The U.S. Federal Trade Commission recently updated the rule for
children's online privacy protection, expanding a
business's obligations and accountability for online data
The U.S. federal law known as the Children's Online Privacy
Protection Act (COPPA), 15 U.S.C. §§ 6501-6508,
requires that commercial website and online service operators
provide parental notification and obtain verifiable parental
consent prior to collecting personal information from children
under 13. (Note: all references to
"children" hereinafter refer to children under 13.)
After COPPA was enacted in 1998, the Federal Trade Commission (FTC)
promulgated the Children's Online Privacy Protection Rule (the
COPPA Rule), 16 C.F.R. Part 312, to implement COPPA.
In 2010, the FTC began the process of updating the COPPA Rule to
address changing technology in the way information about children
is collected online, including the increased use of mobile devices
and social media. After seeking and considering several
rounds of public comments, the FTC adopted the amended COPPA Rule
on December 19, 2012. The amended COPPA rule, which will take
effect on July 1, 2013, makes several notable changes:
Expands the definition of "personal information" to
include geolocation information, a child's photo or audio or
video file, screen or user names, and persistent identifiers
(e.g., a customer number held in a cookie, an IP address,
a unique mobile device ID, etc.) that can be used to identify a
user over time and across different websites or online
Holds an online service operator liable for third-party
collection of personal information on its platform, if the third
party is acting on behalf of the operator (e.g., as an
agent or service provider) or if the operator benefits by allowing
the third party to collect information from users on its
Makes a party (e.g., a software plug-in or an ad
network) that collects information on another's platform liable
under COPPA, if that party has actual knowledge it is collecting
personal information on a children-directed platform
Further clarifies the test for determining whether an online
service is children-directed (which remains a highly fact-specific
inquiry that depends on the totality of the circumstances)
Adds an age-screening safe harbor for online services that fit
the "directed to children" criteria, but do not target
children as their primary audience
Streamlines what disclosures need to be made in an online
regarding its information practices with respect to children
Expands acceptable methods for obtaining verified parental
With these changes, the amended COPPA Rule enhances online
privacy protection for children and makes online service operators
more accountable for data collection activities involving
children. To ensure compliance with the amended COPPA Rule,
online service operators—including websites, mobile app
operators, social media plug-in providers and ad
networks—need to evaluate their data collection activities
with respect to children, including third-party activities on their
platforms as well as their activities on third-party platforms.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The U.S. Department of Justice (DOJ), Computer Crime and Intellectual Property Section (CCIPS) Cybersecurity Unit recently issued a comprehensive list of Best Practices for Victim Response and Reporting of Cyber Incidents.
In April 2015, the Department of Health and Human Services' Office for Civil Rights issued two "frequently asked questions" providing guidance on workplace wellness programs under the HIPAA Privacy, Security, and Breach Notification rules.
With all of the privacy and data security enforcement
actions brought by the Federal Trade
Commission in recent years, and with all of the
guidance distributed by the FTC in that time frame, it is
easy to get caught up in making sure your privacy and
data security practices are in order and compliant ...