The Federal Trade Commission has officially updated Children’s Online Privacy Protection Act (COPPA) with new restrictions that go into effect today. The changes include a ban on collecting location data from site owners and app developers with properties aimed at children.
Since 2000, COPPA has required website operators whose sites are directed at users younger than thirteen to get parental consent before collecting personal information such as email addresses, home addresses or phone numbers for advertising purposes. The law also applies to sites and apps that are geared toward general audiences that have “actual knowledge” (e.g., a user’s date of birth) that they are collecting information from children under 13.
Under the revised rule, the definition of “personal information” now includes photos, location data, videos and audio recordings of children, as well as persistent identifiers like cookies and mobile device ID numbers. In addition, site owners and app developers are liable for the practices of third-party vendors such as ad networks, plug-ins and audience metrics.
As companies try to make sure that they are compliant with COPPA, the biggest challenge is determining whether the law applies to them, observed David Kahan, SVP of legal affairs and chief privacy officer for the ad network Jumptap.
Publishers also should not assume that ad networks will make that decision for them. “As an ad network, we’re not in the business of determining whether an app is primarily directed at children or not,” Kahan added. “Our default assumption is that we’re allowed to use the person’s persistent identifier from the traffic that comes in. If the site doesn’t tell us that it’s primarily directed at children, we have no way of knowing that and … if that happens we would be innocent but the app developer would not necessarily be viewed the same way.”
Small and medium-sized publishers in particular may struggle to comply with the COPPA updates, noted Alison Pepper, senior director of public policy at the Interactive Advertising Bureau (IAB).
“It’s a little harder for long-tail publishers to find out what’s going on and make sure they won’t be held liable,” Pepper said. “The strict liability standards for publishers is something that requires a lot of due diligence and a lot of internal auditing.”
The IAB, along with several other organizations, had petitioned the FTC to extend the deadline for companies to comply with the COPPA updates, which the FTC ultimately rejected.
Despite the FTC’s efforts to educate companies about the changes, it is impossible to expect all publishers to be ready for the updates, Pepper added. “To the FTC’s credit, they’ve put out a lot of guidance over the past few months to address questions that have come up about COPPA,” she said. “But there are always going to be areas of ambiguity that will need to be resolved.”