Industry Must Comply by July 1, 2013, Can Look to Expanded FAQs for Guidance on Updated Rules for Information Collection and Disclosure, Parental Notice, and Requirements for Mobile Apps
By: Ronald G. London
The FTC has voted to retain the July 1, 2013 effective date for the revisions to its Children’s Online Privacy Protection Act Rule (COPPA Rule), shortly after issuing revised “Frequently Asked Questions” (FAQs) to aid compliance efforts. The FAQs are a key interpretive resource, because there are few enforcement orders – and no real court precedents – that apply COPPA.
This post highlights some key clarifications and a few areas of uncertainty that remain in the FAQs, as a companion to our earlier advisory on the COPPA Rule revisions. Among other points, we explore guidance provided by the FTC staff in the FAQs regarding:
- How websites and online services subject to COPPA can handle newly added categories of personal information.
- The relationship between websites and online services subject to COPPA and third parties that collect personal information through such sites or services.
- The applicability of COPPA to mobile apps and some of the steps app developers/operators must take toward compliance.
- Additional detail on providing parental notice as streamlined by the COPPA Rule revisions.
- Steps required before children’s personal information may be disclosed to third parties.
Generally, the FAQs underscore how COPPA’s coverage of websites and online services includes mobile apps, as well as “Web sites or online services that have actual knowledge [ ] that they are collecting personal information directly from users of another [ ] Web site or online service directed to children.” Other notable points among the changes to the FAQs, from those that were posted before the COPPA Rule revision, also include:
Definition of “Personal Information”
The revised FAQs highlight the addition of new items of “personal information” under the COPPA Rule, specifically:
- Screen or user names that function as online contact information;
- Persistent identifiers that can be used to recognize a user over time and across different websites or online services;
- Photo, video, or audio files that contain a child’s image or voice; and
- Geolocation information sufficient to identify street name and name of a city or town.
The FAQs provide the following key qualifications and instructions about these categories of newly included personal information:
- Screen/user names now constitute personal information if they function as online contact information (and not just if they reveal a person’s email address); however, if collected before the updated COPPA Rule’s July 1, 2013, effective date, they are not covered by the updated Rule – i.e., it is not necessary to go back and get verifiable parental consent.
- However, the FTC “encourages” getting parental consent if possible, as a “best practice.”
- Moreover, a previously collected screen/user name becomes subject to the revised Rule once any new information is associated with it after the effective date.
- Persistent identifiers now constitute personal information if usable to recognize users over time and across different websites or online services (rather than only when combined with individually identifiable information); they do not require parental consent if collected prior to July 1, 2013, i.e., again, there is no retroactive effect.
- However, if after the effective date a persistent identifier continues to be used to collect information, or has new information associated with it (such as information about a child’s activities on a website or online service), that collection triggers COPPA obligations.
- Regarding the exception that persistent identifiers are not “personal information” if used only to “support the internal operations” of a website or online service:
- Child-directed sites and third-party plug-ins may rely on this exception regardless of whether the identifiers support only a plug-in’s own internal operations, or both its own internal operations and those of the website as well.
- However, “personalizing” ad-delivery does not qualify as “support for internal operations.” The FAQs make clear that the internal operations exception was not intended to include behavioral advertising, but rather seeks to permit maintenance of user-driven preferences, such as game scores or character choices in virtual worlds. The exception also allows for collection or use of persistent identifiers in connection with contextual ads.
- Photos, videos or audio-recordings were newly added as personal information, but those acquired prior to the effective date do not require parental consent.
- However, the FTC staff “recommends,” again, as a “best practice,” either discontinuing use or disclosure of photos, video and/or audio files after July 1, 2013, or, if possible, obtaining parental consent.
- The FAQs also clarify that moderated websites directed to children that prescreen children’s submissions to delete personal information before postings go live must either prescreen and delete any photos, videos, or audio recordings of children, even if accompanied by no other information, or first give parents notice and obtain their consent prior to permitting children to upload such files.
- For child-directed apps that may allow children to upload pictures of subjects other than people (themselves, their parents, their friends, etc.) – e.g., places, pets and the like – the app operator must:
- Pre-screen children’s photos to delete either any photo depicting the child(ren) or that portion of the photo in which they appear, if possible.
- Remove prior to posting any other personal information – including, for example, geolocation metadata – that the photos may contain.
- Ensure that persistent identifiers are used only to support internal operations of the app and are not used or disclosed to contact a specific individual or for any other purpose.
- Notice to and consent from parents is not required if the facial features of children in photos are blurred before posting, provided that any other personal information (such as geolocation metadata) is also removed, and persistent identifiers are used only for internal operations, and are not used or disclosed to contact specific individuals or for other purposes.
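One concrete way to implement the metadata-removal step above, as an added example that is not from the advisory or from the FTC: a JPEG sanitiser that drops the Exif, XMP and comment segments before a child’s upload is posted, and reports whether a GPS sub-IFD (the usual carrier of geolocation metadata) was present so the operator can log the event. The JPEG segment and TIFF/IFD layout it parses is the standard format; the sample image it builds is constructed for testing and is not a real photo. Blurring faces, the other step in the procedure, is outside this example.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER_TAG = 0x8825  # IFD0 tag whose value is the offset of the GPS sub-IFD

def exif_has_gps(payload: bytes) -> bool:
    """True if an APP1 Exif payload's IFD0 carries a GPS IFD pointer."""
    if not payload.startswith(EXIF_HEADER):
        return False
    tiff = payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # byte order of the TIFF block
    if endian is None or len(tiff) < 8:
        return False
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    if ifd0 + 2 > len(tiff):
        return False
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):  # each IFD entry is 12 bytes: tag, type, count, value/offset
        start = ifd0 + 2 + 12 * i
        if start + 2 > len(tiff):
            break
        if struct.unpack(endian + "H", tiff[start:start + 2])[0] == GPS_IFD_POINTER_TAG:
            return True
    return False

def strip_jpeg_metadata(data: bytes) -> tuple:
    """Return (sanitised_jpeg, gps_found). Drops COM and APP1..APP13/APP15 segments
    (Exif, XMP, comments); keeps APP0/JFIF, APP14/Adobe and image-structure segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, pos, gps_found = bytearray(b"\xff\xd8"), 2, False
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded scan follows, no more metadata segments
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        segment = data[pos:pos + 2 + seg_len]
        if marker == 0xE1 and exif_has_gps(segment[4:]):
            gps_found = True
        is_metadata = marker == 0xFE or (0xE1 <= marker <= 0xEF and marker != 0xEE)
        if not is_metadata:
            out += segment
        pos += 2 + seg_len
    out += data[pos:]  # scan data and EOI are copied untouched
    return bytes(out), gps_found

def build_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed minimal JPEG (not a real photo): JFIF, one Exif IFD0 entry, stub scan."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    if with_gps:
        entry = struct.pack("<HHII", GPS_IFD_POINTER_TAG, 4, 1, 26)  # LONG; sub-IFD omitted
    else:
        entry = struct.pack("<HHI", 0x0131, 2, 4) + b"app\x00"  # Software tag, ASCII
    tiff = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 1) + entry + b"\x00" * 4
    app1 = b"\xff\xe1" + struct.pack(">H", len(EXIF_HEADER + tiff) + 2) + EXIF_HEADER + tiff
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" + b"\xff\xd9"
    return b"\xff\xd8" + app0 + app1 + sos
```

Calling `strip_jpeg_metadata(build_sample_jpeg(True))` returns the image without its 36-byte Exif segment and `gps_found == True`; run it on real uploads before they are posted, and treat a `True` result as a signal worth logging.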
- The FAQs reinforce that geolocation information qualifies as personal information if it is precise enough to identify the name of a street and city or town. They also explain that, although the Rule revision newly added geolocation information to the definitional list of “personal information,” that change merely clarified a pre-existing FTC view. The FAQs also explain that:
- Parental consent is required prior to the collection of geolocation information regardless of the date the collection occurred.
- Collecting “coarse geolocation information, tantamount to collecting a ZIP code,” but nothing more does not trigger COPPA. Collecting longitude and latitude coordinates does.
- The FAQs do not elaborate on whether 5-digit ZIP codes and ZIP+4 codes should be treated differently, however. The notice of proposed rulemaking that led to the COPPA Rule revisions asked whether ZIP+4 is the equivalent of a physical address that should be included as personal information, but the final rule did not answer that question.
- The FAQs reinforce that COPPA covers the collection of geolocation information, not just its use or disclosure – so, simply giving users a choice to turn off geolocation does not avoid COPPA obligations, as the child user makes that choice, not the parent.
“Website or Online Service Directed to Children”
- The FAQs remind websites and online services directed to children that they are ultimately responsible for the collection of personal information from their users, no matter who does the collecting – therefore, absent an applicable exception, they must:
- Refrain from collecting or allowing others to collect personal information, or
- Provide notice and obtain prior parental consent before collecting or allowing any entity to collect personal information (along with providing all other COPPA protections).
- While the FAQs explain that the amended Rule does not require websites and online services directed to children to inform third parties (e.g., ad networks and other plug-ins) of the child-directed nature of the site or service, the FAQs also emphasize that, even if the site or service does so inform third parties, that will not, without more, relieve the site or service of its COPPA obligations. The “recommendation” in the FAQs is that child-directed websites or services do inform third parties and then arrange with them to provide adequate COPPA protections.
- In addition, children-directed websites and online services through which third parties collect personal information should also confirm, where possible, whether the third-party collection falls into an exception (e.g., “internal support” persistent identifiers), or is encompassed within the site’s or service’s notice and consent.
- Ultimately, collections of personal information by third parties at child-directed sites and services will in many cases require interaction between the site/service and the third party in order to ensure that all COPPA restrictions and requirements are honored. Alternatively, in some cases external sources and/or indicia may be used to confirm that a third party collecting information at the site/service is doing so in a manner that does not include personal information, or that includes personal information but satisfies an exception in the rules.
- To that end, the revised Rule imposes liability for information collection by or through child-directed sites and services, even if they do not engage in the collection directly. The FAQs recommend that COPPA-covered sites and services take great care with their advertising arrangements, including as follows:
- The FAQs indicate that websites and online services directed to children must understand, before entering an agreement with any entity to serve ads to the site or service, whether there is any way to control the type of ads that appear on the sites and services (by, e.g., stipulating or contracting for only contextual ads, or prohibiting behavioral ads or retargeting).
- COPPA-covered sites should also understand what categories of information will be collected from users on the sites and services in connection with any ads served.
- In particular, the FAQs emphasize examining whether persistent identifiers are collected for purposes other than support for internal operations, and whether geolocation information will be collected in connection with ads.
- Further, operators of child-directed apps must inquire into the practices of every third party that can collect information via the app, in order to determine whether their presence requires parental notice of and/or prior parental consent to the collection of personal information from children.
- The FAQs explain that the COPPA Rule “broadly covers any service available over the Internet, or that connects to the Internet or a wide-area network,” and offer as examples services directed to children that:
- allow users to play network-connected games
- engage in social networking activities
- purchase goods or services online
- receive online advertisements, or
- interact with other online content or services.
- The FAQs also stress that “mobile applications that connect to the Internet, Internet-enabled gaming platforms, voice-over-Internet protocol services, and Internet-enabled location-based services” may also fall under the COPPA Rule.
- If a child-directed app is designed to collect personal information as soon as it is downloaded, it would be required to provide notice to parents and obtain verifiable consent at the point of purchase, or to insert a landing page where a parent can receive notice and give consent before the download is complete.
- The FAQs also stress that sites or services that target children as one of the audiences – even if not the primary audience – are still “directed to children.”
- However, the revised COPPA Rule also provides an accommodation that allows a subset of sites “directed to children” the option of not treating all visitors as children, if the site does not target children as its primary audience and it opts to use age-screening to apply COPPA’s safeguards only to visitors who self-identify as younger than 13.
- In those cases, the FAQs underscore that it is forbidden to age-screen and completely block users who identify as being under age 13 from participating in any aspect of the site, even if the site does not target children as the primary audience.
- Rather, the age screen may be used to differentiate between child and non-child users, after which children may be offered different activities or functions that do not collect personal information – but it is not permitted to altogether prohibit children from participating in child-directed sites or services.
- Also, when age-screening, personal information cannot be collected from any visitor prior to collecting age information, and the collection, use, or disclosure of personal information from visitors who identify themselves as under age 13 is prohibited without first complying with the Rule’s notice and parental consent provisions.
- This does not change the fact, however, that general audience sites and online services that do not target children (as the only, primary or sub-category of audiences) are not required to permit children under 13 to participate in the site or service at all, and may accordingly deny them access entirely.
- The above dovetails with important, more generally applicable acknowledgements in the updated FAQs that children may lie about their age to gain access to sites that age-screen, and that where websites “screen users for age in a neutral fashion, [they] may rely on the age information users enter, even if that age information is not accurate,” and even if that “may mean that children are able to register on a site or service in violation of the operator’s Terms of Service.” (However, if it is later determined a particular user is a child under 13, COPPA’s notice and parental consent requirements are triggered.)
Parental Consent Mechanisms
- The COPPA Rule requires websites directed to children, or that knowingly collect personal information from children, to post parental notice of their information collection, use, and disclosure practices, in a “prominent and clearly labeled” manner at the site’s home page and at each location where the information is collected.
- The notice must set forth the items of personal information already obtained from the child (generally, contact information only), the purpose of the notice, actions the parent must or can take, and the operator’s use of information collected.
- The Rule also requires direct notice to parents in certain circumstances, in which case the notice must also contain a hyperlink to the operator’s information practices.
- And for apps directed to children, direct notice must be sent to parents prior to collection of any personal information from a child, with the limited exception that collecting parents’ online contact information is permitted for the sole purpose of sending the direct notice.
- As an alternative, the direct notice may be sent by other means, such as through the device onto which the app is downloaded.
- However, such device-based delivery of parental notices is allowed only if that mechanism both provides the notice and obtains consent before any collection of personal information, and is reasonably designed to ensure it is the parent who receives the notice and provides consent.
Confidentiality and Security Requirements
- The FAQs clarify that mobile apps may not rely on a parent’s app store account to serve as verifiable parental consent even if a credit card is attached to it – mere entry of an app store account number or password, absent other indicia of reliability (e.g., knowledge-based authentication questions, verification of government IDs, etc.) does not sufficiently assure that the person entering the account or password information is the parent rather than the child.
- The FAQs also explain that if a third party discovers it has been collecting information via a child-directed service, it must take steps to comply with COPPA, as follows:
- First, it must immediately cease collecting further personal information from users of the child-directed site or service.
- Second, for users from whom it already has collected personal information, the service must either:
- delete the personal information and close the relevant user accounts, or
- take the user information offline and initiate the parental notification and consent process, and where the required consent is not promptly obtained, it must delete the personal information and close the account.
- The FAQs are silent on whether this means that, if segments of personal information that a third party has collected cannot be tracked back to the specific sites from which they were collected, only some of which are learned to be child-directed, the third party must delete (or get parental consent for) all of the information in order to comply with COPPA.
- If that personal information is not segregable, the third party nonetheless may not have to delete all the information. Rather, whether it should (or must) do so, and what other steps it might take, will likely be a highly fact-specific inquiry.
- In some cases, information obtained from what is later learned to be a child-directed site or service may comprise such a small proportion of information the third party collected overall that it would not be necessary to try to identify which subset of the information came from the child-directed site/service.
- In other cases, one option would be working with the site(s) or service(s) from which unsegregable information was obtained in order to identify which of it came from a later-discovered child-directed site, then taking appropriate steps for only the information confirmed to have originated with the later-discovered child-directed site.
- Third parties that collect information, if they have not done so already, may want to ensure they can identify the origin of all information collected.
- The FAQs reinforce the requirement to retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected, and to thereafter delete the information via reasonable measures that protect against unauthorized access or use.
- The revised COPPA rule extends this obligation so that disclosing children’s personal information to third parties requires inquiring into that entity’s data security capabilities as follows:
- The website or online service that discloses the information must obtain (by contract or otherwise) assurances about how the third party treats the information it receives.
- And, in evaluating whether those security measures are “reasonable,” all expectations should expressly appear in the contract (or other arrangement), and reasonable means – such as periodic monitoring – must be used to confirm those expectations are met.
* * * *
Finally, the FAQs also provide important information about COPPA enforcement and how continuing questions about the Rule’s interpretation and applicability might be raised. In a somewhat noteworthy shift, the revised FAQs delete a statement from the prior FAQs that the FTC “monitors the Internet for compliance,” leaving enforcement to complaints generated by parents, consumer groups, industry members, and others who believe they have identified violations. The FAQs also herald the creation of a new “COPPA hotline” at CoppaHotLine@ftc.gov for questions or comments.