On April 22, 2025, the Federal Trade Commission (FTC or the Commission) published an updated Children’s Online Privacy Protection Act (COPPA) Rule (Rule) in the Federal Register. The updates are effective June 23, 2025. But regulated entities will have until April 22, 2026, to comply, with the exception of several requirements applicable to FTC-endorsed safe harbor programs that have compliance dates in the summer and fall of 2025.
The COPPA Rule imposes requirements on operators of websites or online services directed to children under 13 and on such operators that have actual knowledge they are collecting personal information, as defined under COPPA (PI), from children under 13. Most notably, the Rule requires operators to provide notice and obtain verifiable parental consent (VPC) before collecting, using, and disclosing PI from children. Parents must be able to review and delete their child’s PI and prevent further use or collection of their child’s PI. Operators must keep PI secure, including by implementing retention and deletion requirements. Finally, the Rule contains a “safe harbor” provision that allows organizations to submit to the FTC for approval self-regulatory guidelines that would implement the Rule’s protections.
Below we provide a summary of the key amendments to the Rule.
Definitions
The Commission made several changes to the definitions included in the Rule, including:
- Adding a new stand-alone definition of “mixed audience website or online service.”
  - A mixed audience website or online service is defined as a website or service that is “directed to children” but that does not target children as its primary audience and does not collect PI from visitors, unless allowed under certain exceptions, prior to determining whether the visitor is a child. Any collection of age information, or other means of determining whether a visitor is a child, must be done in a neutral manner that does not default to a set age or encourage visitors to falsify age information.
  - The inclusion of this definition is a codification of guidance provided in the FTC’s COPPA FAQs and does not impose new requirements on operators. The FTC, when determining whether a site is “mixed audience,” will continue to first determine whether the site is “directed to children,” then determine whether the site targets children as its primary audience. Sites that are deemed “mixed audience” may age-screen their visitors to determine which are under 13 and then determine whether they wish to (1) not collect PI from the under 13 users or (2) obtain VPC from these users.
- Adding mobile telephone numbers to the definition of “online contact information.”
  - Such phone numbers may only be used to text parents to obtain VPC.
- Expanding the definition of PI to include biometric and government-issued identifiers.
- Amending the definition of “support for the internal operations of the website or online service” to clarify that persistent identifiers collected in order to carry out activities to provide such support (e.g., to maintain or analyze the functioning of the website or online service) can also be used and disclosed in connection with such activities.
- Adding more factors to consider when determining if a website or service is “directed to children,” including (1) marketing or promotional materials or plans; (2) representations to consumers or other third parties; (3) reviews by users or other third parties; and (4) the age of users on similar websites or services.
Notices
The Commission updated the Rule to include additional requirements for the content in direct and website notices.
- Direct notices must now include (1) how the operator intends to use PI collected from children and (2) the identities or specific categories of third parties to whom children’s PI is disclosed and the purposes of the disclosure.
- Website notices (i.e., privacy policies) must now include (1) the identities and specific categories of third parties to whom children’s information is disclosed and the purposes of such disclosures; (2) if the operator collects persistent identifiers to support internal operations, how the operator uses those identifiers to support its operations and how the operator will ensure the identifiers are not used for any other purpose besides supporting the internal operations of the site; and (3) if the operator collects audio files containing a child’s voice under the VPC exception, an explanation of how the operator uses such audio files and a statement that the audio files are immediately deleted after the operator responds to the request for which they were collected.
Verifiable Parental Consent
The FTC made the following amendments with respect to its requirement that an operator must obtain VPC prior to collecting personal information from a child.
- Separate VPC, apart from that obtained to collect children’s PI, is now required in order to disclose a child’s PI to third parties unless such disclosure is integral to the website or online service. Note the FTC has indicated disclosures made for advertising purposes are not integral to the site or service.
- Operators can use the following additional methods to obtain VPC:
  - Knowledge-based authentication, which involves asking parents dynamic multiple-choice questions where (1) there are enough questions with enough choices and (2) the questions are difficult enough that a child 12 years old or younger could not guess or know the answers.
  - Matching the parent’s face to a photo ID by having the parent submit a government-issued ID and using facial recognition technology to compare it to an image of the parent’s face taken by a phone or web camera. The parent’s ID and image must be promptly deleted after the match is confirmed.
  - “Text plus” method, which involves the operator using a text message coupled with additional steps (e.g., sending a confirmatory text to the parent following receipt of consent) to ensure the person providing the consent is the parent.
- The FTC also introduced a new exception, where VPC is not required when an operator only collects an audio file containing a child’s voice to respond to a child’s specific request and where the operator uses it for no other purpose, does not disclose it, and deletes it immediately after responding to the child’s request.
Confidentiality, Security, and Integrity of Personal Information
The updated Rule specifies requirements that operators must meet to protect children’s PI. In particular, operators must establish and maintain a written children’s personal information security program that contains safeguards appropriate to the sensitivity of PI collected from children and the operator’s size, complexity, and nature and scope of activities. To establish such a program, an operator must designate employees to coordinate it; conduct relevant risk assessments; implement safeguards to address identified risks; regularly test and monitor the effectiveness of the safeguards; and annually evaluate the program.
Operators disclosing children’s PI to third parties must also confirm the third parties have reasonable security practices in place to protect children’s PI and obtain written assurances that the third parties will protect the information.
Data Retention and Deletion Requirements
The new Rule requires operators to (1) delete children’s PI when the PI is no longer reasonably necessary for the purposes for which it was collected and (2) establish and maintain a written data retention policy addressing information collected from children that specifies the purposes for which children’s PI is collected, the business need for retaining the information, and the time frame for deleting it. Operators do not have to establish a separate children’s retention policy if they already have one applicable to children’s PI that addresses the Rule’s requirements. The policy should be included in an operator’s direct and website notices.
Safe Harbor Programs
The COPPA Rule currently allows organizations to submit for FTC approval self-regulatory guidelines that implement substantially the same requirements as the Rule. The amended Rule includes the following updates to enhance oversight of, and transparency regarding, these FTC-approved safe harbor programs:
- Requiring programs to annually review their operators’ security policies, practices, and representations.
- Strengthening the FTC’s oversight by requiring programs to include in their annual reports to the FTC (1) the names of all program-approved operators and each of their approved websites or online services; (2) any operators that left the program during the previous year; (3) a description of the program’s business model; (4) copies of available consumer complaints related to operators’ violation of the program’s guidelines; and (5) a description of how the program determines if operators should be disciplined.
- Increasing transparency by requiring programs to publicly post each of their approved operators, and for each operator, a list of approved websites or online services.
The FTC’s publication of its amendments underscores a bipartisan focus on children’s privacy. US states are also passing legislation to protect children’s online safety at a rapid pace. Many US states have passed legislation focused on youth issues that range from efforts to protect minors on social media, gaming platforms, and other online services to providing teens additional consent rights and data protections and protecting minors from harmful content. Due to an increased focus on protecting children from online harm, businesses may want to assess their current data practices and policies to ensure their processing of children’s information is compliant with both COPPA (and its implementing regulations) and new state laws.