Here is a reminder that the Federal Trade Commission’s revisions to its Children’s Online Privacy Protection Rule become effective on July 1. If you haven’t already, now is the time to make sure you have revisions to meet the rule in place as FTC and state attorney general inquiries and formal investigations are sure to follow the extensive public notices about the new rule as well as the need to comply on time.
First, the revisions significantly expand the types of “personal information,” that trigger compliance with COPPA. Prior to the revisions, personal information included categories such as the name, address, email, phone number and Social Security number of the child. As of July 1, “personal information” includes:
- “online contact information”, including instant messaging user identifiers, voice over internet protocol (VOIP) identifiers and video chat user identifiers;
- a “screen or user name where it functions in the same manner as online contact information”;
- “persistent identifiers”, including an Internet Protocol (IP) address or mobile device IDs that can be used to recognize a user over time and across different websites or online services;
- a photograph, video, or audio file where such file contains a child’s image or voice; and
- geolocation information sufficient to identify street name and name of a city or town.
Pre-enforcement notifications have already begun. Last month the FTC sent “educational letters” to over 90 businesses that appear to collect “personal information,” as defined by the Children’s Online Privacy Protection Rule (the “Rule”), from children under 13. One form of letter went to companies that may be collecting images or sounds of children and another letter went to companies that may be collecting persistent identifiers from children. In addition, the Commission has made available copies of similar letters to companies located outside the US that may be collecting images or sounds of children as well as to non-US based companies that may be collecting persistent identifiers from children. According to the FTC, the letters are “designed to help businesses come into compliance with the rule’s requirements,” and do not provide any official evaluation by the Commission regarding any of the individual company’s practices.
In addition the revised Rule:
- Expands its coverage to include third-party services that collect personal information;
- Imposes new data retention obligations and data security requirements with respect to sharing of data with other companies;
- Adds additional methods of verifying parental consent while retaining the “email plus” method; and
- Provides a narrow exception for certain websites to that are “directed to children” to comply only with respect to those users who identify themselves as under age 13.
The Commission has posted additional information regarding the changes as well as the full text of the revised Rule at http://www.ftc.gov/opa/2012/12/coppa.shtm. In addition, the Commission posted online its FAQ regarding COPPA, which it revised in April of this year.