Earlier today, FTC Chairman Leibowitz announced the agency’s update to the COPPA rule at a press conference alongside Sens. Jay Rockefeller (D-W.Va.) and Mark Pryor (D-Ark.), and Congressmen Ed Markey (D-Mass.) and Joe Barton (R-Tex.). The changes to COPPA were two years in the making and were the result of two proposed rule revisions and comment periods. As anticipated, the new rule comes with a broadened scope. Sen. Rockefeller provided the opening remarks to the press conference, expressing his approval that the new COPPA rule “captures the new online reality” to address the rise of social networks, smartphones, tablets, and apps. Some highlights from the new COPPA rule include:
- Expanded scope of personal information – the collection of which requires parental notice and consent – to include geolocation information, photographs, and videos. The chairman noted that this kind of information can be used to cause physical harm to children.
- Expanded scope of personal information to also include persistent identifiers, such as mobile device unique identifiers and IP addresses, to the extent they can recognize users over time and across different websites. Chairman Leibowitz noted that these types of information can be used to build massive profiles by behavioral marketers. The definition would not be extended to include persistent identifiers if they are used for the sole purpose of supporting the site or its internal operations.
- Closed a “loophole” that allowed covered websites or online services to permit third parties to collect personal information through plug-ins or ad networks that the covered websites or online services would not have otherwise been allowed to collect without parental consent. Third-party collectors are now also required to comply with COPPA if they have “actual knowledge” of the child-directed nature of the site from which they are collecting personal information.
- Offer companies a “streamlined, voluntary and transparent” approval process for new ways of getting parental consent. The chairman encouraged companies to create additional “simple, low-cost means” of obtaining verifiable parental consent.
- Strengthened data security protections by requiring that covered websites or online services take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential.
- Strengthened requirement that covered websites or online services adopt reasonable procedures for data retention and deletion, and the FTC’s oversight of self-regulatory safe harbor programs.
Notably, the chairman said that advertisers can continue to advertise to children, but not behavioral advertising, without the consent of parents. The chairman bluntly stated: “Until and unless you get parental consent, you may not track children to build massive profiles for behavioral advertising principles. Period.”
The amendments are expected to come into effect July 1, 2013. Companies need to consider these amendments now, both with respect to their operations for websites and in the mobile space. This is especially true considering the FTC recent focus on children’s privacy in the mobile app environment. We will continue to follow this issue closely.