COPPA-ing with New Website Collection Rules

August 1, 2013

The Children Online Privacy Protection Act (COPPA) has been in effect since 2000, but recent changes to the rules implementing COPPA by the Federal Trade Commission (FTC) take into account changes in online data collection methods over the past decade.

By way of background, COPPA focuses on the collection of personal information from children under 13 years of age, and includes both commercial websites or online services that are directed to children under 13, or are general in nature, but which the operator has actual knowledge that it collects, uses or discloses personal information from children under 13.

If the website or online service falls within these parameters, then it must draft and post an online privacy policy regarding what information is collected; incorporate a parental consent function in order for the site to commence collecting information; obtain consent from the parent to collect the personal information, and give the parent the option of prohibiting third-party disclosure; provide parents the ability to access to the collected personal information; provide parents the opportunity to prevent future collection of personal information; provide parents the opportunity to request deletion of their child's personal information; and adopt reasonable procedures to secure and protect the collected personal information.

The new rules expand the scope of liability of websites and online services, both for the site's practices, and those to whom they grant permission to advertise. In addition, the new rules modify the parental consent process. With respect to the operator's liability, the FTC expanded its list of factors that it would use when determining whether a website is "directed" to children under the age of 13 to include following three criteria: it knowingly targets children under the age of 13 as its primary audience; based on the overall content of the website or online service, it is likely to attract children under the age of 13 as its primary audience; or based on the overall content of the website or online service, it is likely to attract an audience that includes a disproportionately large percentage of children under the age of 13 as compared to the percentage of such children in the general population.

If the site does not collect personal information from any visitor prior to requesting age information and/or prevents the collection, use, or disclosure of personal information from visitors who identify themselves as under age 13 without first obtaining verifiable parental consent, then the new rules will not apply.

The new rules not only apply to the content the operator posts to its website, but also includes the plug-ins and advertising network that runs on the website as well. As a result, even if the website does not collect personal information, the rules will apply if a plug-in or ad network has actual knowledge that it is collecting personal information through a child-directed website or service.

Also expand is the definition of the types of personal information that will trigger liability. Now, the collection of geo-location information (sufficient to identify street name and name of a city or town), and photographs, videos or audio files which contains a child's image or voice are included, as well as persistent identifiers such as IP address or User IDs that automatically recognize a returning visitor.

In the event that a website does collect personal information from children under the age of 13, then it must obtain verifiable consent from the child's parent. If the personal information will be used for more than just internal purposes, then it will not be sufficient only to send the parent an email confirming their consent. Instead, there must be a second step whereby the parent confirms its consent. The FTC has provided a laundry list of examples, such as: signing and returning a consent form; use of a credit card which provides notification after each transaction; or requiring the parent to call a toll-free number or participate in a video chat.

If an operator believes that there is a chance that children under the age of 13 will visit its site, and the operator collects personal information, or permits other parties to collect personal information, it is strongly suggested that they consider conducting a comprehensive review of their procedures to ensure continued compliance. The fines issued at by the FTC start at $16,000 per violation, and in light of the expanded definition of "directed to children", an operator might find itself in hot water faster than saying "Psy."

FCC Dateline

FCC map

August: Stations in California continue running License Renewal Post-Filing Announcements August 16, Sept. 1 and 16. Stations in Alaska, American Samoa, Guam, Hawaii, Mariana Islands, Oregon, Saipan, and Washington commence running License Renewal Pre-Filing Announcements Aug. 16, Sept. 1 and 16.

Petro is of counsel at Drinker Biddle & Reath, LLP. Email:

Receive regular news and technology updates. Sign up for our free newsletter here.