The FTC rolled out updates to the Children's Online Privacy Protection Act (COPPA) yesterday, adding provisions designed to better protect kids who use smartphone apps and social networking. Among other things, parents must now give their consent before entities can gather kids' photos, videos or geographic location.
From the FTC website:
SUMMARY: The Commission amends the Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”), consistent with the requirements of the Children’s Online Privacy Protection Act, to clarify the scope of the Rule and strengthen its protections for children’s personal information, in light of changes in online technology since the Rule went into effect in April 2000. The final amended Rule includes modifications to the definitions of operator, personal information, and website or online service directed to children. The amended Rule also updates the requirements set forth in the notice, parental consent, confidentiality and security, and safe harbor provisions, and adds a new provision addressing data retention and deletion.
EFFECTIVE DATE: The amended Rule will become effective on July 1, 2013.
The FTC started working on an update in 2010 to ensure that the COPPA Rule keeps up with evolving technology and changes in the way children use and access the Internet, including the increased use of mobile devices and social networking. "The updates to the COPPA Rule reflect careful consideration of the entire record of the rulemaking, which included a public roundtable and several rounds of public comments sought by the agency," the FTC said in a statement.
Here are the final amendments:
--modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
--offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
--close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
--extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
--extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
--strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;
--require that covered website operators adopt reasonable procedures for data retention and deletion; and
--strengthen the FTC’s oversight of self-regulatory safe harbor programs.