FTC introduces changes to Children's Online Privacy Protection Act, parental permission now required to collect information

Guest Contributor

Updated Wed, Dec 19, 2012, 1:03 PM·9 min read

The Children's Online Privacy Protection Act (or COPPA) was first introduced back in 1998, but you don't have to look very far to realize the internet has changed quite a bit since then. Today, the FTC is attempting to address some of those changes by introducing the first major revision to the act. Among the biggest changes is that operators of websites or online services will now have to seek permission directly from parents in order to collect information from anyone under the age of 13 when they have "actual knowledge that they are collecting personal information through a child-directed website or online service."

In another change related to that, the FTC has also clarified that "personal information" now includes geolocation data in addition to photos and videos, and it says it has closed a loophole that allowed apps and websites to collection information through plug-ins. The agency will not, however, hold companies like Apple and Google liable for apps from other companies which attempt to collection information from children, and it will permit "contextual advertising" to children without the need for parental consent. You can find the FTC's full announcement of the changes after the break.

Show full PR text

FTC Strengthens Kids' Privacy, Gives Parents Greater Control Over Their Information By Amending Children's Online Privacy Protection Rule
Rule Being Modified to Keep Up with Changing Technology
The Federal Trade Commission adopted final amendments to the Children's Online Privacy Protection Rule that strengthen kids' privacy protections and give parents greater control over the personal information that websites and online services may collect from children under 13.

The FTC initiated a review in 2010 to ensure that the COPPA Rule keeps up with evolving technology and changes in the way children use and access the Internet, including the increased use of mobile devices and social networking. The updates to the COPPA Rule reflect careful consideration of the entire record of the rulemaking, which included a public roundtable and several rounds of public comments sought by the agency.

"The Commission takes seriously its mandate to protect children's online privacy in this ever-changing technological landscape," said FTC Chairman Jon Leibowitz. "I am confident that the amendments to the COPPA Rule strike the right balance between protecting innovation that will provide rich and engaging content for children, and ensuring that parents are informed and involved in their children's online activities."

The final amendments:

modify the list of "personal information" that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children's personal information only to companies that are capable of keeping it secure and confidential;
require that covered website operators adopt reasonable procedures for data retention and deletion; and
strengthen the FTC's oversight of self-regulatory safe harbor programs.
The COPPA Rule was mandated when Congress passed the Children's Online Privacy Protection Act of 1998. It requires that operators of websites or online services that are either directed to children under 13 or have actual knowledge that they are collecting personal information from children under 13 give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information, and keep secure the information they collect from children. It also prohibits them from conditioning children's participation in activities on the collection of more personal information than is reasonably necessary for them to participate. The Rule contains a "safe harbor" provision that allows industry groups or others to seek FTC approval of self-regulatory guidelines.

Definitions

The Final Rule includes these modified definitions:

The definition of an operator has been updated to make clear that the Rule covers a child-directed site or service that integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors. This definition does not extend liability to platforms, such as Google Play or the App Store, when such platforms merely offer the public access to child-directed apps.
The definition of a website or online service directed to children is expanded to include plug-ins or ad networks that have actual knowledge that they are collecting personal information through a child-directed website or online service. In addition, in contrast to sites and services whose primary target audience is children, and who must presume all users are children, sites and services that target children only as a secondary audience or to a lesser degree may differentiate among users, and will be required to provide notice and obtain parental consent only for those users who identify themselves as being younger than 13.
The definition of personal information now also includes geolocation information, as well as photos, videos, and audio files that contain a child's image or voice.
The definition of personal information requiring parental notice and consent before collection now includes "persistent identifiers" that can be used to recognize users over time and across different websites or online services. However, no parental notice and consent is required when an operator collects a persistent identifier for the sole purpose of supporting the website or online service's internal operations, such as contextual advertising, frequency capping, legal compliance, site analysis, and network communications. Without parental consent, such information may never be used or disclosed to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, or for any other purpose. The final amended Rule also adds a process allowing industry to seek formal approval to add permitted activities to the definition of support for internal operations.
The definition of collection of personal information has been changed so that operators may allow children to participate in interactive communities without parental consent, so long as the operators take reasonable measures to delete all or virtually all children's personal information before it is made public.
Parental Notice
The amended Final Rule revises the parental notice provisions to help ensure that operators' privacy policies, and the direct notices they must give parents before collecting children's personal information, are concise and timely.

Parental Consent Mechanisms
The amendments add several new methods that operators can use to obtain verifiable parental consent: electronic scans of signed parental consent forms; video-conferencing; use of government-issued identification; and alternative payment systems, such as debit cards and electronic payment systems, provided they meet certain criteria.

The FTC considered numerous comments on the "sliding-scale mechanism of parental consent," otherwise known as "email plus." Under this method, operators that collect children's personal information for internal use only may obtain verifiable parental consent with an e-mail from the parent, as long as the operator confirms consent by sending a delayed e-mail confirmation to the parent, or calling or sending a letter to the parent. After considering the comments on "email plus," the FTC concluded that it remains a valued and cost-effective consent mechanism for certain operators. The Final Rule retains email plus as an acceptable consent method for operators that collect personal information only for internal use.

To encourage the development of new consent methods, the Commission establishes a voluntary 120-day notice and comment process so parties can seek approval of a particular consent method. Operators participating in a Commission-approved safe-harbor program may use any consent method approved by the program.

