Important changes to the Children’s Online Privacy Protection Act (“COPPA”) will take effect in just a few days.1 Recent statements from the FTC and other enforcement agencies like the California Attorney General’s office have made it clear that child privacy is a key area of concern and a target for enforcement. The amended rule — which addresses the increase in online data collection, behavioral marketing, and the use of mobile devices — includes changes to the types of information covered, the methods for obtaining parental consent, and additional restrictions on how information can be shared. While these changes are most applicable to apps or websites directed to children, they may also impact general audience apps and websites. Businesses, including advertising networks and others operating in the mobile ecosystem, should review their practices for compliance with the COPPA requirements set to take effect on July 1, if they have not already done so.
The COPPA rule applies to: (a) operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children; (b) operators of general audience websites and online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13; and (c) websites and online services with actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.
Entities covered by COPPA must adhere to several requirements, which include:
Notably, the amended COPPA rule increases liability as to the information practices of third parties. The definition of “operator” will now clearly include operators of child-directed sites or services that integrate outside services, such as plug-ins or advertising networks. An operator must obtain parental consent where an app or website allows third parties to collect personal information from children through plug-ins. Plug-ins, ad networks, and other third party services are subject to the amended rule if they have actual knowledge that they are collecting information from children. While “actual knowledge” is not explicitly defined under COPPA, the FTC has stated that an operator has actual knowledge if it asks for — and receives— information that allows it to determine the user’s age.
The amended rule also modifies the types of personal information subject to the parental notice and consent requirements. The amended rule now includes: first and last name; home or other physical address; online contact information; telephone numbers; SSN; as well as geolocation; user name or handle; persistent identifiers used to recognize users over time (e.g. mobile device IDs); and photos, videos or audio files containing a child’s image or voice. Persistent identifiers were previously covered only when combined with individually identifiable information. Under the amended rule, a persistent identifier is considered personal information where it can be used to recognize a user over time and across different websites or online services. The FTC has stated that operators need not seek parental consent for the latter if it was collected prior to July 1, 2013. However, after that date, businesses subject to COPPA are generally prohibited from collecting persistent identifiers of children under 13 without parental consent or from associating new information with persistent identifiers that were used prior to July 1, 2013.
The amended rule also clarifies the direct notice requirements to ensure that key information is presented to parents in a succinct ‘‘just-in-time’’ notice, and expands the non-exhaustive list of methods for obtaining verifiable parental consent.
The FTC has published a set of FAQs to assist businesses in responding to these and other changes under the amended COPPA rule located here. Additionally, the FTC has sent notice letters to mobile app developers, encouraging compliance and alerting those parties to the potential liability implicated by the revised rule. Businesses should carefully review their privacy policies and practices — as well as those of third parties like ad networks and plug-ins — to ensure compliance with the amended COPPA rule.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:Del-Sesto-Ronald