With the New FTC Guidance, what are the Six Steps for COPPA Compliance?

The amendments were released in December 2012 after the Federal Trade Commission (“FTC”) conducted an extensive review of COPPA and determined that the current rule did not adequately address the technological landscape. The FTC’s Bureau of Consumer Protection released its updated guidance, “Complying with COPPA: Frequently Asked Questions,” revised in June 2013, to help companies prepare to meet their obligations under the revised Rule. Since the Rule was implemented on July 1, the agency has followed up with additional resources, including guidance entitled "The Children's Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business," and "Protecting Children's Privacy Under COPPA," a video that details the rule changes and explains business obligations under the rule.

 

The Six Step Guidance highlights the following:

1. How to determine if COPPA applies to your company. Covered operators include, but are not limited to, advertising networks, mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads), geolocation services, plug-ins and voice over internet protocol services.

According to the FTC, the agency “looks at a variety of factors” to see if a site or service is directed to children under 13. These factors can include not only the subject matter but also many other things, from animation and graphics or the age of models to ads on the site or service.

In addition to names, Social Security numbers, phone numbers, addresses, screen names and email addresses, the definition of “Personal Information” has been expanded to include:

• A persistent identifier that can be used to recognize a user over time and across different sites, including cookies, an IP address, a processor or device serial number, or a unique device identifier;

• A photo, video, or audio file containing a child’s image or voice;

• Geolocation information sufficient to identify a street name and city or town; or

• Other information about the child or parent that is collected from the child and is combined with one of these identifiers.

2. Privacy Policies. You must post a clear, conspicuous, easy-to-understand policy that details your practices specifically with regard to children and additionally describes the practices of any others collecting personal information on your site or service. Privacy policies should include:

• A description of the personal information collected and how and why it is used. This should be a thorough list of all types of information collected and how it is collected, used, disclosed or shared. If it is shared with third parties, you must list the types of businesses you share with and how they use the information.

• A description of parental rights. This should provide details on how parents can review their child’s information, limit disclosure to third parties, direct you to delete information, or refuse collection entirely. Your privacy policy must explain the procedures that allow parents to exercise their rights.

3. Parental notification. Parents must be given notice before any information is collected about their children. It is the obligation of the site or service operator to provide parents with updated information on why they are being contacted. You must inform them of their rights, provide links to your privacy policy, and allow them a reasonable, limited time to reply with consent before you delete their contact information.

4. Verifiable parental consent. The guidance includes a chart that outlines the extremely limited exceptions to the verifiable parental consent requirement, such as when a persistent identifier is used solely to support the internal operation of the site or service. In general, however, operators of child-directed sites must obtain verifiable parental consent before they can collect any personal information from children under the age of 13, including users' screen names; photo, video and audio files that contain a child's image or voice; geolocation data precise enough to identify a street and city; and persistent identifiers, such as cookies, an IP address, or a unique mobile device identifier. Acceptable methods of verifiable consent are:

• A signed consent form returned to you via fax, email or electronic scan;

• Use of a credit card, debit card, or other online payment system that provides notification of each separate transaction to the account holder;

• A call by the parent to a toll-free number staffed by trained personnel;

• A connection to trained personnel via a video conference; or

• A copy of a form of government-issued ID that you check against a database, as long as you delete the identification from your records when you finish the verification process.

5. Ongoing parental rights. You must always take reasonable steps to ensure that you are communicating with the parents. After that, your obligation is to inform parents and allow them to review the personal information collected from their child and to revoke their consent at any time, and you must securely delete their child’s personal information if they refuse further collection or use of it. Parents must be informed if any changes are made.

6. Procedures to implement and maintain compliance. It is always best practice to maintain procedures to protect the confidentiality, security, and integrity of personal information. Under COPPA, you must establish procedures to do this specifically with regard to children under the age of 13. Don’t collect what you don’t need. Retain and share personal information only when absolutely necessary. Use secure methods to dispose of unneeded personal information. Know who you share the information with and get assurances that third parties are acting in compliance as well.

 

For more information, see here:  https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa

 

These materials were obtained directly from the Federal Government public websites and are posted here for your review and reference only.  No Claim to Original U.S. Government Works.  This may not be the most recent version.  The U.S. Government may have more current information.  We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to.  Please check the linked sources directly.