At the International Association of Privacy Professionals' annual privacy conference last week, FTC senior attorney Mamie Kresses discussed the new liability concerns for operators of websites and services due to the recent revisions to the FTC's COPPA Rule. (COPPA, the Children's Online Privacy Protection Act, and the COPPA Rule, require, among other things, that operators of websites and services that are directed to children under 13, or that knowingly collect personal information from children under 13, obtain parental consent. We summarized these revisions in a client alert.)
The revised definition of "operator" includes (1) an operator of a child-directed site or service that allows outside services, such as plug-ins and advertising networks, to collect personal information from visits, and (2) a plug-in or ad network when it has actual knowledge that it is collecting personal information through a child-directed website or service. According to Kresses, a child-directed website or service could face enforcement actions if it failed to prevent third parties that are on the site or service from collecting data without parental consent. Kresses also stated that an operator of a website or service could still be liable for a COPPA Rule violation even if it has a service agreement in place prohibiting third parties from collecting information from children under 13. Kresses suggested that companies be selective about what third-party content appears on their sites.
The COPPA Rule revisions also expanded the definition of personal information to include geolocation information, photos, videos, audio files, and persistent identifiers such as Internet Protocol addresses and mobile device IDs that are not used for supporting internal operations like contextual advertising and frequency capping. Kresses responded to questions about how companies should handle information that, prior to the Rule revision, was not considered "personal information." She stated that if a company collected information prior to the revisions, and that information now falls within the definition of personal information, that the company cannot use that information after July 1st without first obtaining parental consent. She acknowledged that many companies collected this information without obtaining parental consent and that it could be very difficult to obtain consent at this point. She also indicated that if a company cannot use information it collected, it should delete the information.
The revised Rule takes effect July 1, 2013. Kresses said that the FTC will issue more guidance on how to comply with the revised Rule soon.
This client alert is a publication of Loeb & Loeb LLP and is intended to provide information on recent legal developments. This client alert does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations.
Circular 230 Disclosure: To assure compliance with Treasury Department rules governing tax practice, we inform you that any advice (including in any attachment) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer, and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.