The Federal Trade Commission announced its final amendments to the Children's Online Privacy Protection Rule ("COPPA Rule" or the "Rule") on December 19, 2012. The Rule is designed to prevent data collection from children under the age of 13 for marketing purposes without parental consent, and the changes will go into effect on July 1, 2013. The amendments came after nearly two years of reflection on the Rule, which included a public roundtable, several rounds of public comment and two previous iterations of proposed amendments. 

The final Rule is arguably less restrictive than previous proposed versions suggested it might be. Nevertheless, the Rule is much broader in scope and extends to data collection practices and entities that were not previously subject to COPPA. Overall, the amendments result in a number of significant changes to the Rule. To summarize, the changes affect the following: 

    (1) What it means for a site or service to be directed to children;

    (2) The standards for establishing operator and third party liability;

    (3) What constitutes personal information;

    (4) Parental notification and consent requirements; and

    (5) FTC oversight.

1. Sites or Services Directed to Children

The definition of what constitutes a site or service directed at children will remain largely the same, using the "totality of the circumstances" test. The final Rule does, though, add two enumerated factors. The totality of the circumstances test is used to determine whether a site or service is directed at children and whether a site or service targets children as its primary audience. The additional factors are (i) music, as an element of audio content and (ii) presence of child celebrities who appeal to children. The enumerated factors, however, will remain a non-exhaustive list, and no factor is to be given any more weight than another. Thus, the additional factors would have likely been relevant even without the change.

The final Rule also provides a safe harbor of sorts to sites or services that are directed at children but do not target children as the primary audience, such as family websites that appeal to an audience of all ages, but do contain child-oriented content. Whereas sites or services that are directed to children and target children as the primary audience must treat every user as a child and apply COPPA restrictions to all, sites or services that are "directed at children" but do not "target" children need not. Rather, these sites or services are given the option to age-screen their users and apply COPPA protections only to those users who self-identify as under 13. 

2. Operator/Third Party Liability

The new Rule revised its definition of "operator" to state that "[p]ersonal information is collected or maintained on behalf of an operator when: (a) it is collected or maintained by an agent or service provider of the operator; or (b) the operator benefits by allowing another person to collect personal information directly from users of such operator's website or online service." This means that sites or services that collect or allow third parties to collect personal information (such as ad networks or social plugins) are operators and must comply with parental notice and consent requirements. Additionally, third parties that collect personal information with actual knowledge that the site or service is directed at children are also subject to COPPA. The actual knowledge standard is lower than the constructive knowledge standard that the FTC previously considered. Finally, the FTC shielded platforms from incurring any operator liability where they only offer access to other parties' applications. Platforms include mobile application providers such as Google Play or Apple's APP STORE mobile download service.

3. Personal Information

Sites or services subject to the COPPA Rule may not collect the personal information of children under the age of 13 without first notifying parents and obtaining parental consent. The revised Rule states that such personal information consists of:

  • Persistent Identifiers - The final Rule defines any persistent identifier as "personal information," and it defines a persistent identifier as anything used to recognize a user over time and across different websites or online services (e.g. an IP address, a user number stored in a cookie, a processor/device serial number or a unique device identifier). Note, though, that persistent identifiers may be collected without parental notice and consent where it is used only to support the website or service's internal operations (i.e. contextual advertising, frequency capping, legal compliance, site analysis and network communications); 
  • Online Contact Information - Email addresses or other identifiers that permit direct contact with a person online;
  • Screen or User Names - Functions in the same manner as online contact information and covers direct, private, user-to-user contact; 
  • Photo, Audio and Video Files - Considered personal information where it contains a child's image or voice; and
  • Geo-location Information - Considered personal information where it is sufficient to identify both street name and city/town name.

The new Rule does not expand personal information to include full zip code plus 4 data or date of birth combined with gender and zip code. The Rule also provides a method for seeking FTC approval to add more activities to the list of internal operations for which persistent identifiers can be collected without parental notification and consent. Any collection of persistent identifiers for contacting individuals directly or through behavioral advertising, or creating profiles on individuals, however, requires parental notification and consent.

Further, what it means to collect personal information has been expanded. Collection includes "prompting" or "encouraging" the submission of information and even the "passive tracking" of information. Nevertheless, collection will not be deemed to have occurred where operators take reasonable measures to delete all or virtually all children's personal information before it is made public. This is a change from the current Rule's 100 percent deletion standard.

Additionally, where operators do decide to make use of children's personal information and comply with the notification and consent requirements, they may only retain the information so long as is necessary to fulfill the purpose of collection in the first place. The information must subsequently be deleted. Moreover, operators must secure the information and protect against unauthorized access or use while the information is being disposed of. Finally, operators must also take reasonable steps to ensure that the personal information is released only to those capable of providing the same security required of the operator.

4. Parental Notification and Consent

The Rule expands on the parental notice requirement, requiring that parents be notified of an operator's data collection practices in two ways. First, the privacy policy must be available directly on the site or service. The Rule includes requirements for the content and placement of the notice. Second, parents must be provided with a direct notice. The direct notice must explain to parents what personal information has already been collected from the child, the purpose of the notification, what actions the parent can take and how the collected information will be used. Importantly, merely providing a link to the privacy policy is not sufficient; this information must be conveyed in the direct notice.

In addition to notification, the Rule requires that operators obtain verifiable parental consent before collecting personal information from children. The "email plus" method for obtaining parental consent is retained on a limited basis, that is, when children's personal information is used for internal purposes only. However, the Rule also provides additional methods of obtaining consent such as electronic scans of signed forms, video verification methods, checking a parent's government identification and certain online payment systems. To allow for more consent processes to be added over time, the Rule establishes a voluntary commission with the authority to approve new parental consent methods.

5. Self-Regulatory Safe Harbor Programs

The final Rule creates expanded oversight over approved safe harbor programs. This oversight includes annual audits of participants and FTC reporting requirements. Participants in the safe harbor programs are likely to face higher compliance burdens and higher levels of government scrutiny. Indeed, the scrutiny of the safe harbor process could very well undermine one of the prior benefits of safe harbor participation.

What this means to you

The final COPPA Rule contains significant changes that deserve a thorough analysis, to determine whether your site or service now comes within the purview of the Rule and, if so, what steps must be taken toward compliance. You can be confident that the FTC, after the long, arduous road of revision and issuance of the revised, final Rule, is now actively looking for test cases for enforcement proceedings.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.