1. Home
  2. |Insights
  3. |What You Need to Know About the FTC's COPPA Revisions

What You Need to Know About the FTC's COPPA Revisions

Client Alert | 6 min read | 02.27.13

On December 19, 2012, the Federal Trade Commission ("FTC") issued final amendments to the Children's Online Privacy Protection Rule ("COPPA Rule"). These amendments implement the Children's Online Privacy Protection Act ("COPPA")1 and will go into effect on July 1, 2013. Advertisers should be aware of the changes to the COPPA Rule, especially because the changes provide for increased FTC enforcement in the area of children's privacy protection. Most notably, the revised COPPA Rule expands the scope of who may be subject to the rule, and the kind of information that is covered by the rule. Some online operators and marketing practices that were not covered before may now be considered within the bounds of FTC's COPPA enforcement powers, and potentially subject to fines if they fail to comply.

Who is subject to the amended COPPA Rule? 

If you or your organization operates a website or online service that gathers information from children under 13 years old, the COPPA Rule may apply to you. The rule is implicated in two primary circumstances: (1) where either the website or the service is directed to children; or (2) where the operator has "actual knowledge" that the website or service is collecting "personal information" from children. Once triggered, the rule obligates covered operators to acquire the verifiable permission of parents before collecting, using, or disclosing personal information from children. 

How has the COPPA Rule changed? 

The following provides some highlights of the FTC's final amendments with a focus on the information that is most pertinent to those in the advertising industry:

1) Operators of child-directed websites and online services will be held strictly liable for third-party collection of personal information 

The FTC broadened the definition of "operator" under the amended rule to mean an operator of a website or online service directed to children, or an operator that has actual knowledge that specific users are children.2 This modification departs from the prior definition which was focused on actual knowledge. Accordingly, operators will now be strictly liable for the third-party collection of personal information from its website or online service.3 

2) The term "operators" will include ad networks and other third parties, if these parties have actual knowledge that they gather personal information from users of a child-directed website or online service

Third-party operators of websites or online services (including ad networks and social media services) will be covered "co-operators" if they have actual knowledge of the practice of collecting personal information from users of a website or online service that is directed to children.4 Consequently, the third-party operator will be required to provide notice to parents and obtain verifiable parental consent prior to collecting such information to be in compliance with the COPPA Rule. 

The FTC has advised that "actual knowledge" is present when (1) a child-directed first party operator directly communicates the child-directed nature of its content to the third-party operator, or (2) a representative of the third-party operator identifies the child-directed nature of the content on the first party operator's website or online service.5 

3) New categories of "personal information"

The amended COPPA Rule classifies new types of information as "personal information" that cannot be collected from a child without parental notice and consent, including (1) photographs, videos, and audio files that contain a child's name or voice6; (2) screen or user names that function as "online contact information7; and (3) geolocation information sufficient to identify the names of streets, cities, or towns.8 

The amended COPPA Rule also includes "persistent identifiers" that can be used to recognize a user over time and across websites and online services as within the definition of "personal information."9 There is, however, an exception to the requirement to obtain verifiable parental consent for situations in which an operator collects a persistent identifier for its internal operations. The new definition of "support for internal operations of [a] website or online service" includes activities that are required to (1) maintain or analyze a website or online service; (2) perform network communications; (3) authenticate users of, or personalize the content on, the website or online service; (4) serve contextual advertising on the website or online service or cap the frequency of advertising; (5) protect the security or integrity of the user, website, or online service; (6) ensure legal or regulatory compliance; or (7) fulfill a child's request as permitted by two exceptions to COPPA's verifiable parental consent requirements.10

4) New definition for a "website or online service directed to children"

The FTC utilizes a totality of the circumstances test to determine whether a website or online service is directed to children.11 To do this, the FTC considers many factors, including the website's subject matter, visual or audio content, musical content, the presence of child celebrities, subject matter of advertisements, evidence regarding intended audience, and whether a site uses animated characters and/or child-oriented activities and incentives.

5) New methods for obtaining "verifiable parental consent"

Under the new COPPA Rule, operators must "make reasonable efforts to obtain verifiable parental consent . . . [that is] reasonably calculated in light of available technology to ensure that the person providing consent is the child's parent."12

The amended COPPA Rule provides a list of reasonable methods to obtain verifiable consent. This list is not exhaustive. It includes, however, obtaining electronic scans of signed parental consent forms, videoconferencing, and the use of government-issued identification checked against a database. The amended rule also allows an operator's acceptance of a digitally signed consent form where the signature provides other indicia of reliability that the signor is an adult, such as an icon or certificate.

What steps should advertisers take in response to this revised rule?

If you are not already complying with the COPPA Rule, advertisers should review the expanded coverage of the Rule to determine if you are now subject to the revised rule. In some instances, this will be a straightforward, but the revised COPPA definitions create some potential questions about how far the FTC will push the new definitions, such as those for "operator" and "personal information." Now is the time, prior to the revised rule taking effect, to carefully evaluate the grounds for treating any website, online service or ad network as outside these definitions, and for making sure these grounds remain supportable under the revised rule. 

Once you ascertain whether you or your advertising methods are covered by the expanded rule, you have six months to evaluate your policies to ensure that efforts are in place to obtain parental consent and to meet the other requirements of the revised rule. Those advertisers who do not evaluate their current practices may find themselves in serious discussions with the FTC—or subject to serious fines. The Commission has a newly revised rule to enforce, and one with broader reach in a political and social climate where privacy concerns are of the highest priority in Washington and among many state attorneys general. 

 


1 See Federal Trade Commission, 16 C.F.R. Part 312: Children's Online Privacy Protection Rule: Final Rule Amendments and Statement of Basis and Purpose (Dec. 19, 2012), available at http://ftc.gov/os/2012/12/121219copparulefrn.pdf (Final Rule and SBP); see also Children's Online Privacy Protection Rule, 16 C.F.R. § 312.

2 See Federal Trade Commission,at *20 n. 59; see also 16 C.F.R. § 312.3.

3 See Federal Trade Commission, at *15-24.

4 See id. at *24-27.

5 See id. at *27.

6 See id. at *40-43; see also 16 C.F.R. § 312.2.

7 See Federal Trade Commission, at *28-30.

8 See id. at *43-46.

9 See id. at *31-39; see also 16 C.F.R. § 312.2.

10 See Federal Trade Commission, at *37-38.

11 See NPR, 76 Fed. Reg. at 59,814; 16 CFR § 312.2.

12 16 CFR § 312.5(b)(1).


Insights

Client Alert | 6 min read | 03.26.24

California Office of Health Care Affordability Notice Requirement for Material Change Transactions Closing on or After April 1, 2024

Starting next week, on April 1st, health care entities in California closing “material change transactions” will be required to notify California’s new Office of Health Care Affordability (“OHCA”) and potentially undergo an extensive review process prior to closing. The new review process will impact a broad range of providers, payers, delivery systems, and pharmacy benefit managers with either a current California footprint or a plan to expand into the California market. While health care service plans in California are already subject to an extensive transaction approval process by the Department of Managed Health Care, other health care entities in California have not been required to file notices of transactions historically, and so the notice requirement will have a significant impact on how health care entities need to structure and close deals in California, and the timing on which closing is permitted to occur....