Privacy Alert: New COPPA Rule Effective July 1, 2013

New amendments to the Children’s Online Privacy Protection Rule go into effect today, July 1, 2013. Amongst the significant changes introduced by the new Rule, (1) the newly expanded definition of “personal information” and (2) new obligations upon third party data collectors warrant particular attention. Websites, online services, and mobile apps that directly or indirectly collect information about children under the age of 13 will need to evaluate their data collection practices in light of the new Rule. Businesses most likely to be impacted include mobile app developers, ad networks, ad tech companies, social networks, and any service that collects information about consumers across domains.

What is the Children’s Online Privacy Protection Act?
The Children’s Online Privacy Protection Act (COPPA) is a federal statute that imposes notice and consent requirements on the operators of websites or online services that are directed toward children under the age of 13, as well as operators of general audience sites who have actual knowledge they are collecting or storing personal information from children under the age of 13. The Children’s Online Privacy Protection Rule is the regulation by which the FTC enforces COPPA. For general context on COPPA, a review of its key terms, and a broader discussion of the new Rule going into effect July 1, 2013, please see our previous alert on this topic. The FTC has also released some helpful guidance in the form of Frequently Asked Questions and a Six Step Compliance Plan.

Expanded Definition of “Personal Information”
The amended Rule clarifies and expands the types of information considered to be “personal information” under COPPA to include: (1) screen names, where they function as online contact information; (2) photo, video, and audio files that contain a child’s image or voice; (3) geolocation data; and (4) persistent identifiers that can be used to recognize a user over time and across different websites or online services, such as an IP address, cookie ID, or unique device identifier.

Under the amendment, persistent identifiers do not need to be coupled with any other personal information to be considered personal information. To balance this expansion with the fact that nearly every website and online service collects a persistent identifier, the FTC clarified that if an operator need not obtain verified parental consent when it collects a persistent identifier for the sole purpose of providing support for its internal operations. In addition, the FTC expanded “support for internal operations” to include frequency capping of advertising and legal or regulatory compliance.

Third Party Data Collectors
Under the new rule, third party data collectors–such as ad networks, ad tech companies, social media plug-in providers, demographics and web metrics providers–must comply with COPPA if they obtain actual knowledge that they are collecting personal information about users of a child-directed site or service. Although third parties need not proactively investigate whether each of their partners is a child-directed site, the FTC has suggested that a third party data collector will have “actual knowledge” where (1) a site operator directly communicates the child-directed nature of its content to the data collector, or (2) a representative of the data collector recognizes the child-directed nature of a site from which it collects data. In some circumstances, third party data collectors who collect persistent identifiers from child-directed sites will be able to avail themselves of the “support for internal operations” exception where they use the identifier to cap the frequency of ads to a single visitor or provide contextual ads. However, the use of persistent identifiers for cross-site behavioral advertising or retargeting will not fall within the exception.

Directed to Children
As with the original Rule, the new Rule does not rigidly define when a site is “directed to children.” But it adds several indicators of sites “directed to children”, including child-oriented music, images of child celebrities and celebrities that appeal to children. If a site does not target children as its primary audience, it will not be deemed “directed to children” if it (1) collects age information before collecting any personal information, and (2) prevents the collection, use or disclosure of personal information of visitors that self-identify under 13 years of age. If a website or online service is directed to children and targets children as its primary audience, it must presume all visitors are children.

What’s Next?
The FTC has stated that it will “exercise its prosecutorial discretion in enforcing the COPPA Rule, particularly with respect to small businesses that have attempted to comply with the Rule in good faith in the early months after the Rule becomes effective.” However, the FTC has been active in bringing enforcement actions under COPPA in recent years, and there is no reason to believe that will change.​​​​