The U.S. Federal Trade Commission recently updated the rule for
children's online privacy protection, expanding a
business's obligations and accountability for online data
The U.S. federal law known as the Children's Online Privacy
Protection Act (COPPA), 15 U.S.C. §§ 6501-6508,
requires that commercial website and online service operators
provide parental notification and obtain verifiable parental
consent prior to collecting personal information from children
under 13. (Note: all references to
"children" hereinafter refer to children under 13.)
After COPPA was enacted in 1998, the Federal Trade Commission (FTC)
promulgated the Children's Online Privacy Protection Rule (the
COPPA Rule), 16 C.F.R. Part 312, to implement COPPA.
In 2010, the FTC began the process of updating the COPPA Rule to
address changing technology in the way information about children
is collected online, including the increased use of mobile devices
and social media. After seeking and considering several
rounds of public comments, the FTC adopted the amended COPPA Rule
on December 19, 2012. The amended COPPA rule, which will take
effect on July 1, 2013, makes several notable changes:
Expands the definition of "personal information" to
include geolocation information, a child's photo or audio or
video file, screen or user names, and persistent identifiers
(e.g., a customer number held in a cookie, an IP address,
a unique mobile device ID, etc.) that can be used to identify a
user over time and across different websites or online
Holds an online service operator liable for third-party
collection of personal information on its platform, if the third
party is acting on behalf of the operator (e.g., as an
agent or service provider) or if the operator benefits by allowing
the third party to collect information from users on its
Makes a party (e.g., a software plug-in or an ad
network) that collects information on another's platform liable
under COPPA, if that party has actual knowledge it is collecting
personal information on a children-directed platform
Further clarifies the test for determining whether an online
service is children-directed (which remains a highly fact-specific
inquiry that depends on the totality of the circumstances)
Adds an age-screening safe harbor for online services that fit
the "directed to children" criteria, but do not target
children as their primary audience
Streamlines what disclosures need to be made in an online
regarding its information practices with respect to children
Expands acceptable methods for obtaining verified parental
With these changes, the amended COPPA Rule enhances online
privacy protection for children and makes online service operators
more accountable for data collection activities involving
children. To ensure compliance with the amended COPPA Rule,
online service operators—including websites, mobile app
operators, social media plug-in providers and ad
networks—need to evaluate their data collection activities
with respect to children, including third-party activities on their
platforms as well as their activities on third-party platforms.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The Federal Financial Institutions Examination Council (FFIEC) released a Cybersecurity Assessment Tool (CAT) on June 30, 2015, to assist organizations in identifying cyber risks and assessing their cybersecurity preparedness.
The FFIEC notes cyberattacks have become more common. New platforms, such as cloud and social media, and new technologies, such as mobile devices and applications, are creating new cyberattack opportunities.
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
We previously reported here that CNA filed a lawsuit against its insured Cottage Health System seeking reimbursement of amounts that it previously paid under Cottage's cyber liability insurance policy.