The FTC has been busy this summer! In addition to releasing a few online marketing and privacy reports, the nation’s consumer watchdog also issued several updates to the current mac-daddy of U.S. online privacy laws – the Children’s Online Privacy Protection Act (COPPA). The changes are mostly cosmetic and language-oriented – out with “legalese,” in with “plain English” type of adjustments.
Nevertheless, there are a few items worth reviewing.
Bolstered Liability Language Regarding Site & App Functionality
Requested, Promoted and Encouraged
The previous version of the Children’s Online Privacy Protection Act said the law applied to website operators and app developers who “requested” identifiable information from minors. In the latest version, “requested” has been expanded to “requested, promoted or encouraged.”
Everything Digital Falls Under COPPA Now
The last COPPA version specifically mentioned chat rooms and message boards as Internet-based platforms on which children could share personal information. Now, specific mentions of various types of online websites has been replaced with the broader “in identifiable form.”
Other Small COPPA Language Changes
- Changed e-mail to email;
- Included “instant messaging user identifiers, VOIP identifiers and video chat identifiers as “an identification that permits direct contact”;
- Added geolocation as a “persistent” identifier;
- Added the word transfer to section that addresses the exchange of PII between parties, used to be only sharing, selling and renting.
Clarified The Value of Hyperlinks In Determining Which Websites Fall Under COPPA and Which Do Not
The new COPPA documents states:
A website or online service shall not be deemed directed to children solely because it refers or links to a commercial website or online service directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link.
In other words, just because you link to a website that may fall under COPPA regulations doesn’t mean you ARE a site that falls under COPPA regulations.
Clarified That Websites That Deleting Children’s Info Lowers Liability
One of the main confusions about the Children’s Online Privacy Protection Act is whether or not sites that don’t use, share or sell collected data have to comply with it. The new version of the rule clarifies:
“An operator shall not be considered to have collected personal information under this paragraph if it takes reasonable measures to delete all or virtually all personal information from a child’s postings before they are made public, and also to delete such information from its records.”
Passive Tracking Illegal According To COPPA
The new Children’s Online Privacy Protection Act rules document clearly states that passive tracking of a child online – without following COPPA protocol – is illegal.
Cleared Up What Constitutes Website Functionality
COPPA rules have always allowed for the inconsequential collection of children’s’ data related to website maintenance and functionality mechanisms, like updates and certain types of security backups. The latest version of the rules expounds on allowable “administrative and functionality” collection circumstances. Perhaps most notably, the word “analyze” was added to this section – thereby allowing for more flexibility in terms of traffic aggregator plugins and apps used for business marketing and SEO.
Plainly Stated What Factors The Commission Looks For When Deciding If A Website Must Comply With COPPA Regulations
Previously, the FTC’s explanation of the factors considered when determining a website’s COPPA status was a confusing. The new document is much clearer.
The FTC looks at the following factors when deciding if a site is “directed towards children”:
- Subject matter;
- Visual content;
- Use of animated characters or child-oriented activities and incentives;
- Music and other audio content;
- Age of models;
- Presence of child celebrities or celebrities who appeal to children;
- Language; and
- “Competent and reliable empirical evidence regarding audience.”
Actual Knowledge Is The New COPPA Standard
Also, the new Children’s Online Privacy Protection Act states that a website, plugin or app will be deemed “directed to children” when the operator has “actual knowledge” that it is collecting personally identifiable information.
Slight Change of Rules Concerning Credit Card Parental Consent Authorization
If it wasn’t clear before, the FTC has now made it so: it is not sufficient to just gather credit card information without charging it as an acceptable parental consent mechanism. However, credit card information coupled with other identifying information may be sufficient.
App Store Account Coverage & Liability
The latest version of the COPPA rules says that developers can “rely” on any disclosures a given app store has if said app store includes legal coverage in their deal / contract with developers. Moreover, software companies can develop multi-platform COPPA parental consent mechanisms without assuming liability. (#score)
Data Retention Clarification
The latest version of the Children’s Online Privacy Protection Act states that any personally identifiable data collected from people aged 13 and younger can only be used “for only as long as is reasonable necessary to fulfill the purpose for which the information was collected.”
Safe Harbor Programs
The original COPPA rules allowed for legislators to develop a “safe harbor parental consent” program in which designated products could earn a “COPPA safe harbor” designation and using any of them would ensure compliance with the law.
Welp, the FTC has developed the program and ratified several products and services. So, new language was added to the COPPA rules to reflect the new “safe harbor” program and outline the “self-regulator” standards.
Speak With A COPPA Lawyer
If you need to learn more about the Children’s Online Privacy Protection Act, check out the related blog posts (in the right sidebar if you’re at a computer; below if you’re on a mobile device).
If you need a COPPA lawyer to review your website for