The Federal Trade Commission (“FTC”) recently revised the Children’s Online Privacy Protection Act (“COPPA”) Rule, which took effect on July 1, 2013. Congress enacted COPPA in 1998 to place parents in control over information collected from their children online. Operators of websites and online services, including mobile apps, that collect personal information from children under 13 must comply with COPPA, which requires that such operators give notice to parents and obtain their consent before collecting, using, or disclosing their child’s personal information. Noncompliance may result in penalties of up to $16,000 per violation.

The revised COPPA Rule aims to strengthen children’s privacy protections and give parents greater control over the personal information that websites and online services can collect. Among the more significant changes in the revised Rule are an expanded definition of the term “personal information” and revisions to how companies may obtain parental consent. Some of these key revisions to the COPPA Rule are discussed below.

Definition of “Personal Information”

The revised COPPA Rule reflects the changing reality of online data collection by expanding the definition of personal information. The original COPPA Rule defined personal information as only including a user’s name, address, online contact information, phone number, and social security number. The revised definition of personal information now also includes geolocation information, photographs or videos of children, and audio files of children’s voices. It also treats a screen or user name as personal information if it functions as a means to contact the user online. Personal identifiers that permit recognition of a user over time, across different websites or online services, also qualify as personal information.

Third-Party Information Collection

Under COPPA, verifiable parental consent is required whenever children’s information is collected. However, under the original COPPA Rule, third-party plug-ins[1] were able to collect information on child-directed websites without first obtaining parental consent. The revised COPPA Rule closes this loophole and makes website and online service operators that target children under 13 responsible for any collection of personal information on their website or service, even if a third party is doing the collecting. Operators are required to conduct an inquiry into the information collection practices of their third-party service providers that collect personal information through their website, and ultimately face more liability for the conduct of these third-party service providers.  

Third parties must also comply with COPPA when they have “actual knowledge” that they are collecting personal information from users of a child-directed website or service. “Actual knowledge” will likely be met if the operator of a child-directed website or service communicates the nature of its child-directed content to the third party or if a representative of the third party recognizes the child-directed nature of the content.

Verifiable Parental Consent

COPPA requires an operator to obtain verifiable parental consent before collecting personal information from a child. Under the original COPPA Rule, the type of verifiable parental consent that was appropriate was judged on a “sliding scale”; it only required “any reasonable effort . . . to ensure that a parent of a child receives notice of [and gives authorization to] the operator’s personal information collection, use, and disclosure practices.”[2] Under the revised COPPA Rule, operators must “make reasonable efforts to obtain verifiable parental consent . . . [that is] reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.”[3] The revised Rules also adds several new methods of obtaining consent: electronic scans of signed forms, video conferencing, checking of government-issued identification against a database, and use of a credit or debit card that sends the parent discrete online notification of the transaction.

In addition, if children’s personal information will only be used internally, the “email plus” method of consent is still available. Under this method, an operator can send a direct notice to the parent’s online contact address requesting the parent indicate consent in a return message. Following this consent, an additional confirmation step is required, such as a follow-up phone call, fax, or letter, or, after a reasonable time delay, the operator can send another message via the parent’s online contact information to confirm consent.  

Direct Notice and Privacy Policy

Under the revised COPPA Rule, the requirements for the content of the parental notice that operators must provide change depending on whether personal information is collected, used, or disclosed. The direct notice must now also include a link to the operator’s privacy policy. The privacy policy must describe the operator’s information practices for personal information collected online from children and must also state and explain how the parent can review their child’s personal information or have it deleted and prohibit its further collection or use.

Data Retention and Security

Operators should consider what information is collected, how it is collected, how it is used, and whether it is necessary for the website’s or service’s activities. Under the original COPPA Rule, the language related to data retention and security was very vague: an operator was only required to “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity” of information collected from children.[4]

The revised COPPA Rule now requires operators to strengthen data security protections by ensuring they are able to maintain the confidentiality, security, and integrity of the information. This new requirement means operators must take reasonable steps to release children’s personal information only to parties that can maintain the confidentiality, security, and integrity of the information. Operators must evaluate a third party’s data security capabilities and receive assurances about how the information will be treated.

The revised COPPA Rule also requires operators to employ reasonable data retention and deletion procedures as part of its data security strategy. In other words, operators can only retain children’s personal information for “as long as is reasonable necessary,” and when they dispose of it, they will take reasonable measures to prevent unauthorized access to the information.

Companies that fall under the scope of COPPA should ensure that they are compliant with the new revisions. They should determine whether any of their practices collect any information that now qualifies as personal information under COPPA’s expanded definition. If they do collect personal information, they should be aware of the new policies surrounding obtaining verifiable parental consent, privacy, and data retention and security. Companies should be particularly mindful that the revised COPPA Rule now makes them liable for the conduct of third-party service providers that collect personal information through the company’s website or online service, and likewise, third parties collecting personal information through a child-directed website should be aware that they may now be subject to COPPA.

* The authors wish to thank Mayer Brown summer associate Natasha Chu for her work on this article.

[1] An example of a plug-in is Adobe Flash Player.

[2] Children’s Online Privacy Protection Act of 1998, 13 U.S.C. § 1302(9) (1998).

[3] Children’s Online Privacy Protection Rule: Parental Consent, 16 C.F.R. § 312.5(b)(1) (2013).

[4] Children’s Online Privacy Protection Act of 1998, supra note 1, at § 1303(b)(1)(D).