COPPA updates go into effect today, if anyone is watching

The FTC revised the Children’s Online Privacy Protection Rule (COPPA) in December 2012 to take into account the rapidly expanding move to mobile applications, social media and the evolving nature of personally identifiable information. Those rules go into effect July 1, 2013.

COPPA is supposed to inform parents of data being collected about their children and provide opportunities for the parents to consent or opt out of the service.[1] Unfortunately, in application, COPPA has been applied as an either/or test – a site either caters to children and therefore complies with COPPA or prohibits use of services by children and therefore takes no steps to comply with parental notification and consent rules.

Many operators provide non-children services but do nothing to discourage use by children under 13, a practice which has obviated the impact of COPPA. Social media sites, in particular, tend to avoid compliance with COPPA and instead post disclaimers requiring that the users are over 13. But these sites have no verification procedures as to identity or age.

The FTC hopes to change this with the new rules. The amendments to COPPA are intended to minimize this gamesmanship by reducing the ability for a company to ignore actual usage by under-age customers and hide behind age disclaimers. Only time will tell whether the new rules will have that effect.

A second aspect of the new rule will likely have more impact. Self-regulatory associations can submit their certification program to the FTC for pre-approval. Provided members remain in compliance with the certified program, the approval serves as a safe harbor, protecting members of the association from FTC enforcement actions. Examples of those applications include the following:

The self-regulatory associations, particularly the ESRB, take member enforcement very seriously. The multi-billion dollar gaming industry has become the model for differentiating products based on market segment. It has a strong incentive to segregate its under-13 products from the other products. Of course, it remains to be seen whether this will result in fewer 10-year-olds sneaking onto 15+ (or 18+) platforms, but the video game industry has been more effective than most in reducing the casual avoidance of the age restrictions.

The biggest change under the COPPA revisions is the type of information now covered as personally identifiable information. Mobile and social media have transformed the tools available to individually track a customer. Persistent identifiers such as unique IDs, computer or chip serial numbers, unique device identifiers, IP addresses, and geo-location tags all work individually or together to create unique identification. None of those tools includes a name or address, yet they provide comprehensive, persistent information regarding the identity of each individual. COPPA therefore expands the definition of personally identifiable information to reduce personalized targeting of advertising at children.

As an example of how personally identifiable information has evolved, this paragraph describes the ESRB’s updated guidance on personally identifiable information:

Personally Identifiable Information means any information that can be used to identify an individual or which enables direct contact with an individual. This would include an individual’s name, online contact information (i.e. email addresses or other identifier that permits direct online contact with a person via instant messaging, video, voice over internet protocol or any other means not specifically defined herein), phone number, fax number, home address, social security number, driver’s license number, credit card number, photos, videos, or audio containing the image or voice of a child, persistent identifiers (such as a customer number held in a cookie or a processor serial number, a unique device identifier, or IP address), or geo-location information sufficient to identify a street name and name of town. Demographic information that is combined with personal information (including, but not limited to, gender, educational background, or political affiliation) also becomes Personally Identifiable information. Personally Identifiable Information does not include information that is encoded or rendered anonymous, or publicly available information that has not been combined with non-public Personally Identifiable Information (and has not been previously defined as Personally Identifiable Information.)

The expanded COPPA will take months to truly affect the marketplace. Even then, it will only be effective if companies take the obligations not to track seriously and treat their customers with respect – something missing from the past 15 years of COPPA compliance.

Some, and perhaps a majority, of people prefer to be served ads that are relevant and interesting, so they don’t mind the outcome of behavioral advertising even if they are squeamish regarding the methods used to select the ads. But Congress assumes that children have fewer defenses to advertising and that these techniques can be manipulative and harmful. Targeting individual minors under 13 is therefore prohibited without the parents’ consent. Hopefully, the COPPA revisions will make this difference begin to matter.

