If you’ve got a website, you could have a problem. Welcome to the COPPA Rule, a complicated FTC regulation with (a) potentially expensive ramifications, and (b) some new provisions about to take effect.
If you operate a commercial website that collects personal information from visitors, you’d better be familiar with COPPA – the Children’s Online Privacy Protection Act – and the COPPA Rule adopted by the Federal Trade Commission pursuant to the Act. Even a single COPPA Rule violation can lead to a $16,000 penalty, and the FTC hasn’t been shy about doling out seven-figure fines for cumulative violations. (For the faint of heart unwilling to wade into the actual law or FTC rule, you can check out the FTC’s COPPA FAQs. But even that resource weighs in at the equivalent of 58 printed pages.)
The principal goal of COPPA is to ensure that personal information relating to children under the age of 13 is not collected or distributed by website operators without parental consent. Since many broadcast stations may be collecting information on their websites (even without realizing it), we figure it’s a good idea to remind all our readers about COPPA.
And now is an excellent time to do so because a number of important changes to the COPPA Rule are set to take effect on July 1, 2013.
I’ll address the five changes that I think are among the most important below, but be advised that I’m only scratching the surface. At minimum, anyone with a website that collects personal information from visitors, and that features links to advertisers who collect such information, would be well-advised at least to read the COPPA FAQs, if not everything on the FTC’s COPPA webpage.
Before we get into the changes that are about to kick in, though, let’s take a quick look at the basics of the law to get a fix on: (1) what types of websites are covered by the law; (2) what types of “personal information” trigger the consent requirements; and (3) what covered websites are expected to do.
You’re subject to COPPA if you operate either:
- a commercial website or online service (including mobile Apps) directed to children under 13 that collects, uses, or discloses personal information from children; or
- a general audience commercial website or online service, and you have actual knowledge that you are collecting, using, or disclosing personal information from children under 13.
Under COPPA you could also be liable for the collection of information that occurs on or through your site(s) and service(s), even if you yourself do not engage in such collection. That means that it’s important that you (in the FTC’s words) “make informed decisions before you permit advertising to run on your sites and services.”
“Personal information” for COPPA purposes means “individually identifiable information about an individual collected online”. It includes the obvious stuff (e.g., first/last name, physical address, telephone number, social security number) and the (perhaps) less obvious, such as:
- online contact information (including a screen or user name that functions as online contact information);
- a “persistent identifier” (e.g., a customer number held in a cookie or a processor serial number) that can be used to recognize a user over time and across different Web sites or online services;
- geolocation information sufficient to identify street name and name of a city or town; or
- information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.
Note that photos, videos, and audio recordings that contain a child’s image or voice are all “personal information”. And that term also encompasses “a combination of a last name or photograph of the individual with other information such that the combination permits physical or online contacting.”
Obligations of Covered Operators
Operators subject to the COPPA Rule are subject to seven basic requirements. According to the COPPA FAQs, such operators must:
- post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;
- provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
- give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
- provide parents access to their child's personal information to review and/or have the information deleted;
- give parents the opportunity to prevent further use or online collection of a child's personal information;
- maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
- retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
So what are the five major aspects of the COPPA Rule set to take effect on July 1 that you need to be especially aware of?
The definition of a covered operator whose operation is “directed to children” has been refined to make it easier to trigger parental notice and consent requirements.
As noted, there are two ways in which a website operator might become subject to the requirements of the parental notice and consent process. The requirements apply, first, to an operator whose website is “directed to children” and collects personally identifying information from a child under the age of 13. Second, they apply to an operator of a general audience website who has actual knowledge that it is collecting personal information from a child under the age of 13. One big difference between these two alternatives: most sites that are “directed to children” cannot engage in “age screening” to prevent children under the age of 13 from even entering the site.
This may not seem like a big deal at first blush, since many sites have no intention of spending any extra time, money or effort to engage in age screening anyway, especially when they simply don’t collect personal information from anybody, child or adult. But, given the expanded definition of “personal information” (see below) and the changes affecting Plug-ins and Ad Networks (also see below), the fact that the FTC appears to have expanded its view as to what constitutes a site “directed to children” means this change has potentially wide-ranging ramifications.
