In an effort to provide clarity on its revised Children's Online Privacy Protection Rule ("Rules"), the FTC recently published a list of Frequently Asked Questions ("FAQs") with information on how to comply. The FAQs should provide helpful guidance to operators of commercial websites and other online services (such as mobile apps) that are either directed to children under 13 or otherwise collecting, using and/or distributing information from children. The Rules, which implement the Children's Online Privacy Protection Act ("COPPA"), were amended by the FTC in December 2012 in an effort to "keep up with changing technology". The Rules appear to be a regulatory priority: on May 15th, the FTC sent letters to 90 companies highlighting the changes and warning that new compliance measures may be necessary -- including changes in privacy and data retention policies, notices, and parental consent mechanisms.

 Below are some highlights from the FAQs:

  • FAQ 4 clarifies when an operator needs to obtain parental consent for information collected prior to the effective date of the amended Rules. Specifically, operators who have collected geolocation data from children without parental consent must obtain that consent immediately. Conversely, operators who, before the effective date, collected (i) photos, videos or audio files of children; (ii) screen or user names; or (iii) persistent identifiers, are not required to obtain consent (although the FTC recommends they do so). However, operators should obtain consent if persistent identifiers or screen/user names are later associated with newly collected information.
  • FAQ 30 says that when an app is directed to children, the amended Rules require privacy policies to appear on a home or landing screen, but the Rules do not expressly require those policies to appear at point of purchase. Nevertheless, the FTC encourages app operators to include a link to the privacy policy at point of purchase. However, if an app collects personal information upon download, it will be necessary to provide direct notice and obtain verifiable parental consent as required by COPPA.
  • FAQ 32 describes in detail the format and content of information that operators must include in direct notices to parents.
  • FAQ 41 makes clear that under the amended Rules, the website/online service operator is liable for the collection of information on its site or through its services (including through ads), even if the operator did not engage in the collection. For example, an operator of a child-directed website may be required to notify parents and obtain verifiable parental consent when data is collected through third-party advertising run on its site.
  • FAQ 53 says a teen-focused website may be deemed "directed to children" if it attracts a substantial number of children under the age of 13. Where any website is determined to be directed to children, it may not block children under 13 from using the service.  In those cases, the service must be fully COPPA compliant. However, where children under 13 are not the primary audience of the website/online service, operators may screen out those users who identify themselves as being under 13.
  • FAQ 66 states that mobile app operators cannot rely on a parent's app store account and credit card information -- even with the password -- to serve as verifiable parental consent.
  • FAQs 76-79 give additional clarity on the "support for internal operations" exception. A website may use certain information without consent for performing network communications, authenticating users or personalizing content for the site or service, serving contextual ads or capping the frequency of ads, protecting the security or integrity of the user, site or service, or ensuring legal or regulatory compliance. However, the FAQs also make clear that behavioral advertising and other similar practices will not fall under this exception.      
  • The FAQs also highlight in several areas that the new Rules require "reasonable" retention and deletion procedures for children's data.  Companies are not allowed to keep data indefinitely, but only so long as is reasonably necessary for the operation of the business. 

There's more to the FAQs and we encourage you to review them prior to July 1, 2013 -- the effective date of the new Rules.

www.fkks.com

This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.