Updates to the Children’s Online Privacy Protection Rule

March 8, 2013

Expansion of Parties Subject to the Rule

Child Online ProtectionGiven the tremendous popularity of the Internet among children and the potential for unscrupulous Internet actors to prey on the inexperience and naivety of young people, it is not surprising that the federal government intervened early on in the development of the online world with the enactment of the Children’s Online Privacy Protection Act (“COPPA”),

In general, COPPA prohibits unfair or deceptive acts or practices in connection with the collection, use and/or disclosure of personal information from and about children on the Internet and tasked the Federal Trade Commission (“FTC”) with developing regulations for implementation of certain provisions of COPPA which have been documented as the Children’s Online Privacy Protection Rule (“Rule”).

Persons involved in the operation of commercial websites and online services directed to children under the age of thirteen that collect personal information from children have been required to comply with the Rule for over a decade and in December 2012, following several years of soliciting comments and internal debate, the FTC adopted substantial changes to the Rule at become effective on July 1, 2013 and which have been touted as bringing online child protection into the 21st Century.

As the starting date for these changes approaches, clients of yours that are operating commercial websites should be advised of the need to check and update their online privacy policies and notices.  In order to help you with the process of counseling your clients in this area we are presenting a series of posts, beginning this month, on the most important revisions and additions to the Rule.

The obvious threshold issue for your client is whether or not they are subject to COPPA and the Rule and there have been changes in the Rule that expand the net.  From the time it was first adopted COPPA applied to commercial websites or online services (1) directed to children under the age of thirteen that collected personal information from children, or (2) that operated general audience websites and had actual knowledge that they collect personal information from children.

The definition of a “website or online service directed to children” provided several factors the FTC could use to determine whether a site is directed at children.  The original Rule defined the term “operator”, for purposes of determining who would be subject to COPPA, to include any person (i) who operated a website located on the Internet or an online service and who collected or maintained personal information from or about the users or visitors or (ii) on whose behalf such information was collected or maintained.

The intent was to be sure that website operators who explicitly engaged “agents” to act on “their behalf” to collect personal information from children would be covered by COPPA.  As time went by, however, new tools were developed that did not fit within the original notion of “agent” but nonetheless allowed website operators to collect information in ways that arguably should be subject to COPPA.  In response, the Rule has been revised to provide that: “Personal information is collected or maintained on behalf of an operator when: (a) it is collected or maintained by an agent or service provider of the operator; or (b) the operator benefits by allowing another person to collect personal information directly from users of such website or online service.”

From July 1, 2013, website operators will need to comply with COPPA if they enable third party apps that collect personal information about children or integrate outside services, such as plug-ins or ad networks, that collect such information.  Attorneys need to be sure that their clients conduct a thorough investigation of their practices with respect to third party apps and other outside services to determine whether COPPA is applicable to their online activities.

In our next article we’ll consider the changes that have been made in the scope of the Rule’s definition of “personal information”.  For further discussion of the issues raised in this article, and examples of forms that can be used to strengthen the enforceability of employee intellectual property agreements, see Electronic Commerce (§§63:1 et seq.) and Privacy and Data Security (§§100A:1 et seq.) in Business Transactions Solutions, which is available on the Thomson Reuters legal solutions site and through Westlaw Next at Business Counselor.