Proposed Revisions to COPPA add Photos and other Protections, Comments Sought

On September 15, 2011 the FTC issued proposed revisions to the Children’s Online Privacy Protection Rule (“COPPA”), which establishes the requirements to protect the personal data of children younger than 13 on web sites. The rules specify that parents must consent to the collection of a child’s personal information.

The FTC provides the following summary:

The primary goal of COPPA and the Rule is to place parents in control over what information is collected from their young children online. The Rule was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. The Rule applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.
Operators covered by the Rule must:

  1. Post a clear and comprehensive privacy policy on their website describing their information practices for children’s personal information;
  2. Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children;
  3. Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties;
  4. Provide parents access to their child’s personal information to review and/or have the information deleted;
  5. Give parents the opportunity to prevent further use or online collection of a child’s personal information;
  6. Maintain the confidentiality, security, and integrity of information they collect from children.

In addition, the Rule prohibits operators from conditioning a child’s participation in an online activity on the child’s providing more information than is reasonably necessary to participate in that activity.

Even a brief review of the COPPA FAQ shows how varied the use of personal information is for websites. Responding to emails falls within an exception to COPPA – but only if the email is not kept by the website, for example.

At the same time, a Sept. 13, 2011 EU report finds that while “Member States and industry are increasingly making efforts to implement EU Recommendations dating from 1998 and 2006 … the measures taken have been insufficient overall.” Facebook, in particular, has come under criticism for its lack of protection for minors 13 or older and for its limited efforts to exclude minors 13 or under. Facebook has no mechanism to comply with COPPA and instead officially does not offer its services to the Tween and pre-teen set, requiring those minors merely to submit a different year of birth to utilize the site.

The proposal retain the under 13 cut-off for COPPA but expand the personal information covered to include audio files, photographs and video that contain images or sound of the minor as well as geolocation information. Some privacy advocates wanted the rules to include zipcode information, gender and date of birth data, but the proposals did not extend that far.

Filling the gap between COPPA and a system that looks away when the child provides the wrong date of birth may be the most important next step.

The FTC is seeking comments on the proposed revisions, which are due on or before November 28, 2011.