The Federal Trade Commission (FTC) ended 2012 with a bang by adopting final amendments to the Children’s Online Privacy Protection Act (COPPA). For those of us who work in children’s advertising, these long awaited amendments came as no surprise. The final amendment, which goes into effect on July 1, 2013, came only weeks after the FTC issued a report that found that mobile applications have demonstrated “little progress” in addressing concerns about the privacy of children’s data.
COPPA was first enacted in 1998 and requires that operators of websites and online services that are either directed to children under thirteen or have actual knowledge that they are collecting personal information from children under thirteen notify parents and obtain their verifiable consent before collecting, using or disclosing personal information from children. The FTC initiated the review to ensure that keeps pace with evolving technology, such as mobile devices and social networking. In other words, the FTC wanted to ensure that COPPA protects the six year old child you see on the bus everyday playing with his parent’s iPhone.
Fast forward to the present. In a move intended to give parents greater control over data collected about their children online, the recent amendments to COPPA increase its scope, requiring additional types of companies to obtain parental consent before collecting personal information from children under thirteen. Specifically, child-directed sites or services that integrate outside services, such as plug‑ins and advertising networks, which collect personal information, are now covered by COPPA. Plug‑ins and ad networks whose operators have actual knowledge that they are collecting personal information through a child-directed website or online service are also now subject to COPPA. In addition to expanding the kinds of companies under COPPA’s purview, these amendments also expand the types of information sites and services are not permitted to collect, use or disclose without parental consent. Geolocation information, photos, videos, and audio files that contain a child’s image or voice, and persistent identifiers that can be used to recognize users over time and across different websites all require parental consent prior to collection. One important exception to the rule is any circumstance in which an operator collects a persistent identifier for internal operational purposes-for example, site analysis and network communications. In such instance, no parental consent is required.