Updated COPPA Rules: 5 Tips to Consider When Assessing Your Compliance

daublairAs the FTC’s new COPPA rules come into force, the way mobile apps, websites and social networks are able to go about collecting data on their child users has changed dramatically. Privacy experts from MEF members Dentons, Todd Daubert and Andrew Blair provide their top tips to understanding the new regulations and how to ensure your business remains compliant.

On July 1, updated rules of the Federal Trade Commission (“FTC”) to implement the Children’s Online Privacy Protection Act (“COPPA”) became effective, making compliance with a heightened set of requirements for online service providers who collect personal information from kids under 13 mandatory. The updated rules are both broader in scope and stricter in application than the current regulations, and thus assessing whether you are in full compliance is critical. Here are five tips to consider when assessing your compliance with the COPPA rules.

  • Know your service

    The COPPA obligations are triggered when a web site, online service or app is directed to children or when the operator of the web site, online service or app has actual knowledge that personal information is collected from children. The rules identify several factors to be considered when determining whether a web site, online service or app is directed to children, including subject matter, visual content, and use of animated characters. Even if your site, service or app as a whole is not generally directed to children, portions or subpages may be directed at children, in which case the COPPA rules apply.

  • Know the FTC’s definition of “personal information”

    children-shotThe updated COPPA rules greatly expand the definition of “personal information” to include, among other things, audio or video that contains a child’s image or voice, geolocation data and any persistent identifier that can track a person across time or sites. While there are exceptions for internal use of persistent identifiers, device IDs, cookies, and other methods of tracking users generally qualify as personal information.

  • Know the types of information that you collect

    The growth of online advertising and analytics has driven many operators to include multiple tools for collecting web site and app usage data in their web sites and online services. With an expanded definition of personal information that includes the persistent identifiers often used for analytics and advertising, it is critical to know exactly what you are collecting when someone browses to your site or uses your app.

  • Know who else collects information through you

    A surprising number of operators do not know all of the embedded plug-ins or other code that runs on their web sites or online services and collect data for third parties. Old site versions, incomplete plug-in removal and other oversights can result in orphan code that continues to share data with third parties. Operators are on the hook for ensuring third-party code on their web sites and online services complies with the rules. The only way to be certain is to reassess your web site or online service on a regular basis.

    Phones

  • Know the disclosure and consent requirements

    Privacy policies that accurately describe data practices are a must for everyone. However, the updated COPPA rules impose additional specific requirements regarding the notification of parents about data collection, opt-out mechanisms and the deletion of children’s data from web sites, online services and apps. Verifiable parental consent is a cornerstone of the COPPA regulations, so the implementation of compliant verifiable consent mechanisms should be a core part of COPPA-compliant web sites, online services and apps rather than a bolted-on afterthought.

  • Bonus Tip: Do not underestimate the importance of COPPA compliance

    The FTC has strongly indicated that it intends to make COPPA enforcement a priority. Increased investment in personnel and tools to monitor web sites and online services makes reliance on obscurity or herd immunity a risky gamble. If you have questions about how COPPA applies to you or how to comply, get help. The benefits of ensuring compliance and reducing the risk of damaging and expensive enforcement actions far outweigh the short-term costs.

The updated COPPA rules signal a major evolution in the FTC’s approach to privacy regulation. Foundational changes to the scope and rigor of the rule make clear that the FTC remains very serious about children’s privacy. If you have yet to assess how COPPA affects you, now is the time to start.

Todd Daubert is a partner in Dentons DC office, chair of the legacy Communications and Technology Sectors and serves on the MEF North America Board of Directors. Andrew Blair is an associate in Dentons’ Intellectual Property and Technology group, specializing in matters related to federal and state regulatory compliance and enforcement, litigation, contracts and vendor management, privacy and security policies, intellectual property, risk management and data governance – Visit Dentons Website

Comments

  1. Simon Bates says:

    Cracking article, thanks Todd and Andrew. At our event in Washington in June we heard first-hand from FTC how seriously they intend to take this. Developers who don’t comply with the new rules could find themselves in serious trouble. This is an excellent primer for people who have heard about COPPA, but haven’t had time yet to engage yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: