Complying with COPPA 2.0: FAQs
COPPA 2.0 compliance is just around the corner (July 1st, 2013). Whether your site is ready or not, you need to be asking, enquiring, and doing whatever you can to come up to par with the current regulations. There is a laundry list of provision's the FTC has put in to place, and on their behalf, have offered reasonable responses and substantial time to comply.
Over the next week, Inversoft will supply shortened versions of the 'Business and Parents and Small Entity Compliance Guide'.
Please remember, this is merely a simplified reference. For more detailed information refer to the link at the bottom of this page.
GENERAL QUESTIONS (1 - 7) of 14
1. What is the Children’s Online Privacy Protection Rule?
The Children's Online Privacy Protection Act of 1998 (COPPA) is a United States federal law. Effective April 21, 2000, applies to the online collection of personal information by persons or entities under U.S. jurisdiction from children under 13 years of age.
The Rule applies to all Internet entities that collect, use, or disclose personally identifiable information from children under the age of 13.
The Commission issued the amended Rule December 19, 2012. It becomes effective as of July 1, 2013.
Operators covered by the Rule must:
- Provide direct notice to parents and obtain verifiable parental consent...
- Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties...
- Provide parents access to their child's personal information to review and/or have the information deleted
- Give parents the opportunity to prevent further use or online collection of a child's personal information
- Maintain the confidentiality, security, and integrity of information they collect from children...
- Retain personal information collected online from a child for only as long as is necessary...
2. Who is covered by COPPA?
The Rule applies to operators of commercial Web sites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children. Additionally it applies to operators of general audience Web sites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13...
3. What is Personal Information?
The amended Rule defines personal information to include:
- First and last name
- A home or other physical address including street name and name of a city or town
- Online contact information
- A screen or user name that functions as online contact information
- A telephone number
- A social security number
- A persistent identifier that can be used to recognize a user over time and across different Web sites or online services
- A photograph, video, or audio file, where such file contains a child’s image or voice
- Geolocation information sufficient to identify street name and name of a city or town
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.
4. What should I do about information I collected from children prior to the effective date that was not considered personal under the original Rule but now is considered personal information under the amended Rule?
Below is the amended ruling with 4 new categories of information on personal information. The amended rule covers the (additional) obligations and responsibilities regarding disclosure of previously collected information deemed personally identifiable information once the amended Rule goes into effect:
- Geolocation information: if the site operator has not obtained parental consent, do so immediately... operators are required to obtain parental consent prior collecting such geolocation information, regardless of when such data is collected.
- Images or videos containing audio of the child's voice/from a child: obtaining parental consent is not necessary based on collecting prior data to effective date of the Rule. It is suggested as a best practice to discontinue the use or disclosure of such information, or if possible, obtain parental consent.
- Screen or user name: is considered personal information if it functions as online contact information. Including, email or any other identifier that permits direct contact with a person online...
- Persistent Identifiers: any identifier that can be used to recognize a user over time and across platforms. Operators need not seek parental consent for these newly-covered persistent identifiers if they were collected prior to the effective date of the Rule. Unless obtained consent from parents or strictly for use for internal operations of online service (support), the collection of any information reflecting the scope of 'persistent identifier' will trigger COPPA.
5. I don’t collect any of the newly-covered types of personal information. Other than the changes to the definition of personal information, in what ways is the new Rule different?
The amendments to the Rule helps to ensure that COPPA continues to meet its originally stated goals to minimize the collection of personal information from children and create a more safe, secure online experience. The final Rule amendments, among other things:
- Modify the definition of “operator” to make clear that the Rule covers an operator of a child-directed site or service where it integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors...
- Streamline and clarify the direct notice requirements to ensure that key information is presented to parents in a succinct ‘‘just-in-time’’ notice
- Expand the non-exhaustive list of acceptable methods for obtaining prior verifiable parental consent;
- Create new exceptions to the Rule’s notice and consent requirements
- Strengthen data security protections
- Require reasonable data retention and deletion procedures
- Strengthen the Commission’s oversight of self-regulatory safe harbor programs
- Institute voluntary pre-approval mechanisms for new consent methods and for activities that support the internal operations of a Web site or online service.
6. Where can I find information about COPPA?
The FTC has a comprehensive Web site, www.ftc.gov, which provides information to the public on a variety of agency activities. Clicking on the Privacy & Security link in the Featured Topics section of the FTC’s home page will take you to the Privacy and Security portion of the FTC’s Business Center. Clicking on the link labeled Children’s Privacy will take you to the Children’s Privacy section, which also is accessible by cutting and pasting the following link into a web browser: http://business.ftc.gov/privacy-and-security/children’s-privacy. The Children’s Privacy section includes a variety of materials regarding COPPA, including all proposed and final Rules, public comments received by the Commission in the course of its rulemakings, guides for businesses, parents, and teachers, information about the Commission-approved COPPA safe harbor programs, and FTC cases brought to enforce COPPA. Many of the educational materials on the FTC Web site also are available in hard copy free of charge by calling the FTC Consumer Response Center’s toll free number at (877) FTC-HELP.
7. What should I do if I have questions about the COPPA Rule?
The first thing you should do is read the FTC’s Children’s Privacy guidance materials. If, after reviewing the FTC’s online materials, you continue to have specific COPPA questions, please send an email to our COPPA hotline at CoppaHotLine@ftc.gov.