has always strived to set a bar for certification that is above the bare minimum required. This philosophy helps to smooth the transition sparked by rule changes such as this one, as many of the changes are already incorporated into TRUSTe’s program requirements and our best practice recommendations.
For example: under the new rules, geolocation data will be considered Personal Information which may not be collected without parental consent. Not only has TRUSTe required geolocation data to be treated as Personal Information for several years, we have also required transmission of such information be encrypted in order to enhance consumer safety.
Similarly, under the new rules unique identifiers such as mobile device IDs and IP addresses are considered Personal Information. TRUSTe has been advising our client for some time that our understanding of Personal Information includes exactly these types of identifiers.
The new rule has also added more specific obligations around the areas of data retention, disposal and security. While these are notable additions to the rule, no one engaging in reasonable security practices, or following TRUSTe’s suggested best practices, should consider these requirements unusual.
This isn’t to say that TRUSTe’s program requirements will not change at all in light of the new rules. For instance, under the new rules, photos, videos and audio recordings of children are always considered Personal Information. While TRUSTe always acknowledged the possibility of such media being Personal Information in certain contexts, this new bright line rule is clearly something that will have to be specifically incorporated into our COPPA Safe Harbor program requirements going forward.
Additionally, the new rule expands and clarifies the definition of who is an “operator” subject to the COPPA rules. With this new definition of operator, a number of entities may now become subject to COPPA who may not have been otherwise. This becomes particularly complicated when there is a website that integrates external online services, such as toolbars or plug-ins, which also collect information from children under the age of 13. In these instances, there will be multiple “operators” for each site who are subject to COPPA.
While the FTC has expanded the definition of “operator,” it has specifically allowed for additional activities, which would not trigger the obligations under the rule. Contextual advertising, frequency capping, legal compliance and site analytics are all now permitted activities an “operator” can engage in without triggering the rules requirements. However, it should be noted that behavioral advertising is not one of these permitted activities and requires verifiable parental consent.
Over the coming weeks, TRUSTe will be working to fully analyze the new law, craft appropriate program requirements, and submit them to the FTC for approval.
Perhaps one of the changes TRUSTe is most excited about are the FTC’s new methods for evaluating and approving innovative new consent mechanisms. TRUSTe looks forward to providing our clients with a wide range of consent mechanisms, and being able to push the envelope, while at the same time providing the peace of mind in knowing that the cost of such innovation is not falling out of compliance with the COPPA.
As we prepare to enact the necessary changes to our program requirements, we will be updating our clients regularly. TRUSTe is dedicated to making this transition as painless as possible, and ensuring that we are always at the forefront of online privacy protection.