The FTC has always taken a pretty contextual approach in determining whether a site is “directed to children”. The FTC considers “subject matter, visual or audio content, age of models, language or other characteristics of the website or online service, as well as whether advertising promoting or appearing on the website or online service is directed to children.” But the site owner’s own intent was also a factor, as evidenced by enforcement actions in which the FTC applied the “directed to children” label only to sites that (a) knowingly targeted children under 13 as a primary audience or (b) were likely, based on the site’s overall content, to attract children under 13 as their primary audience. Sites that did not appear likely to attract children under 13 were generally left alone, even where some of those sites in fact attracted an unexpectedly disproportionate number of under-13 visitors.
In its August 2012 Second Notice of Proposed Rulemaking the FTC drew a distinction along these lines: on the one side, sites primarily targeting children, or whose content is likely to attract children under 13 as the primary audience, which cannot engage in age-screening; on the other, sites that merely attract a disproportionate number of child users as an unintended consequence, which can. Its final rules reflect this distinction.
According to the FTC, Congress never intended to require the website operator’s subjective intent to factor into the determination of whether a site is “directed to children”. As it specifically stated, “Certainly, a website or online service that has the attributes, look and feel of a property targeted to children under 13 will be deemed to be a site or service directed to children, even if the operator were to claim that was not its intent”. The FTC seemed to underscore this by expanding the non-dispositive list of likely “directed to children” factors to include: musical content, the presence of child celebrities, and celebrities who appeal to children. It specifically noted that, even where it is asked to determine that a site is allowed to engage in age-screening (because the site has a disproportionate amount of visits from children under the age of 13), the FTC will first look at this context-based “totality of the circumstances” test.
So, why might this affect you? Imagine that you create a new site or a mobile version of your current site, especially a Mobile App. Further imagine that you have no intent to direct your site or App to children. But now imagine that the FTC takes a look at your site and sees that you have featured, say, Justin Bieber (based on a look at my not-yet-13-year-old niece’s iPod, this appears to be a relevant example) because he’s coming to town in concert soon. If the mobile version of your site or App doesn’t happen to have a significant amount of other content, you might be viewed as a site that is “likely to attract children” – which in turn would mean that you can’t age-screen before collecting personal information. But hold on there – you might be collecting such information in the form of geolocation information anyway, even if you don’t intend to. That could put you in violation of COPPA.
Plug-ins and Advertising Networks can now trigger COPPA obligations.
COPPA’s reach has been expanded beyond mere commercial “websites and online services” in a way that means you’ll have to get real cozy with the suppliers of all the advertisements or plug-ins to your site. Two of the changes in particular are important.
First, the definition of “covered operator” has been fleshed out to make clear that the website operator is responsible for everything on the site, even content it didn’t put there or review at all. So, if you’re a general purpose site and you take ads directed at kids, you might have a COPPA problem: advertisers collecting personally identifying information from children through your site can trigger COPPA parental notice and consent obligations for you.
Second, “the definition of a website or online service directed to children is expanded to include plug-ins or ad networks that have actual knowledge that they are collecting personal information through a child-directed website or online service”. So if you’re a site directed at children, your advertisers – who may think they don’t have a COPPA problem, might now have one.
The definition of “personal information” has been expanded to include four new categories.
The term “personal information”, while always somewhat broad, was also pretty understandable: things like name, phone number, address, email address, etc. The new rules add four key categories to that definition:
Geolocation Information: If you collect “geolocation information sufficient to identify a street name and name of city or town”, you are collecting “personal information”. (While this was not expressly stated in the original version of COPPA, the FTC has apparently been treating it as such all along. The new rule makes that treatment explicit.) Since virtually all mobile devices provide this information and many, if not most, sites (especially Apps) collect it, the potential to trigger the parental notice and consent requirements has significantly increased.
Photos or videos or audio files: Any photo, video or audio file that contains a child’s image or voice is considered personal information and will trigger the parental notice and consent requirements if submitted by the child (although such a file submitted by the parent does not trigger the requirements). As the COPPA FAQs indicate, operators covered by COPPA must either: (a) prescreen and delete from children’s submissions any photos, videos, or audio recordings of themselves or other children; or (b) first give parents notice and obtain their consent prior to permitting children to upload any photos, videos, or audio recordings of themselves or other children.
