- Published Articles
- In the Press
- Press Releases
Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
May 16th, 2013
FTC Answers 92 Questions About Its Revised Children’s Online Privacy Protection Act Rules
In an effort to provide clarity on it its revised Children's Online Privacy Protection Rule ("Rules"), the FTC recently published a list of Frequently Asked Questions ("FAQs") with information on how to comply. The FAQs should provide helpful guidance to operators of commercial websites and other online services (such as mobile apps) that are either directed to children under 13 or otherwise collecting, using and/or distributing information from children. The Rules, which implement the Children's Online Privacy Protection Act ("COPPA"), were amended by the FTC in December 2012 in an effort to "keep up with changing technology". The Rules appear to be a regulatory priority: on May 15th, the FTC sent letters to 90 companies highlighting the changes and warning that new compliance measures may be necessary -- including changes in privacy and data retention policies, notices, and parental consent mechanisms.
Below are some highlights from the FAQs:
- FAQ 4 clarifies when an operator needs to obtain parental consent for information collected prior to the effective date of the amended Rules. Specifically, operators who have collected geolocation data from children without parental consent, must obtain that consent immediately. Conversely, operators who, before the effective date, collected (i) photos, videos or audio files of children; (ii) screen or user names; or (iii) persistent identifiers, are not required to obtain consent. (Although the FTC recommends they do so.) However, operators should obtain consent if persistent identifiers or screen/user names are later associated with newly collected information.
- FAQ 32 describes in detail the format and content of information that operators must include in direct notices to parents.
- FAQ 41 makes clear that under the amended Rules, the website/online service operator is liable for the collection of information on its site or through its services (including through ads), even if the operator did not engage in the collection. For example, an operator of a child-directed website may be required to notify parents and obtain verifiable parental consent when data is collected through third-party advertising run on its site.
- FAQ 53 says a teen-focused website may be deemed "directed to children" if it attracts a substantial number of children under the age of 13. Where any website is determined to be directed to children, it may not block children under 13 from using the service. In those cases, the service must be fully COPPA compliant. However, where children under 13 are not the primary audience of the website/online service, operators may screen out those users who identify themselves as being under 13.
- FAQ 66 states that mobile app operators cannot rely on a parent's app store account and credit card information -- even with the password -- to serve as verifiable parental consent.
- FAQs 76-79 give additional clarity on the "support for internal operations" exception. A website may use certain information without consent for performing network communications, authenticating users or personalizing content for the site or service, serving contextual ads or capping the frequency of ads, protecting the security or integrity of the user, site or service, or ensuring legal or regulatory compliance. However, the FAQs also make clear that behavioral advertising and other similar practices will not fall under this exception.
- The FAQs also highlight in several areas that the new Rules require "reasonable" retention and deletion procedures for children's data. Companies are not allowed to keep data indefinitely, but only so long as is reasonably necessary for the operation of the business.
There's more to the FAQs and we encourage you to review them prior to July 1, 2013 -- the effective date of the new Rules.
If you have questions about the new COPPA Rules, or any other privacy-related matters, please contact Greg Boyd at 212.826.5581 or email@example.com, Terri Seligman at 212.826.5580 or firstname.lastname@example.org, Claudine Wilson at 212.705.4842 or email@example.com, or any other member of the Frankfurt Kurnit Advertising Group.
Other Privacy & Data Security Law Alerts
Business Takeaways from the FTC $5 Billion Settlement with Facebook
On July 24, 2019, the FTC announced a $5 billion settlement with Facebook to address Facebook’s alleged violations of the FTC Act and its 2012 consent order with the FTC. Read more.
July 26 2019
Are You Ready for the New York Cybersecurity Regulations’ September 3rd Deadline?
Financial institutions and insurance companies operating in New York have until September 3, 2018 to comply with the next phase of New York's Cybersecurity Regulations. Here's what you need to know to avoid regulatory scrutiny. Read more.
August 10 2018
New California Privacy Law Calls for Significant Changes
On the heels of the European General Data Protection Regulation (GDPR), California has now passed a digital privacy law that gives consumers more control over their personal information online. Read more.
June 29 2018