On December 19, 2012, the Federal Trade Commission (“Commission”) announced long-awaited amendments to its rule implementing the Children’s Online Privacy Protection Act (“Rule”). The changes—which take effect on July 1, 2013—are significant. They alter the scope and obligations of the Rule in a number of ways. We discuss the revisions in greater detail below.
- The Commission revised the Rule’s definition of “personal information” to include more types of data that trigger the Rule’s notice, consent, and other obligations. These include persistent identifiers when used for online behavioral advertising and other purposes not necessary to support the internal operations of the site or online service.
- The Commission expanded the Rule’s coverage to third-party services—such as ad networks and social plug-ins—that collect personal information through a site or service that is subject to COPPA. The host site or service is strictly liable for the third party’s compliance, while the third party must comply only if it has actual knowledge that it is collecting personal information through a child-directed site or from a child.
- The Commission streamlined the content of the parental notice and simplified the privacy policy.
- The Commission retained the “email plus” method of obtaining parental consent. It also added new methods of obtaining consent and established a process for pre-clearance of other consent mechanisms.
- The Commission imposed new data security pass-through requirements, as well as data retention obligations.
- The Commission revised the Rule to permit certain sites that are “directed to children” to comply only with respect to those users who self-identify as under 13.