COPPA Rule Strengthened to Address the Way Kids Connect Online Today

Lewis Barr, Janrain’s new Vice President of Privacy and Legal, kicks off his first of many articles discussing identity and privacy news and regulations that impact our customers’ business.

COPPA Rules

Back in 1998 when the Children’s Online Privacy Protection Act (COPPA) was enacted — in what some readers may think of as the age of digital dinosaurs — children could watch Barney on TV, but they sure couldn’t pay him a visit on the PBS kids website via their parents’ iPads, or extol his cheeriness on their Facebook pages.  Now, of course, they can.  With the intent of protecting children online in the ways they use the Internet today, including through mobile devices and social networking sites, the FTC recently updated its COPPA Rule.

COPPA applies to the operators of commercial websites and online services that are directed to children under 13 or that know they are collecting personal information from children under 13.

To address the ways in which children’s information can now be collected, the COPPA Rule expands the types of personal information that can’t be collected without parental notice and consent to include:

  • Geolocation information, photographs, and videos and audio files that contain a child’s image or voice;
  • Any user name that would permit direct contact with a user online, such as an email address, an instant message user identifier, a VOIP identifier, or a video chat; and
  • Persistent identifiers, such as IP addresses and mobile user IDs, if they are used to track children over time and across websites. Where the collection of personal information is used “for the sole purpose of supporting the website or online service’s internal operations, such as contextual advertising,” however, COPAA’s parental notice and consent requirements do not apply.

In another significant change, COPPA liability has been extended to websites and online services directed to children even if they don’t collect personal information for themselves but play host to ad networks and plug-ins like Twitter’s “tweet” button that collect personal information for their own use. In addition, the operators of plug-ins and ad networks with actual knowledge that they are collecting information from websites or online services directed at children will be required to meet the parental notification and consent requirements.

To strengthen the protection of children’s information, the amended COPPA Rule requires operators to keep children’s personal information only so long as necessary to meet the purpose for which it was collected and to make reasonable efforts to release children’s personal information to service providers which are capable of maintaining its security, integrity, and confidentiality and of deleting it securely and assure they will do so.

Although there are other important changes that need to be taken into account, the updated COPPA Rule provisions take effect on July 1, giving covered operators several months to implement any operational and other changes necessary for compliance.

Read the FTC’s lengthy discussion of the recent COPPA Rule changes and the revised rule itself.