FTC Updates COPPA for the Age of Social Media, Mobile Apps
Just a week after the Federal Trade Commission released a harsh report on the state of mobile app privacy protections for children, the agency on Wednesday issued stricter rules under the Childrens Online Privacy Protection Act (COPPA).
The revisions update the 1998 law for the era of mobile technology, social media, and online data collectioncreating new liability for the operators of websites and services that are directed to children under the age of 13.
The definition of personally identifiable informationwhich triggers parental consent requirementsis now broader, and operators are responsible for how third parties collect user data on their sites. The new rules come into effect July 1, 2013.
The world of COPPA compliance has just gotten considerably bigger, says Jim Halpert, a partner at DLA Piper who helped draft the 1998 law.
The major thing the FTC was concerned about was different forms of tracking children online that didnt involve collecting their names and addresses, says Halpert.
Rather, the agency focused on the collection of information that can be used in behavioral advertising, or to track children across different websites, Halpert explains. Under the new definition, personally identifiable information includes photos, videos, geolocation, IP addresses, and device identifiersand it cant be collected without parental consent.
Behavioral advertising is now out for those sites, says Halpert. They can no longer do behavioral advertising without verifiable parental consent.
Another significant change makes operators liable for COPPA compliance of third parties on their sites. A website operator is going to be held strictly liable for any service provider that is plugging into [its] site, says Reed Smith partner John Feldman, who specializes in advertising regulation and consumer protection law.
In-house counsel should examine their companys relationships with third parties, Feldman says, because of the strict liability and the responsibility you have for the actions of others.
He adds: Your contracts are going to have to be carefully worded, and your due diligence is going to have to be done to understand what is collected.
The regulations also warn companies against holding onto childrens data for longer than is necessarywhich Linda Goldstein, a partner at Manatt, Phelps & Phillips, can see becoming an enforcement priority down the line.
The FTC will undoubtedly take a hard look at their data-retention policies if theyre collecting data from kids under 13, says Goldstein, who chairs the firms advertising, marketing, and media division.
The big picture for companies in this space is that they need to take a look at what theyre collecting, Goldstein says. They need to take a much closer look at who theyre passing it on to, and they need to take a look at their data-retention policies.
According to Halpert, the FTC enforces COPPA frequently, and there is some stigma attached to running afoul of those rules. This is something that should be a compliance priority for companies, Halpert says.
See also: Too Many Apps are Collecting Kids' Data, Says FTC, CorpCounsel, December 2012.