On June 21, 2017, the Federal Trade Commission (FTC) updated its guidance for compliance with the Children’s Online Privacy Protection Act (COPPA). COPPA regulates websites and other online services in connection with collection of information from children under 13. The full version of the FTC’s updated guidance is available at https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance
The FTC guidance instructs businesses to:
- Determine if a company’s website or online service collects information from children under 13
- Directly notify parents before collecting personal information from children
- Get parents’ verifiable consent before collecting personal information from children
- Honor parents’ ongoing rights regarding personal information collected from children
- Implement reasonable security procedures to protect the personal information collected from children
The FTC’s updated guidance addresses new models used to obtain personal data, such as voice activated devices used to collect personal information. The guidance incorporates reference to new products, like connected toys and other products intended for children that collect information like voice recordings or geolocation data. It also introduces two new methods for obtaining parental consent: (1) asking knowledge-based authentication questions and (2) using facial recognition to match a verified photo ID.
“Website or online service” under COPPA, according to the updated guidance, includes mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads), internet-enabled gaming platforms, plug-ins, advertising networks, internet-enabled location-based services, voice-over internet protocol services, and connected toys or other Internet of Things devices. In addition, “[p]ersonal information” includes each of the following: full name; home or other physical address, including street name and city or town; online contact information like an email address or other identifier that permits someone to contact a person directly — for example, an IM identifier, VoIP identifier, or video chat identifier; screen name or user name where it functions as online contact information; telephone number; Social Security number; a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier; a photo, video, or audio file containing a child’s image or voice; geolocation information sufficient to identify a street name and city or town; or other information about the child or parent that is collected from the child and is combined with one of these identifiers. Evident from the foregoing list, personal information is defined broadly under COPPA.
The FTC’s updated guidance shows regulators are concerned with adapting to new technology that collect children’s personal information and providing clear notice to parents. If you need assistance reviewing your business’s compliance with COPPA in light of the updated guidance provided by the FTC, please contact Cindy Motley, 312-849-1972, firstname.lastname@example.org or Nora Wetzel, 415-627-3478, email@example.com.