Protecting Children’s Privacy Under COPPA | Federal Trade Commission

Protecting Children’s Privacy Under COPPA | Federal Trade Commission

Speakers – Cristina Miranda,
Peder Magee When it comes to information
that companies collect online from kids under 13, parents
should be in control. That’s the thinking behind the
Children’s Online Privacy Protection Act and
the COPPA rule. The rule has been in
place for years. But the Federal Trade
Commission, the nation’s consumer protection agency, has
revised COPPA to keep pace with technology. If your company has been
complying with COPPA, the basics still apply. You still have to give notice
to parents and get their verifiable consent before you
collect, use, or disclose personal information from
children under 13. You still have to keep kids
information secure. And the revised COPPA rule
retains Safe Harbor provisions so that groups can submit
programs for FTC approval. But five key changes to COPPA
take effect July 1, 2013. Here’s what your business
needs to know. I’m Peder Magee, an attorney
with the FTC. So what’s new about COPPA? The first important change is
that the FTC has revised some definitions to expand who’s
covered by COPPA and the kinds of information that require
companies to comply with the rule. The rule has always applied if
you operate a website, an online service, or an app
directed to children under 13. It also applies if you have a
site, a service, or an app directed to a general audience
and you have actual knowledge that you’re collecting personal
information online from kids in that under
13 age group. Revisions to the rule make it
clear that COPPA also covers an operator of a child-directed
site or service where it allows outside services
like plug-ins or advertising networks to collect
personal information from visitors. In addition, if a plug-in
or ad network has actual knowledge that it’s collecting
personal information through a child-directed site or service,
the plug-in or ad network is covered
by COPPA too. The upshot? The rule applies to companies
that may be new to COPPA compliance. The FTC also has revised the
definition of the types of information COPPA covers. The rule has always applied if
companies collect certain kinds of personal information
from kids under 13, like their first and last name, a home
address, a phone number, an email address, online contact
information, or a screen or user name that functions as
online contact information. But the FTC has clarified
that definition. The COPPA rule covers
geolocation information that can identify a street name
and the city or town. And we’ve expanded the rule to
include photos, videos, and audio files that contain a kid’s
image or voice as well. Something else covered under
the revised COPPA rule, persistent identifiers that
can be used to recognize a user over time and
across different sites or online services. But there’s a notable
exception here. COPPA’s parental notice and
consent requirements don’t apply if the identifier is
used just to support your site’s internal operations. Take a look at the rule for
more about the meaning of internal operations
in this context. Another change to COPPA relates
to what operators need to tell parents. It’s still the law that you
have to notify parents directly and get their
verifiable consent before collecting personal information online from their kids. But now you need to know to
put certain key pieces of information upfront within
the notice you send. You’ll want to read the rule
for the specifics. But the big picture is that it’s
not enough just to give parents a link to something on
your site and expect them to figure things out
for themselves. This change will make it easier
for parents to get the important details they need
when they need them. The rule also streamlines what
you have to include in your online privacy policy about
your information practices The third change involves new
ways to get the parental consent COPPA requires. In addition to the methods
already in the rule, including FTC approved Safe Harbor
Programs, COPPA now gives businesses more ways to
get a parent’s OK. For example, electronic scans of
signed consent forms, video conferencing, the use of
government issued IDs, and alternative payment systems,
assuming they meet the same stringent criteria
as credit cards. The sliding scale mechanism of
parental consent, often called e-mail plus, is still an
acceptable method for operators that collect personal
information just for their own internal use. Technology changes quickly. So to encourage innovation in
this area, the revised rule sets up a voluntary process
for businesses to get FTC approval for other methods
of parental consent. The fourth change strengthens
provisions for keeping kids information confidential
and secure. Under the revised rule,
operators must take reasonable steps to make sure that before
releasing information to service providers or other third
parties, those companies are capable of maintaining the
confidentiality, security, and integrity of the information. It’s not enough if they
just talk the talk. You also need to get assurances they’ll follow through. Under COPPA, you can retain
kids’ personal information only as long as it’s reasonably
necessary. And when you dispose of it, you
have to take reasonable steps to protect against
unauthorized access. The fifth change to COPPA
deals with additional monitoring of self-regulatory
safe harbors. The new rule strengthens
the FTC’s oversight of Safe Harbor Programs. It requires them to audit
members and report the combined results of those audits
to the FTC every year. That’s just a brief recap
of changes to COPPA. For compliance resources, visit
the children’s privacy page on the FTC business center
at For more how-to guidance, read
the Children’s Online Privacy Protection Rule and Complying
With COPPA, frequently asked questions. Have a question that’s not
answer there, send us an email at [email protected]

16 Replies to “Protecting Children’s Privacy Under COPPA | Federal Trade Commission”

  1. Do you think that under this law, electronic devices must to be sold or posessed by people that are at least 13 years old? Do you think that non-commercial websites or websites that do very little collection of personal information (registration form includes only username, password and CAPTCHA) should also disallow services to underage children, even with parental consent?

  2. all this did was have sites largely exclude children from sites that people didn't want to bother with it. we just ask if your 13 and if your not, we don't want your business because your too costly to deal with. oh you have an account and your not 13,we deleted your account please come back at 13 and all purchases are now gone..thanks for your business but we don't want it.


  4. COPPA if you launch, you can make many Youtubers lose their jobs and money. FTC, don't you realize what you're doing?

Leave a Reply

Your email address will not be published. Required fields are marked *