Today, after four-years of discussion, the new stronger FTC rules protecting children online, goes into effect.
Much has changed about the Internet and the way we use it since In 1998 – the year Congress passed the Children’s Online Privacy Protection Act, or COPPA. Behavioral advertising, online tracking, social networks and the advent of the mobile Internet have made the Internet more accessible to children, and children’s personal information more accessible to companies as well as potential bad guys.
One thing that had not changed, however, was the federal regulations implementing COPPA – until today. Following a more than two year rule-making process and six month phase-in, the amended COPPA rule is now in effect.
COPPA is complex, but it contains three fundamental concepts.
- First, before an operator of a website may collect personal information from a child under the age of 13, it must obtain the verified consent of the child’s parent.
- Second, site operators must describe the information they collect and how they use it and share it in a privacy policy.
- And finally, the sites must store the children’s’ personal information securely.
These requirements apply to all child-directed sites – sites that have children as their primary target audience – and general audience sites that know they are collecting personal information from children under the age of 13.
The new rule adapts these core concepts to the current realities of Internet usage and data collection. In doing so, it substantially expands what is considered “personal information.” Reflecting the growth of social networks, user generated content and child-oriented mobile apps, operators of child directed sites now must obtain verifiable parental consent before they can collect users’ screen names, photo, video and audio files that contain a child’s image or voice, geo location data precise enough to identify a street and city; and persistent identifiers, such as cookies, an IP address, or unique mobile device identifier.
The new rule also makes clear that third parties, such as advertising networks, who receive personal information from sites they know are child directed must comply with COPPA, even if they have no direct user relationship with the child. Although these third parties will not have to investigate their partners’ sites, the Federal Trade Commission has suggested that they will be deemed to have knowledge if one of their employees recognizes that they are receiving personal information from a child-directed site.
The FTC has ramped up its enforcement of COPPA in recent years, and civil penalties are often substantial – up to $16,000 per violation. Companies, especially startups, will need to understand how their data collection practices fit within the complex new COPPA Rule.
Although the FTC has indicated that it will exercise moderation in the initial months of the new rule where companies are acting in good faith to comply, that leniency will not last forever. For additional information visit the websites listed below.
