What You Need to Know about the Children's Online Privacy Protection Act (COPPA)

Online privacy and information security are areas of ever-increasing concern for the Federal Trade Commission, state and federal prosecutors, plaintiff's lawyers, and consumer advocates.  There are now a smattering of laws and regulations that operators of websites, applications, and advertisers must comply with relating to these issues.  Anyone who (a) operates a website designed for kids or (b) operates a website geared to a general audience but who is aware that it is collecting information from someone under 13 should understand and comply with the Children's Online Privacy Protection Act, the FTC's rules, and the FTC's guidance.  


The Children's Online Privacy Protection Act (COPPA) became law almost 15 years ago, but in 2013, the Federal Trade Commission's revisions to the COPPA Rule, which were intended to modernize the Rule, became effective. 

image credit: Mike Licht

What Is the Children's Online Privacy Protection Act Rule?
 

The COPPA Rule requires operators of websites or online services directed to children under 13 years of age (and operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age, even if not by design) to provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age. The Rule also requires operators to keep secure the information they collect from children, and prohibits them from requiring the disclosure of more personal information than is reasonably necessary.

What Revisions Took Effect in 2013?

The lengthy 2013 revisions were designed to achieve the following:

• Modify the definition of "operator" to make clear that the Rule covers an operator of a child-directed site or service where it integrates outside services, such as plugins or advertising networks, that collect personal information from its visitors;
• Modify the definition of "Web site or online service directed to children" to clarify that the Rule covers a plug-in or ad network when it has actual knowledge that it is collecting personal information through a child-directed Web site or online service;
• Modify the definition of "Web site or online service directed to children" to allow a subset of child-directed sites and services to differentiate among users, and requiring notice and parental consent only for users who self-identify as under age 13;
• Modify the definition of "personal information" to include geolocation information and persistent identifiers that can be used to recognize a user over time and across different Web sites or online services;
• Modify the definition of "support for internal operations" to expand the list of defined activities;
• Streamline and clarify the direct parental notice requirements to ensure that key information is presented to parents in a succinct ‘‘just-in-time’’ notice;
• Expand the non-exhaustive list of acceptable methods for obtaining prior verifiable parental consent;
• Create three new exceptions to the Rule’s notice and consent requirements;
• Strengthen data security protections by requiring operators to take reasonable steps to release children’s personal information only to third parties who are capable of maintaining the confidentiality, security, and integrity of the information;
• Require reasonable data retention and deletion procedures;
• Strengthen the FTC’s oversight of self-regulatory "safe harbor" programs; and
• Institute voluntary pre-approval mechanisms for new consent methods and for activities that support the internal operations of a Web site or online service.

You can read more about the 2013 Rule changes here, here, and here.