Although changes were very necessary, the recent FTC amendments to the Children's Online Privacy Protection Act (COPPA) have sparked some confusion, and raised concerns that they will diminish innovative and educational content production.
To quickly review: COPPA restricts the online collection of personal information from children under 13 years of age in advance of parent consent. It applies to US companies or to US citizens, but in effect, applies globally. It details what a website (or any online service) operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children's privacy and safety online. This includes restrictions on marketing to children under 13.
The FTC initiated a review in 2010 to ensure that the COPPA Rule keeps up with evolving technology and changes in the way children use and access the Internet, including the increased use of mobile devices and social networking. After a lengthy consultation period the revisions were announced in December 2012. In January, FOSI released an article outlining the changes the FTC has made to the Act, which comes into force on July 1 2013.
eModeration has taken a close look at the FOSI article, and consulted Denise Tayloe, CEO of PRIVO, the leading consultants on COPPA compliance, to help demystify a complex topic. Thanks to both FOSI and to Denise, for her invaluable help and direction.
Here is a summary of the changes and some analysis of what they mean to all online service operators
PII has been extended to include: geolocation data, persistent identifiers (such as an IP address, or unique device identifier), photos, audio and videos, plus usernames and screen names when they operate the same as online contact information.
The promotion of "Just in Time" notifications makes sense and will assist parents in making informed decisions about what their kids are doing online. (For example, informing parents of what is being collected, exactly when the information is collected by the company). The notice must include:
- What information has already been collected and what additional COPPA triggering features will be enabled allowing for additional collection
- Purpose of the notice
- Actions the parents must take
- Description of how the information will be used
- A hyperlink to the website privacy notice
However, this requirement makes it difficult for a company to offer blanket COPPA protections, which are opt-in, rather than opt-out post data share.
The retention of "email plus"[i] provides websites and apps with an easy, cost-effective way of obtaining verifiable parental consent for information collected and used solely for internal purposes (i.e. NOT shared with any third parties).
(PRIVO has commented that the FTC didn't retain email plus because it was reliable - but rather that there was nothing better that was as cost-effective and simple for all parties.)
More methods of obtaining verifiable parental consent have been introduced: In general, any method will be permitted if it meets the test of "Any method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent." These methods include:
- electronic scans of signed consent forms and video conferencing;
- collecting government issued identification and checking identification against a database of such information (provided such information is deleted after verification);
- monetary transaction on a credit card, debit card, or other online payment system that notifies or records each discrete transaction to the primary account holder.
(PRIVO notes: "As you can see, none of the enumerated methods on their own accomplish the goal of establishing a reliable parent/child relationship")
Increased oversight of the safe harbor program [ii], along with allowing them to approve consent mechanisms not yet enumerated by the FTC. Online operators are encouraged to participate in an annual assessment and certification process with an approved safe harbor under COPPA.
Expansion of the "support for internal operations" definition [iii] allows operators to collect the necessary information for the running of their services without going through expensive and time-consuming consent procedures.
Releasing children's data to third parties: Operators must take reasonable steps to release children's personal information only to service providers and third parties that are capable of maintaining the confidentiality, security and integrity of such information and provide assurances that they will do so. This new requirement does not require operators to ensure compliance, but does require them to inquire about the entities' data security capabilities and, either by contract or otherwise, receive assurances about how the information will be treated.
A strict liability standard on websites or services that incorporated a third party service, such as social networking plug-ins or advertising networks; stating that:
- the first party site was best placed to know the age of their users and to request the relevant consent from parents
- the first party site derived significant benefit, financial or otherwise, from the third party service
The plug-ins and advertising networks themselves are now subject to the COPPA Rule in their own right. Plug-ins where they have "actual knowledge" that they are collecting information from a child-directed property are subject to the same laws. What constitutes "actual knowledge" remains unclear.
As expected, app developers, small businesses and large companies have raised specific concerns:
- First party sites or services will be reluctant to incorporate third party plug-ins if they have liability for their compliance.
- They asked the FTC to consider situations where, despite agreements to the contrary, a third party service collects data from a child, and the first party will still be contravening the COPPA Rule and subject to enforcement actions.
- Regarding the cost and feasibility of compliance with some of the new terms; many believe the cost has been massively underestimated by the FTC and will result in many organizations ceasing to create any material for children, especially those aged under 13.
- There are also legal considerations and the question as to whether or not the revised Rule has exceeded the scope of the original Act (COPPA) and that the FTC is exceeding their statutory authority overall.
Hopefully, this will give you some insight in to the changes and the objections raised. We feel that clearer communication of the impact, and anything left open-ended (such as how to handle existing accounts and whether mobile push alerts are COPPA triggering) needs to be cleared up soon if companies are to begin compliance by July 1, 2013.
Many thanks once again to Denise Tayloe of Privo for her guidance and also to eModeration's Child Safety Liaison Officer, Jennifer M Puckett, who co-authored this article.
Notes and further reading on the changes to COPPA:
For more information and background reading please see FOSI's article, COPPA FAQs (Just updated: April 26 2013), Privacy and Security Matters, Mondaq.com's review of the changes, 7 Ways to be More COPPA Compliant (Inversoft) and our own blog posts on the subject:
- The changes to US COPPA legislation - do you have questions or comments? (Sept 4 2012)
- FTC revisions to proposed changes to COPPA (August 8 2012)
- COPPA - is it doing children online more harm than good? (Nov 4 2011)
- The proposed changes to COPPA: Can they work? We think not. (Oct 21 2011)
- COPPA attempting to update itself (July 5 2010)
[i] The "email plus" mechanism allows you to request (in the direct notice to the parent) that the parent provides consent in an email message. However, this mechanism requires that you take an additional step after receiving the parent's email consent to confirm that it was, in fact, the parent who provided consent (the "plus" factor). These additional steps include:
Requesting in your initial email seeking consent that the parent include a phone or fax number or mailing address in the reply email, so that you can follow up to confirm consent via telephone, fax, or postal mail; or
After a reasonable time delay, sending another email to the parent to confirm consent. In this confirmatory email, you should include all the original information contained in the direct notice, inform the parent that he or she can revoke the consent, and inform the parent how to revoke the consent.
[ii] Safe Harbor: The Rule contains a "Safe Harbor" provision enabling industry groups or others to submit to the Commission for approval of self-regulatory guidelines that would implement the Rules's protections. This program under COPPA, not to be confused with the EU Safe Harbor between the US Department of Commerce and the European Commission, provides for the same or greater protections for children as the COPPA Rule; the program must provide effective, mandatory mechanisms for assessing participants' compliance with the requirements; and offer compliance incentives that provide for effective enforcement of the Rule.
Five groups have been approved as COPPA safe harbor programs so far: PRIVO, the Children's Advertising Review Unit of the Better Business Bureaus (CARU); the Entertainment Software Rating Board (ESRB); TRUSTe; and Aristotle International, Inc.
[iii] Support for internal operations: Under the amendment, persistent identifiers do not need to be coupled with other personal information to be considered personal information. To balance this expansion, the FTC clarified that if an operator collects a persistent identifier for the sole purpose of providing support for its internal operations, then the operator is not required to provide notice or obtain prior parental consent for such collection and use. In addition, the FTC expanded "support for internal operations" to include frequency capping of advertising and legal or regulatory compliance.
Image courtesy of Flickr: David Tao Photography