FTC Gives App Developers ‘Heads Up' On Complying with COPPA Rule Changes

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

In an effort to educate companies that may be affected by the updated Children's Online Privacy Protection Rule, the Federal Trade Commission May 15 sent more than 90 letters to mobile application developers about the changes.

The letters are part of the agency's ongoing effort to help businesses comply with the new requirements, which go into effect July 1. According to a May 15 statement by the commission, these letters do not provide an official evaluation by the FTC of each company's practices; instead, “they are designed to help businesses come into compliance with the rule's requirements.”

The FTC sent letters to: domestic companies that may be collecting images or sounds of children; domestic companies that may be collecting persistent identifiers from children; foreign companies that may be collecting images or sounds of children; and foreign companies that may be collecting persistent identifiers from children.

COPPA Rule Changes

The FTC released the final amendments to its rule implementing the Children's Online Privacy Protection Act (COPPA) in December 2012 (11 PVLR 1833, 12/24/12). The COPPA Rule imposes parental notice and consent requirements on websites and online services collecting information from children younger than 13.

Among other changes, the amended COPPA Rule:

• modifies the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;

• closes a loophole that allowed child-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;

• extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA; and

• extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as internet protocol addresses.

 

The FTC released its updated FAQs on the COPPA Rule April 25 (12 PVLR 733, 4/29/13).

On May 6, the Federal Trade Commission announced that it would retain the July 1 implementation date for the amended rule despite claims by the business community that it would struggle to comply by then (12 PVLR 827, 5/13/13).

Prosecutorial Discretion

In the letters from Maneesha Mithal, associate director of the FTC's Division of Privacy and Identity Protection, the FTC encouraged the app developers to review their apps, policies, and procedures in light of the COPPA Rule changes.

The commission clarified that, beginning July 1, the “personal information” definition “will broaden to include a photograph or video with a child's image, or an audio file that has a child's voice.” In addition, the FTC said the definition “also will include screen or user names that function as online contact information, and persistent identifiers, such as cookies, IP addresses and mobile device IDs, that can recognize users over time and across different websites or online services (subject to certain important exceptions for support for the functioning of an app).”

The letters also provided “musts” for app developers covered by COPPA, such as providing notice and obtaining parental consent for personal information collected on apps from third parties, taking “reasonable steps” when releasing children's personal information, and meeting new data retention and data deletion requirements.

“As with all our enforcement activities, the Commission will exercise its prosecutorial discretion in enforcing the COPPA Rule, particularly with respect to small businesses that have attempted to comply with the Rule in good faith in the early months after the Rule becomes effective,” the FTC said in the letters.


The FTC's letter to domestic companies that may be collecting images or sounds of children is available at http://www.ftc.gov/os/2013/05/130515coppadomesticimagesletter.pdf.

The FTC's letter to domestic companies that may be collecting persistent identifiers from children is available at http://www.ftc.gov/os/2013/05/130515coppadomesticidentifiersletter.pdf.

The FTC's letter to foreign companies that may be collecting images or sounds of children is available at http://www.ftc.gov/os/2013/05/130515coppaforeignimagesoundletter.pdf.

The FTC's letter to foreign companies that may be collecting persistent identifiers from children is available at http://www.ftc.gov/os/2013/05/130515coppaforeignindentifiersletter.pdf.