Privacy & Security Alert
June 27, 2013
Guide to Compliance with the Amended COPPA Rule
- Children’s Online Privacy Protection Act, enacted by Congress in 1998
- Congress directed the Federal Trade Commission (FTC), the nation’s consumer protection agency, to issue and enforce regulations concerning children’s online privacy
- The FTC issued the Children’s Online Privacy Protection Rule, effective April 21, 2000
- The FTC issued an amended COPPA Rule on December 12, 2012, with an effective date of July 1, 2013.
PURPOSE OF COPPA: To place parents in control over what information is collected online from their children under 13.
SCOPE OF COPPA: applies to the following three (3) categories of online operators:
- Operators of commercial Web sites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information (PI) from children under 13 (including personal information about themselves, their parents, friends or other persons);
- “Online service” is broadly defined to cover any service available over the Internet, or that connects to the Internet or a wide-area network. Examples: services that allow users to play network-connected games, engage in social networking activities, purchase goods or services online, receive online advertisements or interact with other online content or services, mobile applications that connect to the Internet, VoIP services, Internet-enabled location-based services, Internet-enabled gaming platforms.
- “Web site or online service directed to children” is defined in §312.2 of COPPA. The following factors should be considered when determining whether a Web site or online service, or a portion thereof, is directed to children: (i) the subject matter, (ii) the visual content, (iii) use of animated characters or child-oriented activities and incentives, (iv) music or other audio content, (v) age of models, (vi) presence of child celebrities or celebrities who appeal to children, (vii) language or other characteristics of the Web site or online service, and (viii) whether advertising promoting or appearing on the Web site or online service is directed to children. The FTC will also consider “competent and reliable empirical evidence” regarding the audience composition or intended audience of the Web site or online service. Lastly, a Web site or online service will be deemed “directed to children” if it has actual knowledge that it is collecting PI directly from users of another Web site or online service that is directed to children.
- Operators of general audience Web sites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13;
The Rule does not define the term “actual knowledge,” but the FTC said that an operator has “actual knowledge” of a user’s age if the site or service asks for — and receives — information from the user that allows it to determine the user’s age [from the article titled “Children’s Online Privacy Protection Rule: Not Just for Kids’ Sites” published by the FTC in April 2013]. Examples: (a) an operator who asks for a date of birth on a site’s registration page has “actual knowledge” as defined by COPPA if a user responds with a year that suggests the user is under 13, or (b) an operator may also have “actual knowledge” based on answers to “age-identifying” questions like the following: “What grade are you in?” or “What type of school do you go to? (a) elementary; (b) middle; (c) high school; (d) college.”
- Web sites or online services with “actual knowledge” that they are collecting personal information directly from users of another Web site or online service directed to children under 13. Examples: providers of plug-ins, advertising networks, and other third-party service providers
- A plug-in is a piece of software that acts as an add-on to a web browser and gives the browser additional functionality. Plug-ins can allow a web browser to display additional content it was not originally designed to display. Well-known browser plug-ins include the Adobe Flash Player, Adobe Reader, the Macromedia Flash Player, the QuickTime Player, and the Java plug-in. Most plug-ins are available as free downloads. To install the plug-in, you visit the website of the plug-in’s developer and click on a link that will download the installer for the plug-in you have selected. Once you have downloaded the installer, you can open it and follow the prompts to install the plug-in on your system.
- An online advertising network or ad network is a company that connects advertisers to Web sites that want to host advertisements. The key function of an ad network is aggregation of ad space supply from publishers and matching it with advertiser demand. Online ad networks use a central ad server (a computer server, specifically a web server, that stores advertisements used in online marketing and delivers them to website visitors) to deliver advertisements to consumers, which enables targeting, tracking and reporting of impressions.
Examples of a third party’s actual knowledge under COPPA: (a) if the operator of a child-directed site directly communicates to an ad network or plug-in about the nature of its site, the ad network or plug-in will have “actual knowledge” under COPPA, or (b) a representative of the ad network or plug-in recognizes the child-directed nature of the site’s content [according to the FTC FAQ 39, it is unlikely that the mere collection of a URL from a child-directed site or service will constitute “actual knowledge”], or (c) if a concerned parent or someone else informs a representative of the ad network or plug-in that it is collecting PI from children under 13.
In addition, if in the future, an industry standard or agreed-upon convention is developed under which sites or services signal their child-directed status (e.g. via explicit signaling from the embedding web page to the third party), this will be deemed “actual knowledge” [See FTC FAQ 39].
COPPA applies to the online collection of PI from children under 13 by a covered operator, even if children volunteer the PI OR are not required by the operator to input the information to participate on the Web site or service. COPPA does not apply to information about children under 13 collected online from parents or other adults, although the FTC expects that operators will keep confidential any information obtained from parents in the course of obtaining parental consent or providing for parental access pursuant to COPPA.
COPPA also covers operators that allow children under 13 to publicly post PI, such as in chat boards or product reviews.
COPPA also covers the passive tracking of PI of children under 13 through a persistent identifier and not just active collection.
COPPA does not require operators to investigate the age of visitors. An operator of a general audience Web site or service that chooses to screen its users for age may rely on the age information its users enter, even if that age information is not accurate (in some circumstances, this may mean that the children are registering on a site or service in violation of the operator’s Terms of Service). However, if the operator later determines that a particular user is a child under 13, COPPA’s notice and parental consent requirements will be triggered.
SCREENING USERS FOR AGE: Web sites or online services (including apps) directed to children may NOT screen users for age, unless they fall under a narrow exception: the Web site or online service does not target children under 13 as its primary audience (e.g., Disney.com is a child-directed site that targets children under 13 as well as parents and younger teens). An operator meeting these standards may age-screen its users if it: (i) does not collect PI from any visitor before collecting age information, and (ii) prevents the collection, use, or disclosure of PI from visitors who identify themselves as under the age of 13 without first complying with the Amended Rule’s notice and parental consent provisions. An operator of a Web site or online service directed to children may NOT block children from participating in the Web site or online service; you may decide to offer different activities or functions to your users depending on age, but you may NOT altogether prohibit children from participating in your child-directed site or online service.
However, operators of a general audience Web site or online service MAY block children under 13 from participating if they choose to do so; the FTC staff recommends using a cookie to prevent children from back-buttoning to enter a different age.
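The age-screening rules above, worked through as an added Python example (this is not code from the alert or from Mintz Levin). It collects no PI before the age answer, routes a self-identified under-13 user to the notice and parental-consent path on a mixed-audience child-directed site or blocks that user on a general audience site, and keeps the under-13 answer in a signed cookie so that back-buttoning with a different birth date does not change the result. The form field names, cookie name, outcome names and demo key are this example’s own assumptions.

```python
"""Neutral age screen for a COPPA-covered site.

Added example, not code from the alert or from Mintz Levin. It encodes the
screening rules quoted above: collect no personal information (PI) before the
age answer; send users who self-identify as under 13 into the notice and
parental-consent path on a child-directed site, or block them on a general
audience site; and remember an under-13 answer in a cookie so back-buttoning
cannot be used to enter a different age. Field, cookie and outcome names are
this example's own assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional
import hashlib
import hmac

COPPA_AGE = 13
COOKIE_NAME = "age_screen"   # assumed cookie name
UNDER_13 = "u13"
# Form fields that are PI under the amended Rule and must not be read before age.
PI_FIELDS = {"first_name", "last_name", "email", "phone", "address",
             "screen_name", "photo", "geolocation"}
DEMO_KEY = b"constructed-demo-key"   # constructed; use a real secret in production
DEMO_TODAY = date(2013, 7, 1)        # the amended Rule's effective date

class Audience(Enum):
    GENERAL = "general"   # general audience: MAY block under-13 users
    MIXED = "mixed"       # child-directed, not primarily under 13: may screen, may NOT block

class Outcome(Enum):
    ALLOW = "allow"
    REQUIRE_PARENTAL_CONSENT = "parental_consent_required"
    BLOCK = "block"
    REFUSED_PI_BEFORE_AGE = "refused_pi_before_age"
    ASK_AGE = "ask_age"

@dataclass
class Response:
    outcome: Outcome
    set_cookies: dict = field(default_factory=dict)

def _sign(value: str, key: bytes) -> str:
    return value + "." + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def _verify(cookie: str, key: bytes) -> Optional[str]:
    """Return the cookie's value if its HMAC tag is intact, else None."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None

def _age_on(dob: date, today: date) -> int:
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years

def _under13_outcome(audience: Audience) -> Outcome:
    # A child-directed site may not bar children; it must go through notice and consent.
    return Outcome.BLOCK if audience is Audience.GENERAL else Outcome.REQUIRE_PARENTAL_CONSENT

def screen(form: dict, cookies: dict, audience: Audience,
           key: bytes = DEMO_KEY, today: date = DEMO_TODAY) -> Response:
    """Apply the age screen to one registration submission."""
    # Back-button defence: a prior under-13 answer lives in a signed cookie, so a
    # second submission with a different birth date gets the same result. This is
    # a deterrent only; a user who clears cookies can answer again.
    prior = cookies.get(COOKIE_NAME)
    if prior is not None and _verify(prior, key) == UNDER_13:
        return Response(_under13_outcome(audience))
    # Rule (i): no PI may be collected from any visitor before the age answer.
    if PI_FIELDS & set(form):
        return Response(Outcome.REFUSED_PI_BEFORE_AGE)
    try:
        dob = date.fromisoformat(form["dob"])
    except (KeyError, ValueError):
        return Response(Outcome.ASK_AGE)   # re-present the neutral age question
    if _age_on(dob, today) >= COPPA_AGE:
        return Response(Outcome.ALLOW)
    # Rule (ii): an under-13 answer means no collection, use or disclosure of PI
    # until the notice and parental-consent steps have been completed.
    return Response(_under13_outcome(audience),
                    set_cookies={COOKIE_NAME: _sign(UNDER_13, key)})

if __name__ == "__main__":
    first = screen({"dob": "2004-06-15"}, {}, Audience.GENERAL)
    retry = screen({"dob": "1980-01-01"}, first.set_cookies, Audience.GENERAL)
    print(first.outcome.value, "->", retry.outcome.value)
```

The cookie is HMAC-signed so an edited cookie is simply ignored rather than trusted, but as the FTC staff recommendation implies, it is a back-button deterrent and not an age-verification control: clearing cookies lets the visitor answer again, which is why a general audience site that relies on self-reported age still has the obligations described above once it learns a user is under 13.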
COPPA does not apply to nonprofit entities, unless they operate for the profit of their commercial members (essentially COPPA only applies to entities that are subject to Section 5 of the FTC Act, i.e. all persons engaged in commerce, including banks). However, the FTC encourages such entities to post privacy policies online and to provide COPPA’s protections to their visitors who are children under 13.
Foreign-based Web sites and online services must comply with COPPA if they are directed to children under 13 in the U.S. OR if they knowingly collect personal information from children under 13 in the U.S. The definition of “operator” under COPPA includes foreign-based Web sites and online services that are involved in commerce in the U.S. or its territories. U.S.-based sites that collect information from foreign children are also subject to COPPA.
DEFINITION OF PERSONAL INFORMATION (PI): one or more of the following elements:
- First and last name; OR
- A home or other physical address including street name and name of city/town; OR
- Online contact information; OR
- A screen or user name that functions as online contact information (includes not only an email address, but any other “substantially similar identifier that permits direct contact with a person online”); OR
- A telephone number; OR
- A social security number; OR
- A persistent identifier that can be used to recognize a user over time and across different Web sites or online services (such as a customer number held in a cookie, an IP address, a processor or device serial number, or a unique device identifier that can be used to recognize a user over time and across different sites, even where such identifier is NOT paired with other items of PI); OR
- A photo, video, or audio file, where such file contains a child’s image or voice [but NOT if facial features are blurred by the operator before posting on the site, provided that all other PI is removed, such as geolocation metadata]; OR
- Geolocation information sufficient to identify street name and name of a city/town (including where an app takes the user’s longitude and latitude coordinates and translates them into a precise location on a map); OR
- Information concerning the child or the parents of that child that an operator collects online from the child and combines with an identifier described above.
OPERATOR OBLIGATIONS UNDER COPPA: a covered operator must:
- Make reasonable efforts (taking into account available technology) to provide direct notice to parents of the operator’s practices with regard to the collection, use, or disclosure of PI from children under 13, including notice of any material change to such practices to which the parent has previously consented;
- Obtain verifiable parental consent, with limited exceptions, prior to any collection, use, and/or disclosure of PI from children under 13;
- Provide a reasonable means for a parent to review the PI collected from their child and to refuse to permit its further use or maintenance;
- Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the PI collected from children under 13, including by taking reasonable steps to disclose/release such PI only to parties capable of maintaining its confidentiality and security; and
- Retain PI collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
- Operators are prohibited from conditioning a child’s participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity.
The Amended Rule applies to any PI that is collected after the effective date of July 1, 2013. However, since the Amended Rule added 4 new categories of PI, operators that collected and used such information before it was considered PI will have the following obligations regarding use and disclosure as of July 1, 2013:
- GEOLOCATION INFORMATION: If you collected geolocation information (any geolocation info that provides information precise enough to identify the name of a street AND city/town) from a child prior to July 1, 2013 and have not obtained parental consent, you are required to obtain parental consent immediately. Operators are required to obtain parental consent prior to collecting geolocation information, regardless of when such data is collected.
- PHOTOS OR VIDEOS CONTAINING A CHILD’S IMAGE OR AUDIO FILES WITH A CHILD’S VOICE FROM A CHILD: If you collected photos or videos containing a child’s image or audio files with a child’s voice from a child prior to July 1, 2013 and have not obtained parental consent, you are not required, but encouraged by the FTC (as a best practice) to either obtain parental consent if possible or discontinue use or disclosure of such information after July 1, 2013.
- SCREEN OR USER NAME: If you collected any screen or user name that functions in the same manner as online contact information from a child prior to July 1, 2013 and have not obtained parental consent, you are not required, but encouraged by the FTC (as a best practice) to obtain parental consent if possible. However, if after July 1, 2013, an operator associates new information with a previously collected screen or user name, you are required to obtain parental consent.
- PERSISTENT IDENTIFIERS: If you collected any persistent identifiers that can be used to recognize a user over time and across different Web sites or online services from a child prior to July 1, 2013 and have not obtained parental consent, you are not required, but encouraged by the FTC (as a best practice) to obtain parental consent if possible. However, if after July 1, 2013, an operator continues to collect or associates new information with such persistent identifier (such as info about a child’s activities on the operator’s site or online services), this collection of information triggers COPPA and parental consent is required, unless collection falls under an exception such as support for the internal operations of the site or online service.
- BOTTOM LINE: Parental consent is NOT REQUIRED for the following categories of information that were collected from children under 13 before July 1, 2013:
- Photos, videos, and audio files containing a child’s image or voice;
- Screen or user names that function as online contact information UNLESS the operator combines them with new information after July 1, 2013; and
- Persistent identifiers, UNLESS the operator continues to collect the persistent identifiers or combines them with new information after July 1, 2013.
CONTENT OF THE ONLINE NOTICE (PRIVACY POLICY): the notice must include:
- Name, address, telephone number, and email address of ALL operators collecting or maintaining PI through the Web site or service (or, after listing the names of all such operators, the contact information for just one that will handle all inquiries from parents);
- A description of what information the operator collects from children, including whether the operator enables children to make their PI publicly available, how the operator uses such information, and the operator’s disclosure practices for such information; AND
- “Support for internal operations of the Web site or online service,” as defined in §312.2, means activities necessary for the site or service to:
- Maintain or analyze its functioning;
- Perform network communications;
- Authenticate users or personalize content; (NOT behavioral advertising!)
- Serve contextual advertising or cap the frequency of advertising;
- Protect the security or integrity of the user, Web site, or online service;
- Ensure legal or regulatory compliance; or
- Fulfill a request of a child as permitted by COPPA §312.5(c)(3) [Where the operator collects online contact information from a child to be used to respond directly more than once to a specific request from the child, and where such information is not used for any other purpose.] and (4) [Where the operator collects a child’s name and online contact information to the extent reasonably necessary to protect the safety of a child participant on the website or online service, and the operator uses reasonable efforts to provide a parent notice as described in § 312.4(c), where such information is: (i) Used for the sole purpose of protecting the child’s safety; (ii) Not used to re-contact the child or for any other purpose; and (iii) Not disclosed on the website or online service].
- Persistent identifiers collected for the sole purpose of providing support for the internal operations of the Web site or online service do not require parental consent, so long as no other PI is collected AND the persistent identifiers are not used or disclosed to contact a specific individual (including through behavioral advertising) or for any other purpose.
- Both a child-directed Web site and a third-party plug-in that collects persistent identifiers from children under 13 can rely on the “support for internal operations” exception, if the only PI collected is persistent identifiers used for the purposes outlined in the “support for internal operations” definition above.
- A statement that the parent can review or have deleted the child’s PI and refuse to permit its further collection or use, and state the procedures for doing so.
- “Delete” is defined as “to remove personal information such that it is not maintained in retrievable form and cannot be retrieved in the normal course of business.”
There are four (4) instances where a direct notice is required or appropriate and operators must make reasonable efforts, taking into consideration available technology, to ensure that the parent receives such notice. An operator will not be deemed to have made reasonable efforts to ensure that a parent receives notice where the notice to the parent was unable to be delivered:
- Operator seeks to obtain a parent’s verifiable consent prior to the collection, use, and/or disclosure of a child’s PI. The notice must:
- State that the operator has collected the parent’s online contact information from the child, and, if such is the case, the name of the child or the parent, in order to obtain the parent’s consent;
- State that the parent’s consent is required for the collection, use, or disclosure of such information, and that the operator will not collect, use, or disclose any personal information from the child if the parent does not provide such consent;
- Set forth the additional items of PI the operator intends to collect from the child, or the potential opportunities for the disclosure of PI, should the parent provide consent;
- Provide the means by which the parent can provide verifiable consent to the collection, use, and disclosure of the information; and
- State that if the parent does not provide consent within a reasonable time from the date the direct notice was sent, the operator will delete the parent’s online contact information from its records.
- Operator voluntarily seeks to provide notice to a parent of a child’s online activities that do not involve the collection, use or disclosure of PI. The notice must:
- State that the operator has collected the parent’s online contact information from the child in order to provide notice to, and subsequently update the parent about, a child’s participation in a Web site or online service that does not otherwise collect, use, or disclose children’s PI;
- State that the parent’s online contact information will not be used or disclosed for any other purpose;
- State that the parent may refuse to permit the child’s participation in the Web site or online service and may require the deletion of the parent’s online contact information, and how the parent can do so; and
- Operator intends to communicate with the child multiple times via the child’s online contact information and collects no other information. The notice must:
- State that the operator has collected the child’s online contact information from the child in order to provide multiple online communications to the child;
- State that the operator has collected the parent’s online contact information from the child in order to notify the parent that the child has registered to receive multiple online communications from the operator;
- State that the online contact information collected from the child will not be used for any other purpose, disclosed, or combined with any other information collected from the child;
- State that the parent may refuse to permit further contact with the child and require the deletion of the parent’s and child’s online contact information, and how the parent can do so;
- State that if the parent fails to respond to this direct notice, the operator may use the online contact information collected from the child for the purpose stated in the direct notice; and
- Operator’s purpose for collecting a child’s and a parent’s name and online contact info is to protect a child’s safety, and the information is not used or disclosed for any other purpose. The notice must:
- State that the operator has collected the name and the online contact information of the child and the parent in order to protect the safety of a child;
- State that the information will not be used or disclosed for any purpose unrelated to the child’s safety;
- State that the parent may refuse to permit the use, and require the deletion, of the information collected, and how the parent can do so;
- State that if the parent fails to respond to this direct notice, the operator may use the information for the purpose stated in the direct notice; and
The Rule enumerates several non-exhaustive options, described below, to obtain verifiable parental consent [See § 312.5(b)]. Any method must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent. An operator can also file a written request with the FTC for pre-approval of a new consent mechanism.
If the operator is going to disclose a child’s PI to third parties, or allow children to make it publicly available (e.g., through a social networking service, online forums, or personal profiles), the operator must use one of the methods below:
- Providing a consent form to be signed by the parent and returned via U.S. mail, fax, or electronic scan (the “print-and-send” method); OR
- Requiring the parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder; OR
- Having the parent call a toll-free telephone number staffed by trained personnel, or have the parent connect to trained personnel via video-conference; OR
- Verifying a parent’s identity by checking a form of government-issued identification against databases of such information, provided that the operator promptly deletes the parent’s identification after completing the verification.
If the operator is going to use the child’s PI only for internal purposes and does not disclose the PI, the operator can use one of the methods described above or the “email plus” method of parental consent. “Email plus” allows an operator to request, in the direct notice sent to the parent’s online contact address, that the parent indicate consent in a return message to the operator. To properly use this method, the operator must take an additional confirming step after receiving the parent’s message — this is the “plus” factor and can be either:
- Requesting in the initial message to the parent that the parent include a phone or fax number or mailing address in the reply message so that the operator can follow up with a confirming phone call, fax or letter to the parent; OR
- After a reasonable time delay, sending another message via the parent’s online contact information to confirm consent. In this confirmatory message, the operator should include all the original information contained in the direct notice, inform the parent that he or she can revoke the consent, and inform the parent how to do so.
PLEASE NOTE that with respect to mobile apps, the mere entry of an app store account number or password, without other indicia of reliability (e.g., knowledge-based authentication questions or verification of government id), does NOT provide sufficient assurance that the person entering the account or password info is the parent, and not the child [See FTC FAQs].
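The direct-notice items listed earlier and the “email plus” sequence just described, modelled as an added Python example (not code from the alert or from Mintz Levin). It refuses “email plus” when the child’s PI will be disclosed, refuses a mobile phone number as the parent’s online contact information, sends a direct notice stating the required items, performs the “plus” step either through a parent-supplied phone/fax/mail channel or by a delayed confirmatory message that repeats the notice and explains revocation, and deletes the parent’s contact information when no consent arrives within a reasonable time. The wait periods, record fields and message wording are this example’s own assumptions.

```python
"""'Email plus' parental-consent workflow with deletion on timeout.

Added example, not code from the alert or from Mintz Levin. The wait periods,
record fields and message wording are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional

REASONABLE_WAIT = timedelta(days=14)  # assumed "reasonable time" before deletion
CONFIRM_DELAY = timedelta(hours=24)   # assumed delay before the confirmatory message
# "Online contact information" as listed in the alert; a mobile number is excluded.
ONLINE_CONTACT_TYPES = {"email", "im", "voip", "video_chat"}
DEMO_T0 = datetime(2013, 7, 1, 9, 0)  # constructed start time for the demo

class State(Enum):
    NOTICE_SENT = "notice_sent"        # direct notice delivered, awaiting reply
    REPLY_RECEIVED = "reply_received"  # parent replied; the "plus" step is pending
    CONFIRMED = "consent_confirmed"    # plus step done; collection may begin
    REVOKED = "revoked"
    DELETED = "deleted"                # timed out; parent contact info erased

class PolicyError(Exception):
    """Raised when a step would violate the consent rules modelled here."""

@dataclass
class Consent:
    child_id: str
    parent_contact: Optional[str]
    requested_pi: List[str]
    opened_at: datetime
    state: State = State.NOTICE_SENT
    reply_at: Optional[datetime] = None
    followup_channel: Optional[str] = None  # phone/fax/mailing address from the reply
    outbox: List[str] = field(default_factory=list)  # messages sent to the parent

def direct_notice(c: Consent) -> str:
    """The items the direct notice must state when seeking consent."""
    return ("We collected your online contact information from your child in order "
            "to obtain your consent. Your consent is required before we collect, use "
            f"or disclose: {', '.join(c.requested_pi)}. Without it we will not collect, "
            "use or disclose any personal information from your child. Reply to this "
            f"message to consent. If we receive no consent within {REASONABLE_WAIT.days} "
            "days we will delete your contact information.")

def email_plus_permitted(discloses_pi: bool, contact_type: str) -> bool:
    """Email plus needs PI kept internal and a true online contact identifier."""
    return not discloses_pi and contact_type in ONLINE_CONTACT_TYPES

def start(child_id: str, parent_contact: str, contact_type: str,
          requested_pi: List[str], discloses_pi: bool, now: datetime) -> Consent:
    if not email_plus_permitted(discloses_pi, contact_type):
        raise PolicyError("email plus not permitted: PI is disclosed or the contact "
                          "is not online contact information; use a 312.5(b) method")
    c = Consent(child_id, parent_contact, list(requested_pi), opened_at=now)
    c.outbox.append(direct_notice(c))
    return c

def parent_replied(c: Consent, now: datetime, followup_channel: Optional[str] = None) -> None:
    if c.state is not State.NOTICE_SENT:
        raise PolicyError(f"unexpected reply in state {c.state.value}")
    c.state, c.reply_at, c.followup_channel = State.REPLY_RECEIVED, now, followup_channel

def confirm_by_followup(c: Consent) -> None:
    """Plus step (a): staff confirmed by phone, fax or letter via the parent's channel."""
    if c.state is not State.REPLY_RECEIVED or not c.followup_channel:
        raise PolicyError("no parent-supplied follow-up channel to confirm through")
    c.state = State.CONFIRMED

def tick(c: Consent, now: datetime) -> State:
    """Time-driven steps: delete on timeout, or send the delayed confirmatory message."""
    if c.state is State.NOTICE_SENT and now - c.opened_at >= REASONABLE_WAIT:
        c.parent_contact = None   # required deletion of the parent's contact info
        c.state = State.DELETED
    elif (c.state is State.REPLY_RECEIVED and not c.followup_channel
          and now - c.reply_at >= CONFIRM_DELAY):
        # Plus step (b): repeat the original notice and explain how to revoke.
        c.outbox.append(direct_notice(c) + " You may revoke this consent at any time "
                        "by replying REVOKE, and we will stop using the information.")
        c.state = State.CONFIRMED
    return c.state

def revoke(c: Consent) -> None:
    c.state = State.REVOKED

def may_collect(c: Consent, item: str) -> bool:
    """Gate every collection of the child's PI on confirmed consent for that item."""
    return c.state is State.CONFIRMED and item in c.requested_pi
```

Every collection of the child’s PI goes through `may_collect`, so code paths cannot start collecting after the direct notice alone; consent becomes effective only once the “plus” step has been recorded, and a timeout in the notice-sent state erases the parent’s contact information rather than leaving it in the record.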
An operator can collect the parent’s “online contact information” to obtain or confirm parental consent, defined as:
- An email address;
- An IM user identifier;
- A VoIP identifier;
- A video chat user identifier; or
- Other substantially similar identifier.
BUT NOT the parent’s mobile phone number. However, once an operator connects with the parent, it may request the mobile phone number for further communication.
EXCEPTIONS TO PRIOR PARENTAL CONSENT [See §312.5(c)]: verifiable parental consent is not required in the following cases:
- Where the sole purpose of collecting the name or online contact info of the parent or the child is to provide notice and obtain parental consent, if parental consent has not been obtained after a reasonable time from the date the info is collected, the info must be deleted.
- Where the purpose of collecting a parent’s online contact information is to provide voluntary notice to, and subsequently update the parent about, the child’s participation in a Web site or online service that does not otherwise collect, use, or disclose the child’s PI. Must make reasonable efforts to provide to the parent the notice required under §312.4(c)(2).
- Where the sole purpose of collecting online contact information from a child is to respond directly on a one-time basis to a specific request from the child, AND such information is not used to re-contact the child or for any other purpose, such information is not disclosed, AND is deleted by the operator from its records promptly after responding to the child’s request (the “one-time contact” exception).
- Where the purpose of collecting a child’s and a parent’s online contact information is to respond directly more than once to the child’s specific request, and not used for any other purpose, disclosed or combined with other info collected from the child. Must make reasonable efforts to provide to the parent the notice required under §312.4(c)(3).
- Where the purpose of collecting a child’s and a parent’s online contact information is to protect the safety of the child, and not used or disclosed for any purpose other than the child’s safety. Must make reasonable efforts to provide to the parent the notice required under §312.4(c)(4).
- Where the purpose of collecting a child’s name and online contact information is to: (i) protect the security or integrity of the Web site or online service, (ii) take precautions against liability, (iii) respond to judicial process; or (iv) to the extent permitted under other provisions of law, provide info to law enforcement agencies for an investigation on a matter related to public safety; and where the child’s info is not used for any other purpose.
- Where an operator collects a persistent identifier and no other PI and such identifier is used for the sole purpose of providing “support for internal operations” of the Web site or online service.
- Where a third party provider such as an ad network or plug-in integrated into a children-directed Web site or online service collects a persistent identifier and no other PI from a user who affirmatively interacts with the provider and whose previous registration with such provider indicates that the user is not a child under 13.
Industry groups or other persons may apply to the FTC for approval of safe harbor programs. Several of the FTC-approved COPPA safe harbor programs offer parental notification and consent systems for operators who are members of their programs. Examples: TRUSTe COPPA Safe Harbor Program, Aristotle International, Inc. COPPA Safe Harbor Program, Entertainment Software Rating Board COPPA Safe Harbor Program, PRIVO COPPA Safe Harbor Program. The providers of these programs can carry out the notice and consent obligations for their members.
COPPA is enforced by the FTC as well as by states (TX brought a COPPA action in 2007 and NJ in 2012) and other certain federal agencies (Dept. of Transportation, Office of the Comptroller of the Currency) with respect to entities over which they have jurisdiction.
A court can hold operators who violate the Rule liable for civil penalties of up to $16,000 per violation. The amount of civil penalties a court assesses may turn on a number of factors: (1) the egregiousness of the violations, (2) whether the operator has previously violated the Rule, (3) the number of children involved, (4) the amount and type of PI collected, (5) how the PI was used, (6) whether it was shared with third parties, and (7) the size of the company.
REMEMBER that the operator of a child-directed Web site or online service is held liable under COPPA for the collection of information that occurs on or through their site and services, even if the operator itself does not engage in such collection. The operator has a duty to conduct an inquiry into the info collection practices of every third party that can collect info via the operator’s Web site or online service or app so that the operator can make an informed decision of whether it is required to give parents notice and obtain consent prior to such third party’s collection of PI from children.
The Amended Rule mandates that operators take reasonable steps to release children’s PI only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of such information AND who provide assurances that they will maintain the information in such a manner.
* * *
View Mintz Levin’s Privacy & Security attorneys.
Read and subscribe to Privacy & Security Matters blog.