Website operators’ obligations expand with new COPPA rule definition of personal information

April 16, 2013

Child Online ProtectionI’ve been doing a short series of posts on the substantial changes to the Children’s Online Privacy Protection Rule (“Rule”) in 16 C.F.R. Part 312 that become effective on July 1, 2013.  The Rule has been developed and enforced by the Federal Trade Commission (“FTC”) to implement the Children’s Online Privacy Protection Act (“COPPA”) (15 U.S.C.A. §§ 6501 et seq.), which prohibits unfair or deceptive acts or practices in connection with the collection, use and/or disclosure of personal information from and about children on the Internet.

Last month I discussed changes in the rules that determine whether or not your clients would be deemed website operators and thus subject to the requirements of COPPA and the Rule.  If your clients are covered the next thing they need to understand is how the Rule will define “personal information” on and after July 1, 2013, since this is the data that your clients will need to protect.

Since its inception COPPA and the Rule have required protection of easily understood personally identifiable information such as a child’s full name, home address, e-mail address, telephone number, or any other information that would allow a third person to identify or contact the child. [64 Fed. Reg. 59888, 59892 (Nov. 3, 1999)] COPPA was also understood to be covering other types of information, including hobbies, interests, and information collected through the use of cookies or other types of online tracking mechanisms, whenever such information was associated with a particular child. [16 C.F.R. § 312.2]

The changes to the Rule that are going into effect are based on the recognition that communications technology has changed substantially over the last few years and the definition of “personal information” for purposes of the Rule has been expanded to include “online contact information”, including instant messaging user identifiers, voice over internet protocol (VOIP) identifiers and video chat user identifiers; a “screen or user name where it functions in the same manner as online contact information”; “persistent identifiers”, including an Internet Protocol (IP) address or mobile device IDs that can be used to recognize a user over time and across different websites or online services; a photograph, video, or audio file where such file contains a child’s image or voice; and geolocation information sufficient to identify street name and name of a city or town.

Obviously the expansion of the definition of “personal information” will cause your clients to make changes in the security procedures.  Next month I’ll finish this series by discussing how the general requirements on website operators will look from July 1, 2013 going forward.

For further discussion of the issues raised in this article, and examples of forms that can be used to strengthen the enforceability of employee intellectual property agreements, see Electronic Commerce (§§63:1 et seq.) and Privacy and Data Security (§§100A:1 et seq.) in Business Transactions Solutions, which is available on the West Web site and through Westlaw Next at Business Counselor.