Privacy & Cybersecurity Law Blog

Today, July 1, 2013, the Federal Trade Commission’s changes to the Children’s Online Privacy Protection Rule (the “Rule”) officially come into effect. On December 19, 2012, the FTC announced that it had published the amended Rule following two years of public comments and multiple reviews of various proposed changes.

Now that the enforcement date has arrived, businesses subject to the Rule are expected to have brought their privacy practices into compliance with the amended Rule. As we reported previously, the updated Rule includes a number of key changes. For example:

• The definition of “personal information” has been broadened to include photographs, “geolocation information sufficient to identify street name and name of a city or town,” videos or audio files “where such file contains a child’s image or voice,” and persistent identifiers that “can be used to recognize a user over time and across different websites or online services.” Persistent identifiers include customer numbers held in a cookie, IP addresses, processor or device serial numbers and unique device identifiers.
• The FTC expanded and clarified its guidance regarding the methods companies may use to obtain verifiable parental consent.
• The revised Rule requires apps and websites directed at children to give parental notice and obtain consent before permitting third parties to collect children’s personal information through plug-ins.
• The amendments require that personal information collected from children be retained only “as long as is reasonably necessary to fulfill the purpose for which the information was collected” and deleted “using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.”
• Operators are required to take reasonable steps to ensure that children’s personal information is disclosed only to service providers and third parties capable of maintaining the confidentiality, security and integrity of such information.

Since publication of the new Rule, the FTC has announced updates to the Frequently Asked Questions (“FAQs”) documents that were provided to supplement compliance materials posted on the FTC website. In recent weeks the FTC issued additional updated FAQs, including two questions regarding notice and parental consent requirements in connection with (1) sending push notifications, and (2) adding the Facebook Like button to child-directed websites.

On June 25, 2013, the video game industry’s self-regulatory body, the Entertainment Software Rating Board (“ESRB”), announced that it had broadened its privacy seal certification program to help companies manage their mobile app privacy practices and comply with their new obligations under the amended Rule. ESRB Privacy Certified is one of five FTC-approved Safe Harbor programs.

As we reported on May 15, 2013, the FTC sent educational letters to over 90 companies that appeared to the FTC to be collecting personal information (as the term is more broadly defined under the amended Rule) from children under the age of 13. Although these letters did not provide an official evaluation of the companies’ practices, the letters were intended to demonstrate that the FTC will not delay enforcement for companies that fail to comply with the updated Rule. Previously, on May 6, 2013, the FTC announced that it would not postpone its July 1, 2013 implementation deadline, despite industry groups’ assertions that they needed more time to comply with the amended Rule.

View the text of the updated COPPA Rule.