The Federal Trade Commission final updated COPPA Rule, published this morning (December 19, 2012), brings child protection online to the 21st century. While most of the high level requirements, which stem directly from the Child Online Privacy Protection Act (COPPA) remain unchanged, the updated Rule contains references to modern technologies such as geolocation, plug-ins and mobile apps, and modern methods of financing websites, such as behavioral targeting. It also takes into account more than ten years of practice and attempts to address some of the shortcomings and complexities of the prior rule. For example, the new Rule requires better accountability from Safe Harbor programs, which will have to annually audit their members and also report annually to the FTC on the outcome of these annual reviews. It also requires better accountability from companies. Companies that release children personal information to third parties service providers or otherwise will be responsible for ensuring that these third parties are capable of protecting the confidentiality, security and integrity of children’s personal information, and that they actually do provide these protections when handling the children information in their custody.
More covered entities
The new definition of “operator” now also covers website or online service directed to children that integrate outside services, such as a plug-in or ad network. The new definition of “website or online service” will also include plug-ins and ad networks that has actual knowledge that it is collecting personal information through a child-directed website or service.
More personal information protected
The definition of personal information is expanded to include:
- Geolocation information
- Photos, videos, and audio files that contain a child’s image or voice
- Persistent identifiers, such as IP address or mobile device IDs, that can be used to recognize a user over time and across different websites or online services.
More permitted activities
Conversely, more activities are specifically permitted. These contextual advertising, frequency capping, legal compliance, site analysis, and network communications. However, this does not include behavioral advertising. Parental consent is required when using or disclosing information to contact a specific person or develop a profile on that person.
New form of disclosures
The Rule still requires a direct notice to parents in addition to the online notice of information practices, but it streamlines what website or service must disclose in their online privacy statements describing their information practices.
New forms of parental consent
The new Rule offers more ways in which parents can communicate their consents. These additional means include electronic scans of signed parental consent forms (in addition to mail and fax), videoconferencing, use of government-issued ID, and use of online payment systems (other than credit or debit cards) that provides notification of each discrete transaction to the primary account holder.
Stronger security and confidentiality
While operators continue to be responsible for protecting the confidentiality, security and integrity of children’s information, they will be required, in addition, to ensure, before releasing information to service providers and third parties, that these entities are capable of maintaining the confidentiality, security, and integrity of the information. They will be responsible for obtaining assurances that these measures will be maintained.
New limited retention and disposal rules
Operators will be expected to retain personal information collected online from a child for only as long as reasonably necessary to fulfill the purpose for which the information was collected. They will also be required to delete such information by using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.
New monitoring and reporting requirements
The new Rule strengthens the FTC’s oversight of safe harbor programs. Safe harbor programs will be required to arrange for annual assessment of operators compliance with the program guidelines, and to provide the FTC with an annual report of the aggregated results of these independent assessments.