FTC Issues Guidance on Children’s Online Privacy Law
The Federal Trade Commission (FTC) has issued guidance to answer stakeholder questions about changes to the Children’s Online Privacy Protection Act (COPPA) slated to take effect on July 1, 2013. According to FTC, the new rules apply not only to the operators of Websites and mobile apps directed at children younger than age 13, but the operators of general audience sites and apps “with actual knowledge that they are collecting, using, or disclosing personal information from children under 13,” as well as third-party operators “that have actual knowledge that they are collecting personal information directly from users of another Web site or online service directed to children.”
In addition to describing the types of personal information covered by COPPA,
which for the first time will class IP addresses as persistent identifiers, the
guidance addresses, among other things, (i) new online privacy policy rules,
including requirements for displaying the policy; (ii) disclosure requirements
for the collection and use of geolocation data; (iii) when and how to acquire
parental consent if necessary; (iv) the disclosure of collected information
to third parties; and (v) limitations on data collection. It also discusses how
industry groups and other parties adhering to self-regulatory guidelines
can qualify as an FTC-approved “COPPA safe harbor program,” which under
the amended rules must offer protections that are equal to or greater than
the agency’s standards; a mandatory assessment mechanism; and “effective
disciplinary actions for member operators who do not comply with the safe
harbor program guidelines.”
“A court can hold operators who violate the Rule liable for civil penalties of
up to $16,000 per violation,” states FTC, noting that foreign-operated sites
directed at U.S. children must still comply with COPPA. “The amount of civil
penalties a court assesses may turn on a number of factors, including the
egregiousness of the violations, whether the operator has previously violated
the Rule, the number of children involved, the amount and type of personal
information collected, how the information was used, whether it was shared
with third parties, and the size of the company.”