Federal Trade Commission (FTC) Chairman Jon Leibowitz and Senate Commerce Committee Chairman John D. (Jay) Rockefeller IV announced the FTC’s long-awaited amended COPPA Rule at a press conference earlier today.

In prior blog postings, we have noted that this seems to be the year of the mobile application. The FTC’s new COPPA rule continues with this theme. Although the COPPA rule extends beyond mobile apps, among other provisions, the FTC made clear that its COPPA rule indeed applies to mobile app providers, erasing any argument or doubt that these entities are somehow excluded from COPPA’s reach. The new Rule makes clear that mobile app providers must provide notice and obtain parental consent prior to collecting any personal information (PI) from children. However, the FTC noted that the Rule does not apply to operators of online app stores, such as Apple’s App Store or Google Play, which it says “merely offer the public access to child-directed apps.”

The new Rule takes effect July 31, 2013. Highlights of the Rule changes include:

  • Revisions to clarify that third-party plugins must comply with COPPA when they collect any PI on a website if the third-party has actual knowledge of the child-directed nature of the site from which they collect PI or if they if they have actual knowledge that a user is under the age of 13.  Also extends liability to website operators and mobile apps for the collection of PI by third-party plug ins and ad networks through the operator’s site or app.  According to Chairman Leibowitz, these changes closed a loophole that allowed plug-ins to collect information on a website that the website operator itself would not be able to collect. The Rule also requires websites that target children as a secondary audience to obtain parental consent prior to collecting data if a user self-identifies his or herself as being under the age of 13.
  • Adds a new data retention and deletion requirement. Data retention should only be for “as long as is reasonably necessary.”
  • Adds a requirement that operators only disclose PI to third parties or service providers who have provided assurances – i.e., contractually – that they will maintain the confidentiality, security and integrity of the PI.
  • Expands the list of personal information (PI) to clarify that the term includes persistent identifiers such as IP address and mobile device identifiers, as well as geolocation info (where it is sufficient to identify street name and name of a city or town even without also identifying a house number), photographs and video files because of the metadata that can be used by those that would cause harm to children.
  • Expands the parental consent mechanisms that are expressly recognized (now includes videoconference consent), provides for a streamlined approval process for new consent, and retains the email plus verification method for collection of PI solely for internal uses.

In addition, no notice or parental consent will be required if a website collects persistent identifiers (and no other PI) “for the sole purpose of supporting the website or online service’s internal operations, such as contextual advertising, frequency capping, legal compliance, site analysis, and network communications.” This carve out permits operators to serve contextual ads on their site and apps, without notice and prior parental consent.