The Children's Online Privacy Protection Act (COPPA) became law almost 15 years ago, but in 2013, the Federal Trade Commission's revisions to the COPPA Rule, which were intended to modernize the Rule, became effective.
Image credit: Mike Licht
What Is the Children's Online Privacy Protection Act Rule?
The COPPA Rule requires operators of websites or online services directed to children under 13 years of age (and operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age, even if not by design) to provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age. The Rule also requires operators to keep secure the information they collect from children, and prohibits them from requiring the disclosure of more personal information than is reasonably necessary.
What Revisions Took Effect in 2013?
The lengthy 2013 revisions were designed to achieve the following:
- Modify the definition of "operator" to make clear that the Rule covers an operator of a child-directed site or service where it integrates outside services, such as plugins or advertising networks, that collect personal information from its visitors;
- Modify the definition of "Web site or online service directed to children" to clarify that the Rule covers a plug-in or ad network when it has actual knowledge that it is collecting personal information through a child-directed Web site or online service;
- Modify the definition of "Web site or online service directed to children" to allow a subset of child-directed sites and services to differentiate among users, and to require notice and parental consent only for users who self-identify as under age 13;
- Modify the definition of "personal information" to include geolocation information and persistent identifiers that can be used to recognize a user over time and across different Web sites or online services;
- Modify the definition of "support for internal operations" to expand the list of defined activities;
- Streamline and clarify the direct parental notice requirements to ensure that key information is presented to parents in a succinct "just-in-time" notice;
- Expand the non-exhaustive list of acceptable methods for obtaining prior verifiable parental consent;
- Create three new exceptions to the Rule’s notice and consent requirements;
- Strengthen data security protections by requiring operators to take reasonable steps to release children’s personal information only to third parties who are capable of maintaining the confidentiality, security, and integrity of the information;
- Require reasonable data retention and deletion procedures;
- Strengthen the FTC’s oversight of self-regulatory "safe harbor" programs; and
- Institute voluntary pre-approval mechanisms for new consent methods and for activities that support the internal operations of a Web site or online service.