The FTC adopted final amendments to the Children’s Online Privacy Protection Rule on December 19, 2012, just over two years ago. The amendments strengthened kids’ privacy in several ways. Just a few examples: adding photos, videos, kids’ voices, and persistent identifiers to the list of “personal information” that can’t be collected without parental notice and consent; ensuring that kid-directed apps and websites aren’t letting third parties collect personal information from kids through plug-ins without parental notice and consent; beefing up data security protections; and increasing the FTC’s oversight of self-regulatory safe harbor programs.
So what’s happened since the amended Rule took effect on July 1, 2013? A lot.
Safe Harbors and Verifiable Parental Consent Methods. All told, Commission-approved Safe Harbors have over 140 members with more than 1100 sites and apps. In the past 18 months, we’ve reviewed existing Safe Harbors to see how they’ve incorporated changes to COPPA and answered their questions to help them guide their members. We’ve also reviewed applications for two new Safe Harbor programs and four proposed verifiable parental consent methods. For each application, we’ve reviewed public comments and provided a written determination. Through this process, the Commission approved two new safe harbors, KidSafe and iKeepSafe, and a new verifiable parental consent method involving knowledge-based authentication. One application is pending.
Guidance. Companies asked for more guidance on implementing the amendments to COPPA and we followed through in four ways:
- FAQs. A few months before the new Rule’s effective date, we revised our COPPA FAQs to answer the questions businesses were asking about changes to COPPA. Now that the FAQs address more than 100 topics, we've given them a fresh look to make it easier for you to find exactly what you’re looking for. We’ve also expanded the FAQs to address issues like push notifications, actual knowledge, the use of plug-ins, and verifiable parental consent.
- COPPA Hotline. CoppaHotLine@ftc.gov serves as a “bat phone” for companies with questions about COPPA. We've answered more than 1000 substantive questions since the Rule’s effective date. The guidance we've offered covers nearly every aspect of COPPA: privacy policies, direct notice, age screening, support for internal operations – the works.
- Business education. Companies asked for nuts-and-bolts guidance and we responded with The Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business. Although the publication addresses the 2013 COPPA amendments, it goes back to the beginning and offers start-from-scratch advice for companies that are new to COPPA. We also produced a video, Protecting Children’s Privacy under COPPA, focusing specifically on changes in the amended Rule.
- Speeches and webinars. Industry members, advocates, and parents have questions about COPPA, which is why we’ve taken our show on the road. We may have met you at one of the more than 30 COPPA-centric events we’ve attended across the country or perhaps you watched a webinar where FTC staffers explained the ins and outs of COPPA compliance.
Law enforcement. The focus on education and outreach hasn’t changed the FTC’s long-standing emphasis on enforcement. The Commission settled two cases in 2014 that demonstrates the importance of COPPA compliance in the mobile space. Actions against TinyCo and Yelp demonstrate our commitment to challenging COPPA violations both by services directed to children and by general audience services with actual knowledge that they’re collecting personal information from children. Further evidence of that commitment: a December 22, 2014, staff warning letter to a China-based developer of child-directed apps that may be collecting geolocation information.
But to get a complete picture of the FTC’s efforts to ensure COPPA compliance, it’s important to consider the numerous non-public inquiries we’ve undertaken to determine if websites and apps are honoring their legal obligations. We learned that where there’s smoke, there isn’t always fire. For example, in the course of our behind-the-scenes efforts, we’ve come across audio apps that actually obscure the voices they collect, photo apps where the pictures remain on the device and don’t transmit through the app, apps using persistent identifiers for support for internal operations, and sites that get parental consent. But even when an inquiry doesn’t end with law enforcement, we think our investigations encourage COPPA compliance.
The Commission’s Safe Harbors have been busy monitoring their members as well. Safe Harbor annual reports reveal that from July 2013 to July 2014, Safe Harbors identified dozens of COPPA issues and required their members to correct them.
All of these aspects of the FTC’s COPPA program – Safe Harbors, guidance, and law enforcement – work together to help protect children’s privacy. We’ve done a lot since the Commission adopted the amended Rule two years ago, but an anniversary isn’t an end. We’re committed to continued cooperation with Safe Harbors, additional guidance to help businesses, and rigorous law enforcement.
That’s a recap of what we’ve been up to. What’s it all mean for your company?
- If you haven’t given COPPA much consideration since the revised Rule took effect in 2013, it may be time for a compliance check-up. As recent law enforcement actions demonstrate, changes to your website or modifications to the functionality of your apps could have unintended COPPA consequences.
- How can you get your COPPA questions answered? Our Six-Step Compliance Plan is the best place to start. Experienced COPPA hands can consult the FAQs for in-depth advice. And subscribing to the Business Blog is easy way to stay current.
- Have you considered if Safe Harbor membership is appropriate for your business? Of course, there’s no one-size-fits-all approach to COPPA, but many companies have found that Safe Harbor membership helps to streamline compliance.