The U.S. Federal Trade Commission recently updated the rule for
children's online privacy protection, expanding a
business's obligations and accountability for online data
The U.S. federal law known as the Children's Online Privacy
Protection Act (COPPA), 15 U.S.C. §§ 6501-6508,
requires that commercial website and online service operators
provide parental notification and obtain verifiable parental
consent prior to collecting personal information from children
under 13. (Note: all references to
"children" hereinafter refer to children under 13.)
After COPPA was enacted in 1998, the Federal Trade Commission (FTC)
promulgated the Children's Online Privacy Protection Rule (the
COPPA Rule), 16 C.F.R. Part 312, to implement COPPA.
In 2010, the FTC began the process of updating the COPPA Rule to
address changing technology in the way information about children
is collected online, including the increased use of mobile devices
and social media. After seeking and considering several
rounds of public comments, the FTC adopted the amended COPPA Rule
on December 19, 2012. The amended COPPA rule, which will take
effect on July 1, 2013, makes several notable changes:
Expands the definition of "personal information" to
include geolocation information, a child's photo or audio or
video file, screen or user names, and persistent identifiers
(e.g., a customer number held in a cookie, an IP address,
a unique mobile device ID, etc.) that can be used to identify a
user over time and across different websites or online
Holds an online service operator liable for third-party
collection of personal information on its platform, if the third
party is acting on behalf of the operator (e.g., as an
agent or service provider) or if the operator benefits by allowing
the third party to collect information from users on its
Makes a party (e.g., a software plug-in or an ad
network) that collects information on another's platform liable
under COPPA, if that party has actual knowledge it is collecting
personal information on a children-directed platform
Further clarifies the test for determining whether an online
service is children-directed (which remains a highly fact-specific
inquiry that depends on the totality of the circumstances)
Adds an age-screening safe harbor for online services that fit
the "directed to children" criteria, but do not target
children as their primary audience
Streamlines what disclosures need to be made in an online
regarding its information practices with respect to children
Expands acceptable methods for obtaining verified parental
With these changes, the amended COPPA Rule enhances online
privacy protection for children and makes online service operators
more accountable for data collection activities involving
children. To ensure compliance with the amended COPPA Rule,
online service operators—including websites, mobile app
operators, social media plug-in providers and ad
networks—need to evaluate their data collection activities
with respect to children, including third-party activities on their
platforms as well as their activities on third-party platforms.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
On Friday, November 13, Federal Trade Commission ("FTC" or the "Commission") Chief Administrative Law Judge ("ALJ") D. Michael Chappell issued an Initial Decision in In the Matter of LabMD, Inc. (FTC Docket No. 9357), dismissing the Commission's Complaint against LabMD, Inc. ("LabMD"), upon a finding that the FTC had failed to "demonstrate a likelihood that [LabMD's] computer network will be breached in the future and cause substantial computer injury."
Whether you are in-house counsel or external counsel, upon first hearing of a massive data breach affecting your client, your first reaction will likely be at least a twinge of panic. So first, take a deep breath and calm down.
Anthony Albanese, the head of the New York Department of Financial Services, issued a letter to more than 20 federal and state regulators outlining proposed cybersecurity regulations for banks and insurance companies operating in New York.
High-profile data breaches seem to hit the headlines almost every day. These breaches have proved terrifying for many companies, particularly as the attackers release embarrassing emails and other information.