Privacy & Information Security Law Blog

On July 26, 2013, the Federal Trade Commission announced updates to its frequently asked questions regarding the Children’s Online Privacy Protection Act of 1998 (“COPPA”). The updated FAQs, which have replaced the June 2013 version on the FTC’s Business Center website, provide additional information in the sections addressing websites and online services directed to children and disclosure of information to third parties.

• Sharing on Social Media and via Email - The updated FAQs include a new question and answer regarding child-directed mobile applications that include buttons or plug-ins to allow children to email or share user-generated content through social media. The FTC indicates that verifiable parental consent is required, even if the mobile application does not otherwise collect personal information, because the COPPA Rule’s definition of “collection” includes “requesting, prompting, or encouraging a child to submit personal information online, and enabling a child to make personal information publicly available in identifiable form.”
• Actual Knowledge - The revised FAQs provide additional guidance on what it means for an advertising network to have actual knowledge that it is collecting personal information from children or websites and services directed to children.
  • Whether or not an advertising network is deemed to have acquired actual knowledge is very fact-specific, but if (1) the child-directed content provider directly communicates the child-directed nature of its content to the advertising network, or (2) a representative of the advertising network recognizes the child-directed nature of the content, the standard likely will be met.
  • The receipt of a list of allegedly child-directed websites from a parents’ organization or advocacy group alone probably would not constitute actual knowledge, and there would be no duty to investigate.
  • Advertising networks may choose to participate in a system requiring websites to certify whether or not they are child-directed. If a website affirmatively verifies that it is not child-directed, the advertising network ordinarily may rely on this representation.
• Disclosure Obligation Regarding Information Collected from a Child-Directed Site - If an advertising network discovers after the effective date of the COPPA Rule that it has been collecting personal information via a child-directed website, the FAQs provide guidance on steps that should be taken.
  • If the advertising network continues to collect new personal information through the website, or uses or discloses the previously collected personal information, it should provide notice and obtain verifiable parental consent unless an exception applies.
  • If the advertising network continues to use or disclose previously collected personal information, the advertising network only must obtain verifiable parental consent if it has actual knowledge that the information was collected from a child-directed site. If the advertising network no longer knows the source of the information, then it may continue to use the information without providing notice or obtaining verifiable parental consent.
  • If, however, the advertising network, is aware that the previously-collected personal information came from users of a child-directed site, the advertising network must comply with parental requests to delete the personal information that was collected even if the ad network will not use or disclose the personal information.

The FTC’s recent revisions to the COPPA Rule became effective July 1, 2013. The July 2013 FAQ updates reflect the FTC’s efforts to provide guidance and clarification as questions regarding implementation of the new Rule arise.