For more information, see the additional guidance provided by the FTC:

The FTC has also released two new pieces designed to help small businesses that operate child-directed websites, mobile applications and plug-ins ensure they are compliant with upcoming changes to the rule.

The first is a document, “The Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business,” which is designed especially for small businesses and contains a step-by-step process for companies to determine if they are covered by COPPA, and what steps they are required to take to protect children’s privacy. The FTC also released a video aimed at businesses to help explain their obligations under the revised rule, including an explanation of the changes.

Finally, the FTC has updated a guide for parents, “Protecting Your Child’s Privacy Online,” that explains what COPPA is, how it works and what parents can do to help protect their children’s privacy online.

These new documents provide guidance from the FTC staff that supplements the rule and other COPPA-related material previously published by the FTC, including an updated set of frequently asked questions about the rule. FTC staff will periodically update the FAQs.

In addition to the guidelines and frequently asked questions, FTC staff maintain a “COPPA Hotline” email address, COPPAHotLine@ftc.gov, where industry members can send questions on how to ensure they are compliant with the rule. Comments on the FAQs or suggestions for new FAQs may also be submitted through the COPPA Hotline email address.


[1] The COPPA rule requires that operators of websites or online services that are either directed to children under 13 or have actual knowledge that they are collecting personal information from children under 13 give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information, and keep secure the information they collect from children.

COPPA Rule Supplemental Comments Extended to Sept. 24th

In an earlier post, I discussed the significance of proposed changes to the Children’s Online Privacy Protection Rule (COPPA Rule) recommended by the FTC. The FTC has extended the comment period regarding the revisions to the COPPA Rule until September 24, 2012.

The COPPA Rule is designed to protect children under 13 from unwanted privacy intrusion by providing parents control over what information websites and online services may collect from these children.

The revised rule expands the websites covered by the COPPA Rule, makes clear that targeted or behavioral advertising geared at protected minors is covered, and expands the definition of personal information to include persistent identifiers.

Some comments have already been filed. They can be read online.

According to the FTC, the extension was “in response to requests from several organizations.” The FTC now anticipates that “public comments on the Supplemental Notice of Proposed Rulemaking will now be accepted until September 24, 2012.”

Significant revisions to Children’s Online Privacy Protection Rule trigger supplemental review

In 1998 Congress responded to the growing demand for protection from invasions of privacy and the potential for marketers or predators to target young children by passing the Children’s Online Privacy Protection Act (COPPA). The Children’s Online Privacy Protection Rule (16 CFR part 312) provides the rules governing the implementation of the law.

As described in the Federal Register, the COPPA Rule includes three key features:

Among other things, the Rule requires that operators provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age. The Rule also requires operators to keep secure the information they collect from children and prohibits them from conditioning children’s participation in activities on the collection of more personal information than is reasonably necessary to participate in such activities. The Rule contains a ‘‘safe harbor’’ provision enabling industry groups or others to submit to the Commission for approval self-regulatory guidelines that would implement the Rule’s protections.

In April 2010 the FTC began a process to update the Rules. A notice was sent out in September 2011, generating 350 comments regarding the proposed changes. After receiving the comments and reviewing its own proposal, the FTC substantially changed the proposed update to the Rule. As a result, the FTC has issued a Supplemental Notice of Proposed Rulemaking under which comments will be accepted until September 10, 2012.

Instructions for submitting comments are found in the Notice. Comments can be submitted electronically by clicking here.

The FTC explains the changes as follows:

The proposed modifications to the definitions of “operator” and “website or online service directed to children” would allocate and clarify the responsibilities under COPPA when third parties such as advertising networks or downloadable software kits (“plug-ins”) collect personal information from users through child-directed websites or services. The Commission proposes to state within the definition of “operator” that personal information is “collected or maintained on behalf of” an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator. This change would make clear that an operator of a child-directed site or service that chooses to integrate the services of others that collect personal information from its visitors should itself be considered a covered “operator” under the Rule.

