Final Amended COPPA Rule effective July 1, 2013
Disclaimer
The views expressed in this presentation are my own and are not necessarily those of the Commission or any individual Commissioner.
COPPA Enforcement
Agency has filed 21 federal court actions, and has obtained over $8.4 million in civil penalties;
FTC is authorized to seek up to $16,000/violation in penalties;
Deletion of personal information collected without parental consent;
Employee education and written acknowledgement;
Written compliance report to FTC; and
Consumer education.
July 2013 Changes
Definitions
Online and Direct Notices
Parental Consent Mechanisms
Confidentiality and Security of Children’s PI
Data Retention and Deletion
New Voluntary Processes for FTC Approval
Safe Harbor Programs
“Operator”
Personal information is collected or maintained on behalf of an operator when:
• it’s collected or maintained by the operator’s agent or service provider; or
• the operator benefits by allowing another person to collect PI directly from its users.
Applies to 1st party child-directed sites/services that embed 3rd party content
Who must comply?
Operators of a commercial website or online service directed to children (CDS) that collect, maintain, or provide the opportunity to disclose personal information (PI).
Operators of a general audience site or service with actual knowledge that they collect kids’ PI.
Operators of a CDS that allow another person to collect PI directly from its users.
A site or service with actual knowledge it’s collecting PI from users of a CDS.
“Website/Online Service Directed to Children”
Reorganized definition sets out criteria for site/service directed to children upfront
Adds provision that a service collecting PI directly from users of child-directed site/service is covered where it has actual knowledge of such collection;
• Applies to 3rd party services embedded on child-directed sites/services
Adds provision allowing child-directed site/service, which doesn’t target children as its primary audience, to age-screen to provide COPPA protections only to users under 13
“Personal Information”
Updates to the Definition of PI:
Persistent identifiers (e.g., cookie strings, user IDs, IP addresses, processor or device serial numbers, unique device identifiers) used to recognize a user over time and across different websites or online services;
Geolocation information sufficient to identify street name and name of city/town;
Screen/user names where they function in the same manner as online contact information; and
Photos, videos, or audio files containing a child’s image or voice.
“Support for Internal Operations”
Includes use of persistent identifiers to:
• Maintain/analyze functioning site/service
• Perform network communications
• Authenticate users/personalize content on site/service
• Serve contextual advertising, cap frequency of ads
• Protect security/integrity of site/service
• Ensure legal/regulatory compliance
Excludes use of persistent identifiers for behaviorally targeting or amassing a profile on a child or for any other purpose
“Support for Internal Operations” (cont’d)
Persistent identifiers may be collected without VPC if used to support internal ops of EITHER the child-directed site OR the third-party plug-in;
Analytics does fall into support for internal ops, BUT you should ensure analytics company is not using for impermissible purpose (e.g., behavioral advertising);
“Personalization” is for user-driven preferences not behavioral advertising.
“Collects or Collection”
Modifies part (b) of definition to:
Replace the “100% deletion standard” with a “reasonable measures” standard.
Let operators provide interactive communities for children without parental consent as long as they take reasonable measures to delete all or virtually all children’s PI before it’s made public.
Notices
Improves the “direct notice” to:
• Ensure that key information is presented to parents in a succinct “just-in-time” notice;
• Provide a clear roadmap for operators as to content of direct notice depending upon its collection and use practices.
Streamlines the privacy policy by requiring a simple statement of:
• The information the operator collects from children, including whether the website/online service enables a child to make PI publicly available;
• How the operator uses such information; and
• The operator’s disclosure practices for such information.
Mobile phone and direct notice
The collection of a mobile phone number from a child is not permitted without first obtaining verifiable parental consent.
Once you have collected a parent’s online contact information, you may request a mobile phone number for further contact with the parent.
Parental Consent
New approved VPC methods in Rule:
• Electronic scans of signed parental consent forms;
• Video-conferencing;
• Use of government-issued identification checked against a database, provided that the parent’s ID is deleted promptly after verification;
• Use of debit card or other online payment system, if it provides notification of each transaction;
• Retains “email plus” for internal uses of PI.