Screen or user name: A screen or user name is personal information if it functions as online contact information – so collecting a screen name in place of an email address as the means of contacting a user will not relieve you of COPPA obligations.
Persistent identifiers: We’re talking cookies here, people – but not only cookies. The Rule lists a customer number held in a cookie, an IP address, a processor or device serial number, or a unique device identifier, any of which can be used to recognize a user over time and across different Web sites or online services. Such an identifier is “personal information” even if it’s not overtly paired with a name, email address, screen name, etc. (The amended Rule does except persistent identifiers collected solely to provide “support for the internal operations” of the site or service, such as maintaining a session or serving contextual ads, from the notice and consent requirements; whether a given use fits that exception is a question for counsel.)
One possibly unexpected manner in which this is likely to arise is via Mobile Apps, which aren’t generally thought of as “websites” (but which clearly count as covered “online services”) and which often rely heavily on geolocation information and allow for simplified sharing of photos and videos. So, while everybody is rushing to create that new App for your station or company, many don’t realize that the streamlined, functionally superior contact with the world these Apps offer often comes with a hidden price tag.
The direct notice requirements have been streamlined and clarified.
Under the new version of Section 312.4 of the COPPA rule, the notice you must place on your website has gotten somewhat easier. You must simply provide:
- the name, address, telephone number, and email address of all operators collecting or maintaining personal information through the site or service (or, after listing all such operators, you can simply provide the contact information for one that will handle all inquiries from parents);
- a description of what information the operator collects from children, including whether the operator enables children to make their personal information publicly available, how the operator uses such information, and the operator’s disclosure practices for such information; and
- notification that the parent can review or have deleted the child’s personal information and refuse to permit its further collection or use, together with a statement of the procedures for doing so.
This must be posted via a “clearly and prominently labeled link” on the home or landing page of the site or service and anywhere personally identifying information is collected from children. One wrinkle here is that a general audience site with a portion directed at children must post this separate COPPA-focused notice on that children-focused page.
However, the rule has gotten much more stringent with regard to the direct notice given to parents when personal information is being collected. These changes, in fact, are so extensive that it’s not worth even listing them here. You should certainly consult with an attorney before providing direct notice to a parent.
The non-exhaustive list of acceptable methods for obtaining prior verifiable parental consent has been expanded.
You must get verifiable parental consent before collecting a child’s personal information. The COPPA Rule does not dictate precisely how that is to be done. The COPPA FAQs advise that you can use “any number of methods to obtain verifiable parental consent, as long as the method you choose is reasonably calculated to ensure that the person providing consent is the child’s parent.” However, the permissible methods are somewhat broader if you plan to use the personal information only for your own internal purposes.
If you are going to use such personal information externally or share it with third parties, you can:
- provide a consent form to be signed by the parent and returned via U.S. mail, fax, or electronic scan (the “print-and-send” method);
- require the parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
- have the parent call a toll-free telephone number staffed by trained personnel, or have the parent connect to trained personnel via video-conference; or
- verify a parent’s identity by checking a form of government-issued identification against databases of such information, provided that you promptly delete the parent’s identification after completing the verification.
If you are only going to use the information internally, you can use any of the above methods, or you can use the “email plus” approach: obtain the parent’s consent by return email and then take one of the following additional confirming steps:
- request in your initial message to the parent that the parent include a phone or fax number or mailing address in the reply message, so that you can follow up with a confirming phone call, fax or letter to the parent; or
- after a reasonable time delay, send another message via the parent’s online contact information to confirm consent. In this confirmatory message, you should include all the original information contained in the direct notice, inform the parent that he or she can revoke the consent, and inform the parent how to do so.
Finally, one more word about penalties for non-compliance. As mentioned above, COPPA provides for a penalty of up to $16,000 per violation. Even a single violation would definitely hit just about any small- to medium-sized business hard. And it seems more than likely that, if you haven’t been complying with the law, the FTC would be able to determine that you’re really on the hook for multiple violations, which would only worsen the blow.
Again, it’s important to recognize that COPPA is a very complicated law whose general applicability and requirements cannot be easily summarized. This post provides, at most, only a quick glimpse at some of the highlights. If you need guidance in determining whether your website is subject to COPPA obligations and, if so, how to ensure compliance, we strongly urge you to contact an FCC attorney or any other attorney familiar with COPPA.