Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
May 16th, 2013
FTC Answers 92 Questions About Its Revised Children’s Online Privacy Protection Act Rules
In an effort to provide clarity on it its revised Children's Online Privacy Protection Rule ("Rules"), the FTC recently published a list of Frequently Asked Questions ("FAQs") with information on how to comply. The FAQs should provide helpful guidance to operators of commercial websites and other online services (such as mobile apps) that are either directed to children under 13 or otherwise collecting, using and/or distributing information from children. The Rules, which implement the Children's Online Privacy Protection Act ("COPPA"), were amended by the FTC in December 2012 in an effort to "keep up with changing technology". The Rules appear to be a regulatory priority: on May 15th, the FTC sent letters to 90 companies highlighting the changes and warning that new compliance measures may be necessary -- including changes in privacy and data retention policies, notices, and parental consent mechanisms.
Below are some highlights from the FAQs:
- FAQ 4 clarifies when an operator needs to obtain parental consent for information collected prior to the effective date of the amended Rules. Specifically, operators who have collected geolocation data from children without parental consent, must obtain that consent immediately. Conversely, operators who, before the effective date, collected (i) photos, videos or audio files of children; (ii) screen or user names; or (iii) persistent identifiers, are not required to obtain consent. (Although the FTC recommends they do so.) However, operators should obtain consent if persistent identifiers or screen/user names are later associated with newly collected information.
- FAQ 30 says that when an app is directed to children, the amended Rules require privacy policies to appear on a home or landing screen, but the Rules do not expressly require those policies to appear at point of purchase. Nevertheless, the FTC encourages app operators to include a link to the privacy policy at point of purchase. However, if an app collects personal information upon download, it will be necessary to provide direct notice and obtain verifiable parental consent as required by COPPA.
- FAQ 32 describes in detail the format and content of information that operators must include in direct notices to parents.
- FAQ 41 makes clear that under the amended Rules, the website/online service operator is liable for the collection of information on its site or through its services (including through ads), even if the operator did not engage in the collection. For example, an operator of a child-directed website may be required to notify parents and obtain verifiable parental consent when data is collected through third-party advertising run on its site.
- FAQ 53 says a teen-focused website may be deemed "directed to children" if it attracts a substantial number of children under the age of 13. Where any website is determined to be directed to children, it may not block children under 13 from using the service. In those cases, the service must be fully COPPA compliant. However, where children under 13 are not the primary audience of the website/online service, operators may screen out those users who identify themselves as being under 13.
- FAQ 66 states that mobile app operators cannot rely on a parent's app store account and credit card information -- even with the password -- to serve as verifiable parental consent.
- FAQs 76-79 give additional clarity on the "support for internal operations" exception. A website may use certain information without consent for performing network communications, authenticating users or personalizing content for the site or service, serving contextual ads or capping the frequency of ads, protecting the security or integrity of the user, site or service, or ensuring legal or regulatory compliance. However, the FAQs also make clear that behavioral advertising and other similar practices will not fall under this exception.
- The FAQs also highlight in several areas that the new Rules require "reasonable" retention and deletion procedures for children's data. Companies are not allowed to keep data indefinitely, but only so long as is reasonably necessary for the operation of the business.
There's more to the FAQs and we encourage you to review them prior to July 1, 2013 -- the effective date of the new Rules.
If you have questions about the new COPPA Rules, or any other privacy-related matters, please contact Greg Boyd at 212.826.5581 or gboyd@fkks.com, Terri Seligman at 212.826.5580 or tseligman@fkks.com, Claudine Wilson at 212.705.4842 or cwilson@fkks.com, or any other member of the Frankfurt Kurnit Advertising Group.
Other Privacy & Data Security Law Alerts
Six Steps to Help Your Team Comply with the New SEC Public Company Cybersecurity Rules
On July 26, 2023, the Securities Exchange Commission (“SEC”) approved final Rules entitled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (the “Rules”). The Rules require certain cybersecurity incident disclosures on Form 8-K, generally within 4 business days after the determination that a cybersecurity incident is material. Read more.
August 1 2023
Five Action Items to Help You Prepare for the Wave of Privacy Enforcement Starting July 2023
Mark your calendars - July 2023 is an important month for US privacy enforcement. Read more.
June 21 2023
Washington “My Health My Data” Act Dramatically Alters Health Data Compliance Landscape
Washington State’s My Health My Data Act (“the Act”) introduces a sweeping set of obligations for nearly all entities that do business in the state and that handle “consumer health data,” a broad new class of health-related data separate from that regulated by the federal Health Insurance Portability and Accountability Act (“HIPAA”). Read more.
April 24 2023