The Federal Trade Commission (FTC) ended 2012 with a bang by adopting final amendments to the Children’s Online Privacy Protection Act (COPPA). For those of us who work in children’s advertising, these long awaited amendments came as no surprise. The final amendment, which goes into effect on July 1, 2013, came only weeks after the FTC issued a report that found that mobile applications have demonstrated “little progress” in addressing concerns about the privacy of children’s data.

COPPA was first enacted in 1998 and requires that operators of websites and online services that are either directed to children under thirteen or have actual knowledge that they are collecting personal information from children under thirteen notify parents and obtain their verifiable consent before collecting, using or disclosing personal information from children. The FTC initiated the review to ensure that keeps pace with evolving technology, such as mobile devices and social networking. In other words, the FTC wanted to ensure that COPPA protects the six year old child you see on the bus everyday playing with his parent’s iPhone.

Fast forward to the present. In a move intended to give parents greater control over data collected about their children online, the recent amendments to COPPA increase its scope, requiring additional types of companies to obtain parental consent before collecting personal information from children under thirteen. Specifically, child-directed sites or services that integrate outside services, such as plug‑ins and advertising networks, which collect personal information, are now covered by COPPA. Plug‑ins and ad networks whose operators have actual knowledge that they are collecting personal information through a child-directed website or online service are also now subject to COPPA. In addition to expanding the kinds of companies under COPPA’s purview, these amendments also expand the types of information sites and services are not permitted to collect, use or disclose without parental consent. Geolocation information, photos, videos, and audio files that contain a child’s image or voice, and persistent identifiers that can be used to recognize users over time and across different websites all require parental consent prior to collection. One important exception to the rule is any circumstance in which an operator collects a persistent identifier for internal operational purposes-for example, site analysis and network communications. In such instance, no parental consent is required.

Those are the major revisions to COPPA, but they are not all. The amendments also establish new methods of notice and parental consent, including electronic scans of signed parental consent forms, videoconferencing, government-issued IDs, and alternative payment systems. The heavily debated “email plus” consent method is still permitted as well. Additionally, the new amendments clarify requirements for sites that are not primarily directed at children, but whose audience may include them. Those sites can now screen visitors by age, and will only be required to obtain parental consent from those who identify as being under thirteen.

The Way I See It

  • I see the FTC further clarifying the meaning of these amendments and their impact on those subject to them in the months to come.
  • I see increased FTC enforcement of violations in the area of children’s privacy, with an increased focus on mobile apps directed to children.
  • I see that this is not the last we have heard from the industry and I expect to see the industry’s well‑crafted and well-reasoned responses in the near future.
  • In light of these increased online protections for children, I wonder if Mark Zuckerberg is still interested in allowing children under thirteen to join Facebook.