by Amy Kleinschmit, Director of Compliance

The COPPA Rule, which became effective on April 21, 2000, imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.  Per the discussion to the final amendments, “these amendments to the final Rule will help to ensure that COPPA continues to meet its originally stated goals to minimize the collection of personal information from children and create a safer, more secure online experience for them, even as online technologies, and children’s uses of such technologies, evolve.” In its release that announced the final amendments, the FTC summarized the following final amendments to the COPPA Rule:

·         modify the list of “personal information”  that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;

·         offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;

·         close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;

·         extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;

·         extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;

·         strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;

·         require that covered website operators adopt reasonable procedures for data retention and deletion; and

·         strengthen the FTC’s oversight of self-regulatory safe harbor programs.

Part 312 of Title 16 of the Code of the Federal Regulations, COPPA Rule, defines a “child” as an individual under the age of 13. An “operator” means “person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, or offers products or services for sale through that website or online service, where such website or online service is operated for commercial purposes involving commerce:

(a) Among the several States or with 1 or more foreign nations;

(b) In any territory of the United States or in the District of Columbia, or between any such territory and

(1) Another such territory, or

(2) Any State or foreign nation; or

(c) Between the District of Columbia and any State, territory, or foreign nation. This definition does not include any nonprofit entity that would otherwise be exempt from coverage under Section 5 of the Federal Trade Commission Act (15 U.S.C. 45).

Personal information is collected or maintained on behalf of an operator when: (a) it is collected or maintained by an agent or service provider of the operator; or (b) the operator benefits by allowing another person to collect personal information directly from users of such website or online service.”

Under the COPPA Rule, it is unlawful for any operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting or maintaining personal information from a child, to collect personal information from a child in a manner that violates the rule.  Some of the requirements under this Rule include requiring an operator to provide notice on the website or online service of what information it collects from children, how it uses such information and its disclosure practices for such information.  An operator must also obtain verifiable parental consent prior to any collection, use and/or disclosure of personal information from children.  Operators must provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance and also must not condition a child’s participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity.  Finally, the operator must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

Should you have any questions or concerns on this or any other compliance topic, please do not hesitate to contact Amy Kleinschmit at akleinschmit@cuad.coop or 701.214.9721.