Exceptions to Parental Consent
Adds 3 new exceptions:
• Where site/service collects parent’s online contact information (but no other PI from child) to keep parent informed of a child’s activities;
• Where site/service collects persistent identifier (but no other PI from child) for sole purpose of providing “support for internal operations”;
• Where plug-in collects persistent identifier on a child-directed site/service (but no other PI) from a 13+ previously registered user who affirmatively interacts with it.
Data Security
Strengthens the Rule’s confidentiality, security, and integrity provision by:
• Adding a requirement that operators take reasonable steps to release children’s PI only to parties capable of maintaining its security.
Adds a data retention and deletion provision to:
• Retain children’s PI for only as long as is reasonably necessary to fulfill the purpose for which it was collected; and
• Properly delete PI by taking reasonable measures to protect against unauthorized access to or use in connection with its deletion.
Voluntary Approval Processes
Parental consent methods: Request for Commission approval of new mechanisms
Support for internal operations of the website or online service: Request for Commission approval to add new activities to the definition of support for internal operations
All requests published for public comment
Commission determination within 120 days of request
Safe Harbor approval of parental consent methods: Operators participating in FTC-approved safe harbor can use a method permitted by that program.
Safe Harbor Programs
Strengthens COPPA safe harbors by requiring them to:
Detail their business models and technological capabilities and mechanisms to assess and ensure members’ COPPA compliance;
Audit members at least annually;
Report to the Commission (July 1, 2014 and annually thereafter) on the aggregated results of internal audits.
A few key issues
The FAQs and other guidance
Mixed Audience Sites/Services
Third Party Content
Actual Knowledge
Push Notices
Schools
Safe Harbors, VPC, and Internal OPs
FAQs and Other Guidance
FTC staff publish COPPA FAQs.
Since the amendments, we have updated and added new FAQs to provide guidance regarding the new rule.
Not a static document; we will continue adding new FAQs as we receive questions.
COPPA Hot Line.
Outreach.
Mixed Audience Sites
Allows child-directed site/service that doesn’t target children as its primary audience to age-screen and provide COPPA protections only to users under 13.
• What kinds of sites are mixed audience?
• Can I block kids from my mixed audience site?
• How do I know whether I am a mixed audience site?
Mixed Audience cont’d
Sites with parents corners are not mixed audience sites – children are still the primary audience.
May continue to treat parents corner as general audience so long as it is not enticing to children.
Third Party Plug-ins
Do I have to provide notice and get consent if I put third party plug-ins on my site?
Generally, first party is responsible for all collection through site including where done by a third party.
• First party operator gets benefit from having plug-in on site.
• Fills a gap.
Exceptions to Third Party Collection Rule
Section 312.5(c)(7)
• Persistent ID for internal ops
Section 312.5(c)(8)
• Persistent ID with previous interaction
Only apply to notice and consent requirements.
Actual Knowledge
How does a third party plug-in obtain actual knowledge that it is collecting personal information from users of child-directed sites?
• Where child-directed content provider directly tells the plug-in.
• Where representative recognizes child-directed nature of content.
List of URLs from consumer group will not provide actual knowledge or duty to investigate.
Actual Knowledge
Who from my company can get actual knowledge?
Use of a first party “child-directed site” signal.
Push notifications
How does COPPA treat push notifications?
• Information you collect for push notification is online contact information and requires consent.
• BUT, you may rely on multiple contact exception (provide notice and opt out).
• Cannot combine with other personal information.
Schools
Can operators get consent from schools instead of parents to collect personal information from students?
• Teacher, school, district?
Yes if for the use and benefit of the school and no other commercial purpose.
• Best practice is to go through school or district.
Safe Harbors and other Approval Processes
Amendments strengthen Safe Harbor program by requiring them to:
• Detail their business models and technological capabilities and mechanisms to assess and ensure members’ COPPA compliance;
• Audit members at least annually; and
• Report to the Commission (July 1, 2014 and annually thereafter) on the aggregated results of internal audits.
VPC and Internal OPs
Request approval of new VPC method.
• Analysis of how proposed method will meet standard.
Request approval of additional activities to include within definition of internal ops.
• Analysis of potential effect on children’s privacy.
Questions?
FAQs available at http://business.ftc.gov/documents/0493-Complying-with-COPPA-Frequently-Asked-Questions
Email at [email protected]
General website at www.FTC.gov