Do you operate a website that targets children under the age of 13 or a general audience site that collects personal information from such children? If the answer is yes, you should already be familiar with the Children’s Online Privacy Protection Act (COPPA). If your not familiar with COPPA and your website collects personal information from children under 13, you better get up to speed on all COPPA requirements in a big hurry. Enacted in 1998, COPPA regulates the collection, use and disclosure of personal information from children under the age of 13. Essentially, COPPA requires that the Federal Trade Commission (FTC) issue and enforce regulations concerning child online privacy (the COPPA Rule).
COPPA applies to websites that fall into one of two categories: 1) commercial websites or online services targeted to children under 13 that collect, use or disclose personal information from such children; or 2) general audience websites or online services that knowingly collect, use or disclose information from children under the age of 13. If your website falls under one of those categories, then your website needs to comply with this law.
Even you are aware of COPPA and believe your website is following the law, you need to know that the FTC has adopted recent changes to COPPA, effective July 1st, 2013.
So what do the amendments change?
As a summary, the amendments accomplish the following primary changes:
- Defines website “operator” to now cover an operator of a child-directed site or service where it integrates outside services, such as plug-ins or advertising networks, that collect personal information from children. The definition of “Web site or online service directed to children” was also amended so that it covers a plug-in or ad network when it has “actual knowledge that it is collecting personal information through a child-directed Web site or online service;”
- Streamlines the direct notice to parents requirements to make sure that the most information disclosures and information is presented to parents (a ‘‘just-in-time’’ notice);
- Expands the non-exhaustive list of acceptable methods for obtaining prior verifiable parental consent;
- Creates new exceptions to the Rule’s notice and consent requirements;
- Adds more required data security protections;
- Requires that website operators adopt reasonable data retention and deletion procedures;
- Provides a mechanism for voluntary pre-approval of new consent methods and for a determination of whether certain activities are seen as supporting the internal operations of your website or online service.
The amendments also add four new categories of information to the definition of “personal information.” These changes apply to any personal information that is collected after the effective date of July 1st, 2013.
–Geolocation information is now a stand-alone category under personal information. However, the FTC has stated that this was simply a clarification of the original COPPA rules. The definition of personal information already covers any geolocation information that provides information precise enough to identify the name of a street and city or town. Website operators are required to obtain parental consent prior to collecting such geolocation information, regardless of when such data is collected.
-Now a screen or user name is considered personal information where it functions in the same manner as online contact information. This includes not only an email address, but any other “substantially similar identifier that permits direct contact with a person online. Currently under COPPA, a screen or user name was only considered personal information if it revealed a child’s email address.
-Use of Persistent identifiers (cookies and similar tools with unique user identifiers) must be disclosed now only if they are combined with personal information collected from children under 13 and can be used to recognize a user over time and across different websites or online services. The website operator(s) is required to obtain prior parental consent unless such collection falls under an exception, such as for the support of internal operations of your website or online service.
Do I have to provide notice or disclose personal information collected before July 1st, 2013?
- -If you have collected geolocation information and have not yet obtained parental consent, you must do so immediately.
Website operators do not need to seek parental consent for newly-covered persistent identifiers if they were collected prior to the effective date of the amendments to COPPA. However, after the effective date, if your website continues to collect or associates any new information with a now-covered persistent identifier (such as information about a child’s activities on your website or online service), than you must disclose such use.
- -If your website has collected photos or videos containing a child’s image or audio files with a child’s voice prior to the effective date, you do not need to obtain parental consent.
- -Any newly-covered screen or user names collected prior to the effective date of the amendments does not require website operators to obtain parental consent or otherwise disclose this. But, a previously-collected screen or user name would trigger the COPPA requirements if website operators associate any new information with the screen or users names after the effective date.