The FTC’s new rules for the revised Children’s Online Privacy Protection Act (COPPA) go into effect today. The revisions will enforce stronger protection policies, including stricter rules to protect a child’s identity online and more stringent requirements for parental consent. The changes directly impact any company that aims to collect data from children under the age of 13, including for online sweepstakes and contests.
The act has been in use since 1998 but was forced to include changes to accommodate new technologies, social media, and other online marketing strategies including behavioral-based advertising. Peder Magee, senior staff attorney at the FTC, says that the biggest change is the expansion of the definition of “personal information”—resulting in stronger security provisions for child-focused sites and services that have users under 13.
“We undertook a review of [COPPA] to see how effective it was in light of the changes to technologies, new business models, and the new ways that kids are accessing the Internet,” Magee says. “We undertook that review starting around 2010 and had a robust and open public noticing comment period.”
A major addition to COPPA is the requirement for obtaining parental consent. With this stricter rule, businesses are open to new ways to gain consent: via electronic scans, parental payment system, video or phone conference, or through the use of government-issued ID. In addition, the new rules state that any site using safe harbors must gather audits of their members and submit the information to the FTC—which the Commission must approve.
Magee says that any company operating a child-directed website must operate under the expansion of the new “personal information definition”—that now includes plug-ins, apps, and advertising networks—which COPPA did not accommodate prior.
“[Marketers] should be aware of the new types of information that are covered and to the extent that they are allowing third parties on their website to collect information,” Magee says. “They should understand who’s on their site and what their data practices are.”
In April the Direct Marketing Association, along with 18 other trade associations, sent a letter to the FTC requesting an extension for implementing changes but was rejected. Violators of the new COPPA rules will be subject to the same civil penalties under the act just as before the new rules went live.
