Skip to main content

On the Seventh Day of Privacy, the FTC Gave to Me....

Significant compliance obligations with children’s privacy rules! 

Written by Julia Siripurapu, CIPP/US

Last December, the FTC gave to us the long awaited (or maybe not so much by covered entities!) final amendments to the 14-year old Children’s Online Privacy Protection Act (COPPA) Rule (the “COPPA Rule,” and as amended, the “Amended COPPA Rule”). Published in the Federal Register on January 17th of this year and effective as of July 1st, the Amended COPPA Rule puts in place additional children’s privacy protections and imposes significant compliance obligations on websites and online services (including mobile applications) that collect personal information (including by passively tracking personal information through persistent identifiers and not just active collection) from children under 13. The Amended COPPA Rule also extends to plug-ins and online advertising services with “actual knowledge” that they are collecting personal information from children under 13.

Since July 1, the FTC has been busy educating businesses and consumers on the Amended COPPA Rule and reviewing applications and public comments on verifiable parental consent methods submitted under the Voluntary Commission Approval Process provision of the Amended COPPA Rule and a safe harbor program submitted under the “safe harbor” provision of the Amended COPPA Rule. As of this date, the Commission has not approved the applications submitted this year.

Looking Forward to 2014

If you are covered by COPPA, one your top resolutions for 2014 should be to make sure that your compliance house is in order.  In 2013 the FTC was busy making children’s privacy rules and reviewing applications submitted under the Amended COPPA Rule and we expect that in 2014 the Commission will be busy monitoring compliance and enforcing these rules.    Penalties for violations of the Amended COPPA Rule can be steep and go up to $16,000 per violation. Stay tuned for news on FTC children’s privacy enforcement actions!

In 2014, we will also be monitoring the “Do Not Track Kids Act of 2013”  (S. 1700 and H.R. 3481, the “Bill”) introduced in the House and Senate on November 14th by Sens. Ed Markey (D-Massachusetts) and Mark Kirk (R-Illinois) and Reps. Joe Barton (R-Texas) and Bobby Rush (D-Illinois). Senator Markey and Representative Barton introduced a similar bill in 2011, the “Do Not Track Kids Act Of 2011” (H.R. 1895), which did not pass.

The Bill has been endorsed by the American Academy of Pediatrics as well as by child advocacy and privacy groups such as the Center for Digital Democracy, Center for Science in the Public Interest, Communication Workers of America, Consumer Watchdog, and Consumer Union.

In a nutshell, the Bill (1) restricts the collection, use, and disclosure of personal information from children under 13 (“children”) and from minors over the age of 12 and under the age of 16 (“minors”) by websites, online applications, mobile applications, and online services, (2) prohibits behavioral advertising to children and minors, and (3) requires covered entities to establish a mechanism that permits the deletion of personal information of children and minors when requested. The Bill would also expand COPPA’s coverage and the FTC’s enforcement authority to telecommunication carriers and broadband Internet access services (as defined in the FCC’s Net Neutrality Order).

Last but not least, as mentioned in our prior blog post on privacy developments in California, we will be tracking preparations for California’s S.B. 568, which addresses the collection and deletion of information posted online by minors under the age of 18 and will be effective January 1, 2015.

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.