Federal Trade Commission Updates Online Privacy Rules For Pre-Teens

By David Bruggeman
December 21, 2012

On Wednesday the Federal Trade Commission (FTC) announced the final updated rules for implementing the Children’s Online Privacy Protection Act (COPPA). Passed in 1998, COPPA rules had not been updated to reflect changes in technology, most notably the rise of mobile internet access and mobile applications. The final rules will take effect on July 1, 2013.

A fundamental difference between 1998 and now is that information is not just collected through active visitor input, but can also be gathered without conscious knowledge of the visitor. As the FTC describes it, the changes in the rule will help address this change in online behavior and other notable differences in how kids operate online. The Commission has conducted two separate studies on mobile apps and kids, which inform the new rules. These rules will do the following:

  • modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
  • offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
  • close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
  • extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
  • extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
  • strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;
  • require that covered website operators adopt reasonable procedures for data retention and deletion; and
    strengthen the FTC’s oversight of self-regulatory safe harbor programs.

Responses to the rule changes are mixed. App developers and other industry groups see the rules as stifling innovation, in part because companies may opt not to serve kids rather than develop content for those under 13 and comply with the associated rules. Some supporters of the new rules have expressed concern that parts of the new rules are vague on exactly who must comply under certain circumstances.

Lawmakers have been generally supportive, in part because the revised COPPA rules signify forward motion in updating privacy laws – something Congress has had trouble achieving. Representatives Markey and Barton intend to reintroduce privacy legislation that would effectively expand COPPA through age 15. And it may be that if broad-based privacy legislation ever becomes law, it will be informed by how well COPPA and related legislation work (or don’t) in preserving the privacy of children.