Last month, the Federal Trade Commission announced that it had updated the Children’s Online Privacy Protection Act (COPPA). The Rule, which is now almost 13 years old, was originally designed to minimize the collection of personal information from children and, in the words of FTC Chairman Jon Leibowitz, to ensure that parents are “the gatekeepers who get to decide whether or not to let others collect personal information from their children online.”
In the updated version of the rule, definitions have been changed, requirements modified and provisions added. In general, the revisions strengthen some of the protections that had been in place, and give parents more control over their children’s data.
If you’re up for a good read, the new rule came out as part of a 167-page document, which explains all the whys, whens and a few of the hows of compliance. But if you prefer your policy in smaller doses, here are a few of the basics to help you get started.
1. You probably already know that the Rule requires that collection of personally identifiable information (PII) from children under 13 may only be done with prior, verifiable parental consent. But the definition of PII has been expanded. Geolocation information is now emphasized as PII. In addition, photos, videos, audio files and, in some cases, persistent identifiers such as IP addresses and mobile device IDs are now covered.
2. Think you’re off the hook because your primary target audience isn’t children? Think again. The Rule now applies to plug-ins and ad networks that “have actual knowledge” that they are collecting PII from a child-directed site or service. Also, if you are a general audience site with pages that are for children, you’re going to want to be sure you’re in compliance on those pages.
3. Do you have plug-ins or ad networks on your child-directed site or service? If so, pay close attention, as you’re now responsible for compliance related to data that those services collect from your users.
4. Don’t forget about data security. You need to have “reasonable procedures” in place to protect the security of the PII you have collected, and for deleting it when the data is no longer needed. Also, if you release the data to any third parties, you need to take “reasonable steps” to ensure that they can protect the data as well.
And yes, there is more.
This all goes into effect on July 1. Your lawyer and your compliance representative have already read through the Rule, and they’re ready for you. Take some time to talk to them now to be sure you understand the changes and how they might apply to your site, service or app.
How do you manage COPPA compliance for your kid- or teen-targeted social marketing campaigns?