Marketing On-Line to Children Just Got Stricter

The Children's Online Privacy Protection Act of 1998 (COPPA) sets out rules and regulations as to what information can be collected from children. COPPA applies to the online collection of personal information by persons or entities under U.S. jurisdiction from children under the age of 13 or if the site operates a general audience web site and has actual knowledge that it is collecting personal information from children. COPPA specifies what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children's privacy and safety online, including restrictions on marketing to children. To determine whether a web site is directed to children, the FTC considers several factors, including:

• The subject matter

• Visual or audio content;

• The age of models on the site;

• Language;

• Whether the advertising on the site is directed to children;

• Information regarding the age of the actual or intended audience; and

• Whether a site uses animated characters or other child-oriented features.

To determine whether an entity is an 'operator' with respect to information collected on a site, the FTC will consider:

• Who owns and controls the information;

• Who pays for the collection and maintenance of the information;

• What the pre-existing contractual relationships are in connection with the information; and

• What role the website plays in collecting or maintaining the information.

In December 2012, the FTC recommended several changes to COPPA which take effective July 1, 2013. These amendments include:

• Covering data collection by plug-ins, software downloads, or advertising networks integrated into websites (this closed a loophole for third parties);

• Requiring parental consent to include persistent identifiers (e.g., IP addresses, mobile devices) used for behavioral advertising and other tracking across web sites;

• Allowing persistent identifiers to be used without parental consent if the use is limited to supporting their own operations and not as a marketing tool;

• Treating geo-location information and any photo, video or audio file that includes a child's image or voice as personal information;

• Allowing child-directed sites and services to differentiate among users by age-screening, and to provide notice and obtain parental consent only for those self-identifying as under 13;

• Streamlining the notice requirements to ensure information about data collection and use practices is presented to parents in a succinct 'just-in-time' notice;

• Requiring 'reasonable steps' to ensure any release of a child's personal information is made only to service providers and third parties capable of maintaining its confidentiality, security, and integrity; and

• Regulating data retention and deletion.

Penalties are steep for violators - up to $16,000 per violation. There has been some indication that small companies who make a good faith effort to comply may be given a grace period; however that remains to be seen.    

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.