The United States Federal Trade Commission announced today that it has adopted final amendments to the Children's Online Privacy Protection Rule (otherwise known as COPPA Rule). According to the Commission, parents are to have greater control over the personal info that websites and online services may collect from children under the age of 13.
The FTC's review of the rule has been going on since 2010, and has been aimed at making sure the rule evolves along with technology, specifically with regards to mobile devices and social media.
“The Commission takes seriously its mandate to protect children’s online privacy in this ever-changing technological landscape,” said FTC Chairman Jon Leibowitz. “I am confident that the amendments to the COPPA Rule strike the right balance between protecting innovation that will provide rich and engaging content for children, and ensuring that parents are informed and involved in their children’s online activities.”
Here's the list of final amendments:
- modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
- offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
- close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
- extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
- extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
- strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;
- require that covered website operators adopt reasonable procedures for data retention and deletion; and
- strengthen the FTC’s oversight of self-regulatory safe harbor programs.
The final rule also comes with some modified definitions. For example, the definition of "operator" has been updated to make clear that the rule covers a child-directed site or service that integrates with outside services. This includes plug-ins or ad networks that collect info from visitors. It does not extend liability to platforms like Google Play or the App Store. The definition of a "website or online serivce directed to children" is expanded to include plug-ins and ad networks that have "actual knowledge" that they are collecting personal info through a child-directed website or online service.
The definition of "personal information" now includes geolocation info, in addition to photos, videos, and audio files that contain a child's image or voice. The definition can also be used to recognize users over time and across different sites or online services.
These are just a few examples. You can peruse the FTC's announcement in its entirety here.