Wednesday, February 19, 2014

What You Need to Know about the Children's Online Privacy Protection Act (COPPA)

Online privacy and information security are areas of ever-increasing concern for the Federal Trade Commission, state and federal prosecutors, plaintiffs' lawyers, and consumer advocates.  There is now a smattering of laws and regulations that operators of websites and applications, and advertisers, must comply with on these issues.  Anyone who (a) operates a website designed for kids or (b) operates a website geared to a general audience but knows that it is collecting information from someone under 13 should understand and comply with the Children's Online Privacy Protection Act, the FTC's rules, and the FTC's guidance.  

The Children's Online Privacy Protection Act (COPPA) became law almost 15 years ago, but in 2013 the Federal Trade Commission's revisions to the COPPA Rule, which were intended to modernize the Rule, took effect. 

image credit: Mike Licht

What Is the Children's Online Privacy Protection Act Rule?
The COPPA Rule requires operators of websites or online services directed to children under 13 years of age (and operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age, even if not by design) to provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age. The Rule also requires operators to keep secure the information they collect from children, and prohibits them from requiring the disclosure of more personal information than is reasonably necessary.
What Revisions Took Effect in 2013?
The lengthy 2013 revisions were designed to achieve the following:
  • Modify the definition of "operator" to make clear that the Rule covers an operator of a child-directed site or service where it integrates outside services, such as plugins or advertising networks, that collect personal information from its visitors;
  • Modify the definition of "Web site or online service directed to children" to clarify that the Rule covers a plug-in or ad network when it has actual knowledge that it is collecting personal information through a child-directed Web site or online service;
  • Modify the definition of "Web site or online service directed to children" to allow a subset of child-directed sites and services to differentiate among users, and to require notice and parental consent only for users who self-identify as under age 13;
  • Modify the definition of "personal information" to include geolocation information and persistent identifiers that can be used to recognize a user over time and across different Web sites or online services;
  • Modify the definition of "support for internal operations" to expand the list of defined activities;
  • Streamline and clarify the direct parental notice requirements to ensure that key information is presented to parents in a succinct ‘‘just-in-time’’ notice;
  • Expand the non-exhaustive list of acceptable methods for obtaining prior verifiable parental consent;
  • Create three new exceptions to the Rule’s notice and consent requirements;
  • Strengthen data security protections by requiring operators to take reasonable steps to release children’s personal information only to third parties who are capable of maintaining the confidentiality, security, and integrity of the information;
  • Require reasonable data retention and deletion procedures;
  • Strengthen the FTC’s oversight of self-regulatory "safe harbor" programs; and
  • Institute voluntary pre-approval mechanisms for new consent methods and for activities that support the internal operations of a Web site or online service.
You can read more about the 2013 Rule changes here, here, and here.

Wednesday, February 12, 2014

Does Your Website Privacy Policy Pass the Test?

In the past couple of years, Facebook, Twitter, and Google each settled disputes with the Federal Trade Commission ("FTC") relating to website privacy, and Google has reportedly paid $8.5 million to settle a class action suit based on similar privacy-based claims.  Even though actions against these Internet giants capture the headlines, all organizations with websites, regardless of size, can learn valuable lessons from the FTC's recent enforcement actions (as Upromise, Inc. learned in 2012 when the FTC took action against it on similar grounds).  The following discussion presents a high-level description of various aspects of website privacy law that organizations should not overlook:

Capturing Information

If your organization has a website that collects information in any way, including through an embedded "contact" form, or even cookies, you should strongly consider establishing a website privacy policy statement to protect your organization from liability.  Privacy policies are not just for large corporations and "web-based" companies.  A myriad of laws control what must be disclosed in a website privacy policy statement and how it is presented, as well as the underlying privacy practices.

Making Promises

Organizations sometimes make promises in their website privacy statements that they fail to fulfill in practice.  Allegations of broken promises can be found in most of the FTC's recent enforcement actions in this area.  This is particularly unfortunate because, in many instances, the organization created an otherwise avoidable risk by establishing privacy standards that were stricter than the law required.  This type of risk increases if an organization (or its third-party website designer) simply copies another organization's privacy policy statement without first understanding all of the legal and practical considerations that went into the original statement, including what different or additional policies an organization may need because of the different ways in which it does business.  To be effective in protecting your organization from liability, your website privacy policy statement must be tailored to your organization's own practices. 

Conducting Business On-Line

If your organization does business through its website, it may well have additional financial privacy protection obligations and disclosure requirements under various federal and state financial privacy laws, particularly if credit is extended for online transactions.  Any organization engaging in credit transactions through its website needs to be aware of the many additional legal obligations created by the patchwork of financial privacy laws.

Protecting Children

Websites directed at children are subject to additional restrictions and requirements under the Children's Online Privacy Protection Act ("COPPA").  If your organization's website, or a section of the website, is designed for children, COPPA disclosures and policies are necessary.

Opt-Out Requirements for Advertising

A federal law, the Controlling the Assault of Non-Solicited Pornography and Marketing Act, commonly known as the "CAN-SPAM Act," regulates commercial electronic mail.  Although it is not a privacy law per se, it does require senders of commercial email to provide, and honor, an opt-out mechanism, among other things.  If your company advertises through its website or by email, you must have CAN-SPAM policies and an opt-out procedure.  It is customary and advisable to address the CAN-SPAM Act and opt-out rights in a website privacy policy.

Don't Forget State Laws

A few states have their own website privacy laws with which your organization must comply if you direct your website to residents of any of those states.  For example, if your organization's website is directed at California residents, or at U.S. audiences generally, it will need to comply with California's rules, which are reputed to be the most rigorous and which include specific requirements that go beyond those of the federal rules.

Internet privacy is gaining increasing attention from governmental entities, consumer groups, and plaintiffs' class action attorneys, and is expected to be an emerging source of risk for many companies.  Fortunately, much of that risk is avoidable if care is taken to observe the patchwork of applicable legal requirements.