FTC Releases Updated COPPA FAQs
By M. Lily Woodland
New Categories of Personal Information. The amended Rule added four new categories of information to the definition of “personal information.” The FAQs provide category-specific advice for “personal information” in each of these four categories collected prior to July 1, 2013, the effective date of the revised Rule. Specifically:
Geolocation Data. Parental consent is – and was – required under COPPA. Per the FAQs, inclusion of geolocation data as a separate category in the definition of personal information was merely a clarification of existing policy.
Photos, Videos or Audio Files, Screen or User Names & Persistent Identifiers. If collected before July 1, 2013, then such information is not covered by COPPA and parental consent is not required. However, with pictures, videos and audio files, FTC recommends discontinuing use of such previously collected information or obtaining parental consent. Adding new information to previously collected user names that “permit direct contact with a person online” triggers the COPPA provisions. And, if an operator keeps using or associates new information with a persistent identifier that recognizes a user over time and across different websites or online services after July 1, 2013, it too will be covered.
Teenagers. The FAQs also contain an interesting point about COPPA and teens, noting that while COPPA applies only to children under the age of 13, “FTC is concerned about teen privacy and does believe that strong, more flexible, protections may be appropriate for this age group.” FTC then links to the March 2012 FTC privacy report and notes that the Commission has published a number of guidance documents for teens and parents. Such statements indicate that the Commission is looking closely at teen privacy issues and, while COPPA is not directly applicable, we may see enforcement actions under the Commission’s Section 5 authority in the future.
Privacy Polices & Apps. The FAQs highlight many of the new requirements related to privacy policies, including the new, streamlined approach outlined in the revised COPPA Rule. FTC reminds operators to review any existing privacy policies to make sure that they are updated to disclose, and properly obtain consent for the collection of, new categories of “personal information” in the revised Rule. The links to such privacy policies must be “clearly and prominently labeled” and located on the home or landing page of the website or online service, as well as on each area of the site where personal information is collected.
With apps, FTC recommends and encourages providing access to privacy policies at the point of purchase. If the app immediately begins to collect personal information upon being downloaded, disclosure and consent at the point of purchase or prior to the complete download of the app is necessary. Also, operators of child-directed apps must inquire into the information collecting practices of all third parties who collect info through their app in order to provide adequate notice and obtain consent.
Websites and Users Directed at Children. If a website meets the definition of a “web site or online services directed to children” under the revised Rule, then the operator may not block children from participating altogether, even if the operator does not intend children to be the primary target audience. Operators can, however, use an age screen to differentiate between child and non-child users, and offer different activities or functions depending on age. (General audience websites, in contrast, can block children under 13.)
Actual Knowledge. When will an advertising network service have “actual knowledge” sufficient to trigger obligation under COPPA? Pretty simple – if someone tells you or if you recognize the child-directed nature of the content. However, per the FAQs, it is unlikely that mere collection of a URL will constitute actual knowledge.
Pictures & Videos. A picture alone, without any other personal information, can be sufficient to trigger the revised Rule. If, however, the operator screens and blurs the facial features of children in photos before posting them on its website (and removes all other personal information or metadata), parental notification and consent is not necessary. Additionally, an app that permits a kid to upload photos, but that does not transmit the photo from the child’s device, is not “collecting personal information” under the Rule.
Even though COPPA only covers information collected from children – not pictures uploaded by grandma – operators of websites primarily directed to children (as defined by the Rule) must assume that the person uploading the photo is a child and either give notice and obtain parental consent, remove child images and metadata prior to posting or create a special area for posting by adults.
Geolocation Data. Merely collecting geolocation data – even if the operator does not use it – is sufficient to trigger the Rule. Moreover, notification and consent is required if the data collected is “sufficient” to identify a street name and name of a city or town. So, latitude and longitude coordinates constitute “personal information.”
Consent. “Email-Plus” will remain an approved form of consent for personal information used for internal purposes – e.g., where children’s personal information is not “disclosed” – permanently. The FAQs also state that proper use of a credit card as a form of verifiable parental consent is sufficient, when connected to a monetary transaction, without additional investigation to confirm if the adult providing the credit card is a parent, assuming the revised Rule is followed. An operator cannot, however, rely on collection of a parent’s app account number or password as sufficient.
Support for Internal Operations. The amended Rule provides an exception for “support for the internal operations of the website or online service,” which means activities necessary for the website to perform properly – e.g., maintain or analyze functioning, perform network communications, authenticate users, perform site analytics, etc. Persistent identifiers collected solely for these purposes do not require parental consent – and both the website and third-party plug-ins can rely on the exception. “Support for internal operations” does not, however include behavioral advertising. The types of “personalization” permitted are user driven preferences, e.g., those that allow operators to maintain user preferences, game scores, character choices, etc.
Caveat Vendor is Paul Hastings’ Consumer Issues blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.