On June 21, 2017, the Federal Trade Commission (FTC) updated its guidance for compliance with the Children’s Online Privacy Protection Act (COPPA).  COPPA regulates websites and other online services in connection with collection of information from children under 13.  The full version of the FTC’s updated guidance is available at https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance

The FTC guidance instructs businesses to:

  • Determine if a company’s website or online service collects information from children under 13
  • Post a privacy policy that complies with COPPA
  • Directly notify parents before collecting personal information from children
  • Get parents’ verifiable consent before collecting personal information from children
  • Honor parents’ ongoing rights regarding personal information collected from children
  • Implement reasonable security procedures to protect the personal information collected from children

The FTC’s updated guidance addresses new models used to obtain personal data, such as voice activated devices used to collect personal information.  The guidance incorporates reference to new products, like connected toys and other products intended for children that collect information like voice recordings or geolocation data.  It also introduces two new methods for obtaining parental consent: (1) asking knowledge-based authentication questions and (2) using facial recognition to match a verified photo ID.

“Website or online service” under COPPA, according to the updated guidance, includes mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads), internet-enabled gaming platforms, plug-ins, advertising networks, internet-enabled location-based services, voice-over internet protocol services, and connected toys or other Internet of Things devices.  In addition, “[p]ersonal information” includes each of the following:  full name; home or other physical address, including street name and city or town; online contact information like an email address or other identifier that permits someone to contact a person directly — for example, an IM identifier, VoIP identifier, or video chat identifier; screen name or user name where it functions as online contact information; telephone number; Social Security number; a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier; a photo, video, or audio file containing a child’s image or voice; geolocation information sufficient to identify a street name and city or town; or other information about the child or parent that is collected from the child and is combined with one of these identifiers.  Evident from the foregoing list, personal information is defined broadly under COPPA.

The FTC’s updated guidance also notes that if Company A collects personal information through Company B’s child-directed site or service — through an ad network or plug-in, for example — Company B is responsible for complying with COPPA, even if Company B does not collect the personal information.  Moreover, a company’s privacy policy, to be posted on the homepage and on any page where a company collects personal information from children, must describe the company’s practices, and the practices of any other companies collecting personal information on the company’s site or service.

The FTC’s updated guidance shows regulators are concerned with adapting to new technology that collect children’s personal information and providing clear notice to parents. If you need assistance reviewing your business’s compliance with COPPA in light of the updated guidance provided by the FTC, please contact Cindy Motley, 312-849-1972, cindy.motley@sedgwicklaw.com or Nora Wetzel, 415-627-3478, nora.wetzel@sedgwicklaw.com.