This week the FTC announced their first significant update to the Children's Online Privacy Protection Rule since 1998, having been in talks to do so since 2010. This set of changes was outlined by FTC Chairman Jon Leibowitz who made it clear that the amount of time spent on these amendments should effectively underline their importance. A follow-up letter after the initial announcement was made created a list of easy-to-understand language surrounding the most significant changes and updates to the COPPA Rule.
The updates to the COPPA Rule included careful consideration and such transparency that both a public roundtable and several rounds of public comments sought by the agency were made apparent throughout the process. The core of this COPPA Rule centers around a requirement for websites and online services of all kinds to give notice to parents of children 13 or younger of any and all collection of personal information that they're doing on a regular basis. From there, the following was listed in the Changes column:
The final amendments:
• modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
• offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
• close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
• extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
• extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
• strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;
• require that covered website operators adopt reasonable procedures for data retention and deletion; and
• strengthen the FTC’s oversight of self-regulatory safe harbor programs.
The main rule also makes clear that any personal information collected from persons ages 13 and under must be kept entirely secure. If a website wishes to collect, use, or disclose any personal information from a person 13 years or younger they must get parental consent. The rule also notes that websites may not require a person under 13 to submit more personal information than is reasonably necessary to participate in said website, and that a "safe harbor" provision will be kept in the rule for industry groups "or others" to seek out FTC approval of any and all self-regulatory guidelines - just incase!
This update also included several modified definitions for terms such as Operator, Website, Online Service, Personal Information, and Collection. Personal Information will now be including geological information, photos, videos, and audio files that contain a child's image or voice.
At the moment, the only way a website can receive official consent from a parent for their child is through a double email system called "email plus", aka the "sliding-scale mechanism of parental consent". This system works only for operators collecting information for internal use, the FTC also noting that they're at this moment encouraging the development of new consent methods to make things easier on burgeoning websites of all kinds.