On May 6, 2013, the FTC unanimously decided that the revised Children’s Online Privacy Protection Act (COPPA) will go into effect on July 1, 2013, as announced last December. Several industry organizations had asked the Commission to postpone the implementation date because the FTC had not issued updated guidelines for the revised rules.
However, last week, the FTC issued the requested guidelines in a new document, “Complying with COPPA: Frequently Asked Questions.” The document contains 92 questions and answers that will help both businesses and parents interpret the revised rules. The FAQs explain the Act’s requirements and provide welcome assistance for businesses — including those that sponsor sweepstakes and contests for children under the age of 13 — that need to understand COPPA’s requirements.
Here are the key changes in COPPA that take effect on July 1, 2013.
- Operator’s notice to parents
- Obtaining parental consent
The revised rules allow several new ways businesses can obtain parental approval. Those include:
- Electronic scans of signed parental consent forms
- Video conferencing
- Use of government-issued ID
- Alternative payment systems (on the assumption that they meet the same stringent criteria as credit cards)
- Stricter rules to maintain confidentiality of the child’s personal information
The new rules require operators to make certain, before they provide personal information to service providers and other third parties, that these third-party entities are able to protect the confidentiality, security and integrity of the children’s personal information.
The revised rule also allows operators to keep a child’s personal information only as long as necessary, such as to the end of a sweepstakes or contest.
- Safe harbors
The revised rules also require that any organizations using safe harbors conduct audits of their members and report the results to the FTC.
Under the new rules, the definition of “personal information” has been expanded to include “geo location” information, as well as photographs, videos, and audio files that contain a child’s image or voice. The definition now also includes “persistent identifiers” that can be used to identify a user over time and across different websites or online services.
- The new rules also clarify that the definition of “website or online service directed to children” now includes a plug-in or ad network that has actual knowledge that it is collecting personal information through a child-directed website or service.
- The revised rules further clarify that an “operator” includes any operator of a child-directed site or service that allows outside services, such as plug-ins or advertising networks, to collect personal information from visitors.
If you operate a website or online service directed to children younger than 13 — or if you have actual knowledge that you are collecting personal information online from children in that age group, such as through a sweepstakes or contest — you need to be aware of COPPA’s requirements. The FTC’s new Frequently Asked Questions provide a reliable resource for complying with this complex law.
This post was written by retired Thompson Coburn partner Dale Joerling. If you have any questions about the topics discussed in this post, please contact Thompson Coburn partner Hap Burke.