FTC Expands COPPA Rules on Children’s Personal Information

Websites will no longer be able to collect geolocation information or display photos or videos of children under 13 without parental consent under new rules adopted by the Federal Trade Commission (FTC).

The new rules amended the original rules adopted in 2000, which implemented the Children’s Online Privacy Protection Act (COPPA).  The amendments expand the definition of personal information to include geolocation information and photos, videos, and audio files that contain a child’s image or voice.  In addition, the rule covers persistent identifiers that can be used to recognize a user over time and across different websites or online services.

“As the Privacy Rights Clearinghouse stated, ‘[a]s facial recognition advances, photos and videos have the potential to be analyzed and used to target and potentially identify individuals.’  Given these risks, the Commission continues to believe it is entirely appropriate to require operators who offer young children the opportunity to upload photos, videos, or audio files containing children’s images or voices to obtain parental consent beforehand.  Therefore, the Commission adopts modifications of the definition of personal information regarding photos, videos, and audio files as proposed in the 2011 NPRM, without qualification,”  the FTC found.

“[T]he Internet of 2012 is vastly different from the Internet of more than a decade ago, when we first issued the COPPA Rule,” FTC Chair Jon Leibowitz stated in a press release.  “Since then, we have seen the rise of smartphones, tablets, social networks, and more than a million apps.  And while these advances have enriched our lives, enhanced educational opportunities, and grown our economy, they also exacerbate the privacy risks of children.”

COPPA requires that websites or online services directed to children under 13, or having knowledge that they are collecting personal information from children under 13, obtain parental consent before collecting, using, or disclosing such information.

The amended rules close a loophole that allowed child-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent.

The new rules prohibit operators, without parental consent, from using or disclosing information collected to contact a specific person, including through behavioral advertising, to amass a profile on that person, or for any other purpose.  Website operators also must take reasonable steps to make sure that third parties are capable of maintaining the confidentiality, security, and integrity of children’s personal information before they release such information to the parties.

The new rules take effect on July 1, 2013.