Does your company offer mobile apps with animated characters or with “kids” in the title or description? Does your website have a section aimed at students, explaining your goods or services in a fun and educational way? Does your company run a contest for students to submit artwork or essays on your social media site?
It doesn’t matter if your company is involved in healthcare or financial services or manufacturing, these offerings could bring your company within the scope of the Children’s Online Privacy Protection Act (COPPA) and the Federal Trade Commission’s new amended regulation, which goes into effect on July 1, 2013.
On September 27, 2011, the FTC proposed updates to its COPPA regulation, which initially went into effect in 2000. 76 Fed. Reg. 59804 (Sept. 27, 2011). The current regulation imposes restrictions on companies that operate websites or provide online services directed at children under the age of 13, and those that have actual knowledge that they are collecting personal information online from children under 13. Those site operators must obtain parental consent before obtaining and using a child’s “personal information.”
On December 19, 2012, the FTC announced the final version of its amendments to the COPPA rule. See FTC Announcement. The new amendments do not change many of COPPA’s guiding principles—so everyone who had been subject to COPPA will likely continue to be—but the new amendment does expand the scope and adds a strict liability standard for site operators with respect to certain third-party actions.
Among many other changes, the FTC’s new amendments added an exception to the parental notice and consent requirements that is probably very important to many companies: the parental notice and consent requirements do not apply for personal identifiers used “solely to support for internal operations” of the web site. This new “internal operations” exception contains a broad swath of services that many web sites currently provide for themselves:
- authentication of users,
- contextual advertising,
- frequency capping,
- legal compliance,
- maintaining or analyzing site functioning,
- network communications,
- security and integrity, and
- site analysis.
The COPPA requirements of parental consent still apply, however, with respect to any uses or disclosures of information collected to contact a specific person, including through behavioral advertising, regardless of whether that information was collected to create a profile on that person or for any other purpose.
When the COPPA regulations were first promulgated, plug-ins and advertising networks were not commonly in use. The FTC wrestled with these topics in 2011, and had initially considered amending the COPPA rule to make the creator of the plug-in a “covered co-operator” of the child-directed site and thus subject to COPPA’s requirements.
In response to the comments received, however, the FTC has instead focused the regulatory obligations on the site operator, but has placed strict liability on that operator if the operator allows other online services—such as plug-ins or advertising networks—to collect personal information through the child-directed site. Note that the FTC stated that it will “deem a plug-in or other service to be a covered co-operator only where it has actual knowledge that it is collecting information through a child-directed site.” 78 Fed. Reg. at 3975.
Sources: 76 Fed. Reg. 59804 (Sept. 27, 2011); 78 Fed. Reg. at 3972 (Jan. 17, 2013); “FTC Strengthens Kids’ Privacy, Gives Parents Greater Control Over Their Information By Amending Children’s Online Privacy Protection Rule,” Dec. 19, 2012.
This article was prepared by Sue Ross (sross@fulbright.com / 212 318 3280) of Fulbright’s Privacy, Competition and Data Protection Practice.