FTC's revised COPPA Rule: Five need-to-know changes for your business

It’s not often we describe something as a drop-what-you’re-doing development.  But if you’ve been following proposed changes to the Children's Online Privacy Protection Act (COPPA) Rule, this may qualify.  After national workshops, Federal Register Notices, and hundreds of comments from the public, the FTC just issued final changes to the COPPA Rule.

As marketers know, the Rule puts certain requirements in place if you operate a website or online service directed to children under 13 or if you have actual knowledge that you’re collecting personal information online from kids in that age group.  Even with today’s announcement, most big-picture COPPA principles remain unchanged.  You still have to give notice to parents and get their verifiable consent before collecting, using, or disclosing personal information from children under 13.  You still have to keep kids’ information secure and you can’t condition their participation in activities on the collection of more personal info than is reasonably necessary to take part.  And the new Rule retains “safe harbor” provisions so that groups can submit programs for FTC approval.

So what’s new?  Here is our thumbnail summary to help guide your line-by-line review:

1.  New COPPA definitions.  The new Rule modifies some of the terminology COPPA mavens may be used to:         

• The new Rule makes it clear that operator covers an operator of a child-directed site or service where it allows outside services — like plug-ins or advertising networks — to collect personal information from visitors.  But as the Statement of Basis and Purpose explains, this revision covers only operators that design and control the child-directed content —  for example, the app developer or site owner.  It doesn’t cover platforms that just offer access to someone else’s child-directed sites or services.
   
• The new Rule clarifies that the definition of website or online service directed to children covers a plug-in or ad network when it has actual knowledge that it’s collecting personal information through a child-directed website or service.  Under the new definition, a subset of child-directed sites and services can now differentiate among users, requiring them to provide notice and get parental consent only for those who identify themselves as under 13.
   
• The definition of personal information now includes geolocation information, as well as photos, videos, and audio files that contain a child’s image or voice.  Also covered:  persistent identifiers that can be used to recognize a user over time and across different websites or online services.  But there’s a notable exception: COPPA’s parental notice and consent requirements don’t kick in if the identifier is used solely to support the internal operations of the site or service.
   
• Permitted activities now covered under the definition of support for internal operations include (among other things) contextual advertising, frequency capping, legal compliance, site analysis, and network communications.  But there’s an important caveat:  Operators may not, without parental consent, use or disclose information collected to contact a specific person, including through behavioral advertising, to amass a profile on that person or for any other purpose.  The new Rule also sets up a process so industry members can ask for formal approval for additions to the definition of support for internal operation.

2.  Changes to what operators need to tell parents.  In the notice that operators must send directly to parents before collecting personal info from their kids, the new Rule puts key information up front.  That "just in time" notice makes it easier for Moms or Dads to get the details they need, when they need them.  The Rule also streamlines what operators have to put in their online privacy policies about their information practices.  An added benefit:  To-the-point privacy policies are easier to read on smaller screens.

3.  New ways companies can get parental consent.  In addition to the already approved methods, the new Rule offers more ways businesses can get parents’ OK: electronic scans of signed parental consent forms, videoconferencing, use of government-issued ID, and alternative payment systems (assuming they meet the same stringent criteria as credit cards).  The sliding scale mechanism of parental consent — often called “email plus” — remains an acceptable method for operators collecting personal info just for internal use.  To encourage innovation in this area, the new Rule establishes a voluntary 120-day notice and comment process for businesses to get FTC approval for other methods.  In addition, operators that participate in an FTC-approved safe harbor program can use a method allowed under that program. 

4.  Stronger provisions to keep kids' information confidential and secure.  Under the new Rule, operators must take reasonable steps to make sure that before releasing information to service providers and third parties, those companies are capable of maintaining the confidentiality, security, and integrity of the information — and that they give assurances they’ll follow through. The Rule also requires that operators retain kids’ personal information for only as long as is reasonably necessary and that when they dispose of it, they’ll take reasonable measures to protect against unauthorized access.

5.  Additional monitoring of self-regulatory safe harbors.  The new Rule strengthens the FTC's oversight of safe harbor programs, requiring them to audit their members and report the combined results of those audits annually to the FTC.

Bookmark the BCP Business Center’s Children’s Privacy page for further developments.  Join FTC staff on Twitter from 2:00 to 3:00 ET on Wednesday, December 19, 2012, to discuss the latest on COPPA.  Tweet questions to @FTC with the hashtag #COPPA.