L-8 | December 20, 2012

COPPA Rule Announced

On December 19, 2012, the Federal Trade Commission (FTC) announced final amendments to the Children’s Online Privacy Protection Act (COPPA) that impose new obligations on websites and online services (including mobile apps) that may collect information from children under 13. The final amended Rule will go into effect on July 1, 2013.

The final Rule incorporates many of TIA’s recommendations in prior comments that should serve to reduce some of the compliance burdens. The following is a summary of the key points from the new Rule:

  • Collection of personal information generally requires parental consent. The definition of “personal information” will be modified to include geolocation information; a screen or user name where it functions as online contact information; photographs and videos; and “persistent identifiers,” except where the latter is used to support the internal operations of the website or online service.

  • Persistent identifiers include IP addresses and mobile devices IDs. In response to comments from TIA, persistent identifiers are defined as identifiers that can recognize users over time and across different websites or online services, allowing use at a site of family of sites.

  • Acknowledging comments from TIA and others, the FTC confirmed that the definition of a screen or user names nevertheless permits operators to use anonymous screen and user names for content personalization, filtered chat, public display (in game scores, etc.) and for operator-to-user communications via the screen or user name.

  • The COPPA Rule “closes the loophole” that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent. For child-directed properties, one entity must be strictly responsible for providing parents notice and obtaining consent when personal information is collected through the site.

  • Third parties collecting data that falls outside the exemption for “support for internal operations” also have to comply with COPPA.

  • The final Rule requires operators and online service providers to take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential, but the FTC did not adopt its earlier proposal to require companies to “ensure” confidentiality.

  • Requires that covered website operators adopt reasonable procedures for data retention and deletion.

  • The final Rule creates a process for companies to seek approval for additional activities that might constitute “support for the internal operations of the website,” and alternative mechanisms to obtain parental approval.

  • Additional obligations will apply to self-regulatory safe harbor programs, giving the FTC additional oversight.

The FTC also specifically recognized TIA’s comments in:

  • Retaining the “e-mail plus” method for parental consent, and permitting electronic signatures;

  • Replacing the “100% deletion standard” under the definition of collects or collection with a “reasonable measures” standard to allow filtered chat;

  • Ensuring that intellectual property protections, payment and delivery functions, spam protections, optimization, statistical reporting, de-bugging and other activities are covered under support for internal operations;

  • Requiring that the notice provide the contact information for only one operator; and

  • Eliminating a proposed requirements that links to a privacy policy should appear in any location where mobile apps can be purchased or downloaded.

Website operators who violate the Rule can be held liable for civil penalties of up to $11,000 per violation. The amount of penalties the court assesses may turn on a number of factors, including the egregiousness of the violation, the number of children involved, the amount and type of personal information collected, how the information was used, whether it was shared with third parties, and the size of the company.

BACKGROUND INFORMATION

The announcement comes on the heels of a recent Federal Trade Commission (FTC) report on kids and mobile apps showing that parents are still not given the information they need from app developers to determine what data is being collected from their children, how it is being shared and who will have access to it. 

In “ Mobile Apps for Kids: Disclosures Still Not Making the Grade” (which is a follow-up to the FTC’s first report on kids and mobile apps released in February 2012), the FTC surveyed 400 children’s apps in the Google Play and Apple App stores and found that just 20% of the apps reviewed disclose any information about the app’s privacy practices, and 60% of the apps transmit private information (such as mobile device ID, geolocation or phone number) to ad networks, analytics companies or other third parties without disclosing such practices to parents.

A supporter of children’s privacy and guidelines that facilitate the ability to offer fun, safe online environments for children while remaining protective, TIA previously submitted industry commentsto the FTC on proposed COPPA revisions.

ADDITIONAL RESOURCES

TIA has provided members with a Checklist for Mobile Apps and Promotions. This is a framework for toy companies to examine and evaluate the risks and opportunities related to their app initiatives.

In early 2013, TIA will provide members with additional resources related to the new COPPA Rule that will educate toy companies on implementation requirements.

Questions on this matter may be directed to TIA’s Director of Federal Government Affairs, Rachel Hedge.