July 29, 2013

Resources for Learning about COPPA's (Children's Online Privacy Protection Act) New Rules

Discussing COPPA (Children's Online Privacy Protection Act) and how the new rules affect your school?

Here are some resources to examine:

1. A transcribed video from the Federal Trade Commission (FTC) explaining the new changes.
2. QuickList of links from the FTC's website.
3. Google's official page about COPPA, for GAFE (Google Apps for Education) schools.

Protecting Children's Privacy under COPPA, July 2, 2013

Transcript of the video:

CRISTINA:
When it comes to information that companies collect online from kids under 13, parents should be in control.  That’s the thinking behind the Children’s Online Privacy Protection Act and the COPPA Rule.  The Rule has been in place for years, but the Federal Trade Commission, the nation’s consumer protection agency, has revised COPPA to keep pace with technology.

If your company has been complying with COPPA, the basics still apply. You still have to give notice to parents and get their verifiable consent before you collect, use, or disclose personal information from children under 13.  You still have to keep kids’ information secure.  And the revised COPPA Rule retains safe harbor provisions so that groups can submit programs for FTC approval.  But five key changes to COPPA take effect July 1, 2013.  Here’s what your business needs to know.

PEDER:
I’m Peder Magee, an attorney with the FTC.  So what’s new about COPPA?  The first important change is that the FTC has revised some definitions to expand who’s covered by COPPA – and the kinds of information that require companies to comply with the Rule.

The Rule has always applied if you operate a website, an online service, or an app directed to children under 13.  It also applies if you have a site, a service, or an app directed to a general audience, and you have actual knowledge that you’re collecting personal information online from kids in that under-13 age group.
Revisions to the Rule make it clear that COPPA also covers an operator of a child-directed site or service where it allows outside services — like plug-ins or advertising networks — to collect personal information from visitors.  In addition, if a plug-in or ad network has actual knowledge that it’s collecting personal information through a child-directed site or service, the plug-in or ad network is covered by COPPA, too.
The upshot:  The Rule applies to companies that may be new to COPPA compliance.

The FTC also has revised the definition of the types of information COPPA covers.  The Rule has always applied if companies collect certain kinds of personal information from kids under 13 – like their first and last name, a home address, a phone number, an email address, online contact information, or a screen or user name that functions as online contact information.

But the FTC has clarified that definition.  The COPPA Rule covers geolocation information that can identify a street name and the city or town.  And we’ve expanded the Rule to include photos, videos, and audio files that contain a kid’s image or voice as well.

Something else covered under the revised COPPA Rule:  persistent identifiers that can be used to recognize a user over time and across different sites or online services.  But there’s a notable exception here:  COPPA’s parental notice and consent requirements don’t apply if the identifier is used just to support your site’s internal operations.  Take a look at the Rule for more about the meaning of “internal operations” in this context.

Another change to COPPA relates to what operators need to tell parents.  It’s still the law that you have to notify parents directly and get their verifiable consent before collecting personal information online from their kids.  But now you need to put certain key pieces of information up front within the notice you send.  You’ll want to read the Rule for the specifics, but the big picture is that it’s not enough just to give parents a link to something on your site and expect them to figure things out for themselves.  This change will make it easier for parents to get the important details they need, when they need them.  The Rule also streamlines what you have to include in your online privacy policy about your information practices.

The third change involves new ways to get the parental consent COPPA requires.  In addition to the methods already in the Rule – including FTC-approved safe harbor programs – COPPA now gives businesses more ways to get a parent’s OK.  For example, electronic scans of signed consent forms, videoconferencing, the use of government-issued IDs, and alternative payment systems (assuming they meet the same stringent criteria as credit cards).  The sliding scale mechanism of parental consent — often called “email plus” — is still an acceptable method for operators that collect personal information just for their own internal use.  Technology changes quickly, so to encourage innovation in this area, the revised Rule sets up a voluntary process for businesses to get FTC approval for other methods of parental consent.

The fourth change strengthens provisions for keeping kids' information confidential and secure.  Under the revised Rule, operators must take reasonable steps to make sure that before releasing information to service providers or other third parties, those companies are capable of maintaining the confidentiality, security, and integrity of the information.  It’s not enough if they just talk the talk.  You also need to get assurances they’ll follow through.  Under COPPA, you can retain kids’ personal information only as long as it’s reasonably necessary.  And when you dispose of it, you have to take reasonable steps to protect against unauthorized access.

The fifth change to COPPA deals with additional monitoring of self-regulatory safe harbors.  The new Rule strengthens the FTC's oversight of safe harbor programs.  It requires them to audit members and report the combined results of those audits to the FTC every year.

CRISTINA:
That’s just a brief recap of changes to COPPA.  For compliance resources, visit the Children’s Privacy page on the FTC Business Center at business dot ftc dot gov.  For more how-to guidance, read the Children’s Online Privacy Protection Rule: What Your Business Needs to Know and Complying with COPPA:  Frequently Asked Questions.  Have a question that’s not answered there?  Send us an email at CoppaHotLine at ftc dot gov.

Check out:

From the FTC

Revised Children's Online Privacy Protection Rule Goes Into Effect Today (July 1, 2013)

The actual COPPA rule

Frequently Asked Questions

Guide for Parents: Protecting Your Child's Privacy Online

COPPA and Schools

Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business

From Google

Complying with the Children's Online Privacy Act (COPPA) for Google Apps for Education (GAFE) schools, from Google.


◊ ◊ ◊ ◊ ◊

Got any other resources to include? Please include them in the comments below.


(◕‿◕ )