For operators of web sites, apps and other online services, change is definitely coming – and quickly. On April 25, 2013, the Federal Trade Commission (“FTC”) issued updated Frequently Asked Questions (the “FAQs”) for its amended implementing rule (the “Rule”) for the Children’s Online Privacy Protection Act (“COPPA”). The FAQs give additional insight into the changes and updates to the Rule. Key takeaways of the FAQs include:
- The Rule will take effect on July 1, 2013 – the FTC has not granted an extension.
Anticipate that the FTC may act quickly to enforce the new Rule. All web sites and other online services should evaluate whether they are in full compliance with COPPA and the amended Rule and, if applicable, take immediate steps toward compliance in order to meet the July 1 deadline.
- The FTC clarified the extent to which the new Rule will apply to previously collected data:
Geolocation Data: The Rule only covers geolocation information precise enough to identify street name and city or town. The FTC considers its specific delineation of this type of data a mere clarification of existing regulation. Accordingly, if prior to July 1 an online service collected precise geolocation data without parental consent, the online service must immediately obtain parental consent. Note that this data may be collected passively and unintentionally, as geolocation information is sometimes automatically associated with uploaded files (such as pictures and video).
Photos, Videos and Audio Files: Online services may retain previously collected files containing a child’s image or voice without obtaining parental consent. However, the FTC recommends ceasing use or disclosure of this type of information without parental consent — as a “best practice.” Thus, businesses should consider carefully whether they will continue to use, disclose or retain photographs, videos and audio files after the Rule takes effect July 1. Note, too, that the FTC states it is acceptable to post photos where the child’s face is blurred and not recognizable.
User Names and Screen Names: The amended Rule is broader in its definition of user and screen names as personal information, such that as of July 1, these types of identifiers are “personal information” if they permit direct online contact with a person. Similar to photos, videos and audio files, organizations may retain previously collected user and screen names (and similar identifiers) that are newly subject to the Rule without parental consent. However, the Rule will apply to these identifiers if an organization associates any new information with the identifier after the Rule takes effect July 1. In addition, the FTC recommends obtaining parental consent — as a “best practice.” Thus, online services should fully analyze their use of screen names and similar identifiers to determine if they will trigger the new Rule and consider obtaining parental consent.
Persistent Identifiers: Starting July 1, a persistent identifier (such as an IP address) is “personal information” subject to the Rule if it can be used to recognize a user over time and across different web sites or online services (whether or not combined with individually identifiable information). Here, too, organizations may retain, without parental consent, persistent identifiers that are now covered by the Rule but were not previously subject to it. However, the Rule applies to any collection on or after July 1 of that persistent identifier or any association of information with that persistent identifier (e.g., association of an IP address with browsing activity on a web site). Accordingly, beginning July 1, online services will need prior parental consent to collect data using persistent identifiers unless the information is used solely for support of internal operations or falls within another exception under the Rule.
- Mobile phone numbers are not “online contact information” as defined by the Rule.
Accordingly, operators of online services must not collect mobile phone numbers from children as part of the process to obtain parental consent. Instead, operators should collect an email address, IM user identifier, VoIP identifier, video chat user identifier or other substantially similar identifier. However, once the operator is in contact with the parent, the parent may provide his or her mobile phone number for further communications.
- The FTC provided App-specific guidance:
Parental Notice and Consent: All operators of online services (whether App, website or other online service) may collect from the child the parent’s online contact information for the sole purpose of providing direct notice to the parent. The FTC also recognizes that other acceptable means are available through Apps, and operators may use those other means, such as through the mobile device, so long as the mechanism used provides notice and obtains the parent’s consent prior to collection of personal information from the child and is reasonably designed to ensure that it is the parent who receives the notice and gives consent. Note, however, that an App may not rely on collection of an app store account number or password to fulfill the Rule’s notice and consent requirements without other indicia of reliability, which may include knowledge-based authentication questions, because there is too great a risk that the app store account information (user name or account number and password) is provided by the child and not the parent.
Locally Stored Content: An app is not “collecting” personal information and does not trigger compliance obligations merely because it includes features that allow a user to upload photos or otherwise interact with personal information stored on the device — so long as that information remains locally stored and is never transmitted from the device.
- The FTC provided specific guidance regarding online advertising:
Key points from the FAQs with regard to how the Rule impacts online advertising include:
  - Behavioral advertising triggers the Rule; it does not fall within the term “support for internal operations,” and thus there is no exception for collecting persistent identifiers if they are used for behavioral advertising.
  - A child-directed content provider will be strictly liable for any collection of personal information (including persistent identifiers such as IP address) by a third party.
  - A child-directed content provider must provide notice and obtain prior parental consent before allowing any third party to collect personal information from visitors.
  - It is acceptable for a child-directed content provider to allow for contextual advertising on the site – but it must ensure that doing so does not otherwise violate COPPA or the Rule.
  - A company (for example, an online advertising service) that collects information through a third party web site or other online service will have “actual knowledge” that it has collected personal information from users of a child-directed site or service if: (1) the content provider directly provides that information; or (2) a representative of the company recognizes that the nature of the content on the third party site or service is child-directed.
- Online services partially directed to children may age-screen but may not block users who are younger than age 13.
The Rule allows a web site, app or other online service that falls under the definition of being directed toward children — but where children are not the primary audience — to use an age screen to differentiate between child and non-child users. Businesses must then either obtain parental consent or not allow children to participate in features and activities that collect personal information as defined by the Rule. However, the FTC makes clear repeatedly in the FAQs that businesses must not altogether prohibit children from participating in a site or service that is “child-directed” as determined by a preponderance of factors as set forth in the Rule and FAQs. Organizations should take care in determining whether their online service is “directed to children” and, if so, whether it is directed to children as the “primary audience.” Any age-screening mechanism should comply with FTC guidance (including with regard to not blocking child-users for at least certain types of sites and taking care not to encourage children to falsify their information).
- Reasonable security measures include contract provisions and periodic monitoring.
Organizations must determine that third parties have reasonable practices in place to maintain the confidentiality and security of data prior to sharing personal information of children with those third parties. The FAQs state that contracts with service providers should specifically address this issue and that the entity sharing the data must use reasonable means, such as periodic monitoring, to confirm that the third party is, in fact, maintaining the confidentiality and security of the information.
- Operators of online services may need to update their privacy policies and online practices.