The FTC recently changed the Children's Online Privacy Protection (COPPA) Rule.
The rules gives parents control over what information is collected from children under 13 on websites. The COPPA statute, which came effective in 2000, forces website owners to obtain verifiable consent from parents before collecting, using, or disclosing such information from children.
This year the FTC has made significant changes to COPPA rule. This includes changing the definitions of certain terms like personal information and collection. There are a number of other changes as well.
In this era of rapid technological change, kids are often tech savvy but judgment poor. We want to ensure that the COPPA Rule is effective in helping parents protect their children online, without unnecessarily burdening online businesses, said FTC Chairman Jon Leibowitz. We look forward to the continuing thoughtful input from industry, children's advocates, and other stakeholders as we work to update the Rule.
Here's a look at some of the major changes.
Definitions: As noted, the definitions of certain words have changed under the new COPPA rule. The biggest change is to personal information. It now includes geolocation information and as well as identifiers for functions other than the website's internal operations, such as tracking cookies used for behavioral advertising. The FTC also changed the definition of collection to allow children to participate in interactive communities, without parental consent, as long as the website operators take reasonable measures to delete all or virtually all children's personal information before it is made public.
Email-Plus: The FTC wants to get rid of the controversial email-plus method of obtaining consent. This method allows operators to obtain consent through an email to the parent, coupled with another step, such as sending a delayed email confirmation to the parent after receiving consent. Instead, the FTC would like to see better verification methods such as electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database.
Confidentiality: The FTC proposed strengthening the rule's current confidentiality and security requirements. They want operators to obtain information for only as long as reasonably necessary and that they delete it without leaving it available for unauthorized access.
Safe Harbor: The FTC is looking to change the oversight of self-regulatory safe harbor programs by having members audited at least annually and report periodically to the Commission the results of those audits.