New COPPA Regulations Coming: Are You Sure You Are Ready?
Data Privacy and Security Law Update 06/20/13 Heather L. Buchta
Less than two weeks remain before the effective date of amended regulations for the Children's Online Privacy Protection Act ("COPPA"). With the new and expanded definitions under the amended regulations, COPPA may have an impact on you now, even if it didn't previously. If you haven't already done so, now is the time to review your processes in anticipation of compliance, as the requirements become effective July 1, 2013.
COPPA was first passed in 2000, prohibiting website operators from knowingly collecting personally identifiable information from children under the age of 13 without notice and verifiable parental consent. However, as technology has continued to advance, the FTC has recognized a need to amend the definitions under the regulation to sustain the intent of COPPA. "Personally Identifiable Information" has been expanded to include (i) geolocation; (ii) audio, photo, and video files that contain a child's image or voice; and (iii) persistent identifiers that can recognize users over time and across different websites or online services such as IP addresses and mobile device IDs. None of these items is traditionally (at least within the United States) considered to be personally identifiable; nevertheless, under the new regulations, a website operator cannot collect them from a child under 13 years of age without parental consent, and "collection" now includes even passive tracking.
There are a few limited exceptions to this prohibition under the new regulation: No parental notice or consent is required when an operator collects a persistent identifier for the sole purpose of supporting the website or online service's internal operations, such as contextual advertising, frequency capping, legal compliance, site analysis, and network communications. Further, under the new definitions, "collection" of personal information now permits operators to allow children to participate in interactive communities without parental consent, so long as the operators take reasonable measures to delete any personally identifiable information before it is made public.
On the other hand, with the expanded burdens on the restriction of data collection comes a bit more flexibility, as the new regulations also expand the acceptable types of verifiable parental consent. The new definition of "verifiable parental consent" expressly contemplates electronic scans of signed parental consent forms, video-conferencing, the checking of government-issued IDs against known databases, and requiring a parent to use alternative payment systems such as debit cards and electronic payment systems in connection with a monetary transaction.
The new regulation also closes a loophole that had previously existed with use of third-party ad networks by expanding the definitions of "operator" and "website" to include third-party data collectors. For example, third parties will no longer be permitted to use plug-ins on kid-directed apps to collect personal information from children without parental notice and consent.
In addition to the change to the current definitions, the new regulations impose tighter data security obligations, focusing on the release of data to third parties and on stricter processes for data retention and deletion. The FTC now requires reasonable steps to ensure children's personal information is released only to companies that are capable of keeping it secure and confidential. Finally, the regulation requires reasonable procedures for data retention and deletion to help ensure information is not kept longer than reasonably necessary and to ensure it is securely deleted.
On a final note, if you have previously applied to be, and have been approved as, a member of a COPPA safe harbor, be prepared for an audit. The FTC is requiring enhanced oversight of such organizations by requiring the self-regulatory safe harbors to audit their members.
With each new wave of internet sophistication and technology, we will likely continue to see expansion of the applicability of COPPA. More and more entities are building their business models off of "big data" and the collection and use of such data online. With that kind of business, however, come the privacy regulations, and the FTC considers COPPA a useful tool in its toolbox to continue to enforce online data privacy.
Take a deep breath and dive into the definitions - the fully revised rule can be found at 16 C.F.R. Part 312 (http://www.ftc.gov/os/2012/12/121219copparulefrn.pdf). Contact your data privacy counsel to help you sort through the new definitions and see what your obligations might be under the new regulatory scheme. The earlier you can sort through your potential compliance issues, the sooner you will be able to minimize any potential liability and exposure, and thus protect your business, its assets, and its reputation.
For more information on data privacy issues of all kinds, contact Heather Buchta at (602) 229-5228 / firstname.lastname@example.org, or your Quarles & Brady attorney.