St. Ledger-Roty & Olson LLP


June 2013

A bimonthly update of trends and developments in privacy law & policy

Special Edition

Karen Neuman, Editor

  • You are receiving this publication because of your interest in privacy and data security. It is for informational including advertising purposes only and not a substitute for legal advice.
  • Not interested? Unsubscribe or forward to someone who might be.
  • Did someone send you this Update? Subscribe to receive your own or view past issues.


By Karen Neuman

If your business interacts with children online, including via mobile apps, you must understand the Children's Online Privacy Protection Act (COPPA) Rule. Chances are, you will be subject to its stringent requirements, including strict penalties for noncompliance.

The COPPA Rule

Subject to very limited exceptions, the COPPA Rule prohibits operators of commercial websites and online services from collecting personal information from children who are under 13 years of age without obtaining prior verifiable parental consent. The Rule specifies how long this information may be retained and what measures must be employed to protect its confidentiality, integrity and security. The Rule also imposes a number of requirements on operators that integrate third party services into their sites or services.

Since it was issued in 2000, the COPPA Rule has been aggressively enforced by the Federal Trade Commission (FTC) against child-directed sites and services, as well as operators of general audience sites and services with actual knowledge that they collect personal information from underage children. State Attorneys General (AGs) are also empowered to enforce the Rule, and have done so with increasing frequency. Both the FTC and AGs have made it clear that COPPA enforcement is a top priority.

As reported here, the FTC amended the Rule at the end of 2012 to reflect rapidly evolving changes in technology and behavior, including the widespread adoption of interactive services over mobile devices by young children. Starting July 1, the Rule, which has been a tripwire for established companies and new entrants alike, expands the definition of personal information to include cookies and persistent identifiers that are used to track children over time and across the web. It also expands the types of businesses that are subject to the Rule's reach. The FTC recently issued updated COPPA "FAQs" to help companies comply with the changes. However, the FAQs merely represent the Staff's interpretation of the Rule, and many ambiguities remain. These ambiguities will likely be clarified through a series of targeted enforcement actions. Accordingly, all businesses that attract children to their sites or services face significantly heightened risk.

What Changed?

  • Expanded Definition of Personal Information. Prior to the amendments, the definition of personal information was relatively straightforward. It included first and last name, email address, telephone number, physical home address, social security number, and certain types of screen names. Starting July 1, the definition will include:
    • Certain types of geolocation data.
      • If geolocation data was previously collected the FAQs recommend either obtaining parental consent or deleting the information.
    • Persistent identifiers (such as IP or MAC addresses, cookies or unique device identifiers) that can recognize a child over time and across websites (unless required for certain specified "internal operations").
    • Online contact information such as a VoIP, video chat or IM identifier.
    • Certain audio or video files.
      • If these files were previously collected the FAQs recommend obtaining parental consent.
  • New Type of Operator. One of the most significant changes to the COPPA Rule involves its application to third party plug-ins or ad networks. The new Rule effectively treats these businesses as "operators" who are subject to COPPA if they have actual knowledge that they collect information from underage children. In the commentary accompanying the amended Rule, the FTC explained that this new category of operator does not apply to app stores, as long as those stores merely offer access to child directed content without otherwise engaging children.
  • New Type of Child-Directed Site. Another change involves how the FTC will determine whether a site is directed toward children. Prior to the amendments, the FTC examined a website's characteristics, including its subject matter, and whether it used animated characters, music, or celebrities that appeal to children. Starting July 1, if a site or service is found to be directed toward children, but the majority of users are over 13, the FAQs imply (although the rule does not explicitly require) that these sites or service may not prohibit underage children from using them. This change could be extremely challenging for operators of online games, virtual worlds, and mobile apps.
  • New Methods for Obtaining Parental Consent. Starting July 1, the FTC will permit several new methods for obtaining prior verifiable parental consent, including electronic scans of signed consent forms. In addition, the FTC will implement a process by which companies can seek approval for consent methods that employ innovative technologies. These methods must be submitted to the FTC for review and public comment.

What it means for Business. Operators of online websites or services (including mobile apps) must ascertain whether they are covered by the COPPA Rule. This involves determining: (1) if the site or service engages children; (2) whether and to what extent the site itself, or integrated services provided by a third party, collects personal information from children who are under 13. If so, the operator must post a COPPA-compliant privacy policy; comply with the Rule's notice and consent protocol; employ measures to protect personal data; allow parents to access, correct, and delete their child's personal data or prevent its further use; and comply with other requirements. In order to manage risk, companies should routinely monitor their COPPA compliance programs, and make any modifications that are warranted by operational changes, or changes to the legal and regulatory environment.

The amended COPPA Rule reflects the FTC's effort to modernize the regulatory framework for protection children's online. In doing, the FTC focused on changes in technology, business practices and consumer behavior that were emerging in 2010 when the agency initiated proceedings to update the Rule. The FTC can be expected to keep COPPA current by extending the Rule's application to new products and services through enforcement actions -- just as it did in 2011 when it determined that COPPA applies to mobile apps -- a technology that was not explicitly addressed by the Rule when it was first issued. Accordingly, companies should consider how the integration of future technologies into online products and services, and corresponding changes to information practices, might trigger the Rule and create previously unforeseen risk and compliance obligations.

Forward Article Back to Top

Copyright © 2012 St. Ledger-Roty & Olson, LLP.
1250 Connecticut Avenue, N.W., Suite 200, Washington D.C 20036