The Commission also proposes to modify the definition of “website or online service directed to children” to:

  1. Clarify that a plug-in or ad network is covered by the Rule when it knows or has reason to know that it is collecting personal information through a child-directed website or online service;
  2. Address the reality that some websites that contain child-oriented content are appealing to both young children and others, including parents. Under the current Rule, these sites must treat all visitors as under 13 years of age. The proposed definition would allow these mixed audience websites to age-screen all visitors in order to provide COPPA’s protections only to users under age 13; and,
  3. Clarify that those child-directed sites or services that knowingly target children under 13 as their primary audience or whose overall content is likely to attract children under age 13 as their primary audience must still treat all users as children.

Finally, the Commission proposes to modify the Rule’s definition of “personal information” to make clear that a persistent identifier will be considered personal information where it can be used to recognize a user over time, or across different sites or services, where it is used for purposes other than support for internal operations. In connection with this change, the Commission proposes to modify the definition of “support for internal operations” in order to explicitly state that activities such as: site maintenance and analysis, performing network communications, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual advertisements, and protecting against fraud and theft will not be considered collection of “personal information” as long as the information collected is not used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising, or for any other purpose.

Taken together, these changes attempt to deal with the increasing use of cross-platform sign-ins and authentication. They do not, however, deal directly with social media or other websites that have no provisions for compliance with the Rule but instead encourage users under the age of 13 to mis-identify themselves to the benefit of the website operator.

As the Washington Post noted, “vague language … could allow companies supplying online ads — or even Facebook and Twitter which sometimes appear as little icons on Web sites — to avoid the parental consent process.”

Still, the update addresses at least some of the important changes to the structure of internet communications and the importance of mobile apps as a platform for communications.

September 10th is coming fast. Public comments will be critical in effectively shaping the update to the Rule.

Proposed Revisions to COPPA add Photos and other Protections, Comments Sought

On September 15, 2011 the FTC issued proposed revisions to the Children’s Online Privacy Protection Rule (“COPPA”), which establishes the requirements to protect the personal data of children younger than 13 on web sites. The rules specify that parents must consent to the collection of a child’s personal information.

The FTC provides the following summary:

The primary goal of COPPA and the Rule is to place parents in control over what information is collected from their young children online. The Rule was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. The Rule applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.
Operators covered by the Rule must:

  1. Post a clear and comprehensive privacy policy on their website describing their information practices for children’s personal information;
  2. Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children;
  3. Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties;
  4. Provide parents access to their child’s personal information to review and/or have the information deleted;
  5. Give parents the opportunity to prevent further use or online collection of a child’s personal information;
  6. Maintain the confidentiality, security, and integrity of information they collect from children.

In addition, the Rule prohibits operators from conditioning a child’s participation in an online activity on the child’s providing more information than is reasonably necessary to participate in that activity.

Even a brief review of the COPPA FAQ shows how varied the use of personal information is for websites. Responding to emails falls within an exception to COPPA – but only if the email is not kept by the website, for example.

At the same time, a Sept. 13, 2011 EU report finds that while “Member States and industry are increasingly making efforts to implement EU Recommendations dating from 1998 and 2006 … the measures taken have been insufficient overall.” Facebook, in particular, has come under criticism for its lack of protection for minors 13 or older and for its limited efforts to exclude minors 13 or under. Facebook has no mechanism to comply with COPPA and instead officially does not offer its services to the Tween and pre-teen set, requiring those minors merely to submit a different year of birth to utilize the site.

The proposal retains the under-13 cut-off for COPPA but expands the personal information covered to include audio files, photographs and video that contain images or sound of the minor, as well as geolocation information. Some privacy advocates wanted the rules to include zip code information, gender and date of birth data, but the proposals did not extend that far.

Filling the gap between COPPA and a system that looks away when the child provides the wrong date of birth may be the most important next step.

The FTC is seeking comments on the proposed revisions, which are due on or before November 28, 2011.