Confidentiality and Security Requirements

The amended Final Rule requires operators to take reasonable steps to make sure that children's personal information is released only to service providers and third parties that are capable of maintaining the confidentiality, security, and integrity of such information, and who assure that they will do so. The Rule also requires operators to retain children's personal information for only as long as is reasonably necessary, and to protect against unauthorized access or use while the information is being disposed of.

Safe Harbors

The FTC seeks to strengthen its oversight of the approved self-regulatory "safe harbor programs" by requiring them to audit their members and report annually to the Commission the aggregated results of those audits.

The Commission vote to issue the amended Final Rule was 3-1-1, with Commissioner J. Thomas Rosch abstaining. Commissioner Maureen Ohlhausen voted no and issued a dissenting statement on the ground that she believes a core provision of the amendments exceeds the scope of the authority granted by Congress in COPPA. She stated that, regardless of policy justifications, she cannot support extending COPPA's statutory definition of "operator" to impose obligations on websites or online services that do not collect personal information from children or have access to or control of such information collected by a third-party.

The final amended Rule will be published in a notice in the Federal Register. The amendments to the Final Rule will go into effect on July 1, 2013.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC's online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC's website provides free information on a variety of consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.

Engadget
Ryan Gosling and Miller/Lord’s Project Hail Mary could be the sci-fi event of 2026
Amazon MGM just set a March 20, 2026 release date for Project Hail Mary, an adaptation of the Andy Weir novel. The film stars Ryan Gosling and is directed by Phil Lord and Christopher Miller.
12m ago
Engadget
Some of our favorite Anker power banks are up to 30 percent off, plus the rest of this week's best tech deals
Engadget's weekly deals roundup includes sales on Sonos, Apple, iRobot, Google Nest and more.
2h ago
Engadget
Automate your vacuuming and mopping with $400 off the Roomba Combo J9+
If you’re looking to automate more of your home cleaning setup, iRobot’s flagship Roomba Combo J9+ is on sale for $400 off. The vacuum-mop hybrid robot, which only arrived last fall, has a redesigned dock that automatically empties debris and refills the device’s mopping liquid.
5h ago
Engadget
Tesla is recalling Cybertrucks because their accelerator pedals could get stuck
Tesla has issued a recall for around 3,878 Cybertruck vehicles, a National Highway Traffic Safety Administration notice has revealed.
5h ago
Engadget
Engadget Podcast: PlayStation 5 Pro rumors and a look back at the Playdate
This week, Engadget Senior Editor Jessica Conditt joins Cherlynn and Devindra to chat about the PS5 Pro, as well as her piece on the PlayDate two years after its release.
6h ago
Engadget
The Morning After: The bill to ban TikTok is barreling ahead.
The biggest news stories this morning include US vs China in the form of TikTok vs WhatsApp, and did you know Taylor Swift has a new album out?
7h ago
Engadget
Fallout has already scored a green light for a second season
Amazon has renewed the hit show for a second season.
7h ago
Engadget
Baldur's Gate 3 developer confirms it won't make the sequel
The developer behind the popular, award-winning and slightly bawdy Baldur's Gate 3 may not be doing a sequel, but it does have other irons in the fire.
9h ago
Engadget
The best PS5 games for 2024: Top PlayStation titles to play right now
Here are the best games you can get for the PlayStation 5 right now, as chosen by Engadget editors.
7 months ago
Engadget
The 6 best Mint alternatives to replace the budgeting app that shut down
Intuit has shut down the popular budgeting app Mint. Engadget tested a bunch of popular alternatives. Here are our favorites.
4 months ago
Engadget
Apple says it was ordered to remove WhatsApp and Threads from China App Store
China's Cyberspace Administration ordered Apple to pull Threads and WhatsApp from its App Store in the country, the company said.
12h ago
Engadget
Surprise: Taylor Swift is joining Threads at the exact same time as her new album drop
Taylor's Threads account, and her first post, are going live around midnight.
14h ago
Engadget
The bill that could ban TikTok is barreling ahead
The bill that could lead to a ban of TikTok in the United States appears to be much closer to becoming law.
19h ago
Engadget
Netflix is done telling us how many people use Netflix
Although subscriber metrics are an important signal to Wall Street that show how quickly a company is growing, Netflix isn't the first company to do this.
20h ago
Engadget
Blizzard takes aim at Overwatch 2 console cheaters
Blizzard is targeting Overwatch 2 cheaters who use a keyboard and mouse on consoles to gain an advantage over controller users.
21h ago
Engadget
It took 20 years for Children of the Sun to become an overnight success
Though it feels like Children of the Sun popped into existence over the span of two months, it took Rother a lifetime to get here.
22h ago
Engadget
Quicken Simplifi subscriptions are half off through April 21
Quicken Simplifi subscriptions are half off through April 21. This brings the price down to $2 per month, which is billed annually at $24.
23h ago
Engadget
Meta gives the Quest 2 its second permanent price cut in four months
Meta has given the base Quest 2 a permanent price cut for the second time this year. A headset with 128GB of storage is now $199.
23h ago
Engadget
The HD Chromecast with Google TV is on sale for only $20
If you watch movies and TV on a 1080p screen, the Chromecast with Google TV (HD) provides a rock-solid streaming experience on the cheap. Today, Amazon has it for $10 off, letting you pick up the HDR10-capable streaming stick for only $20.
1d ago
Engadget
Razer's Kishi Ultra gaming controller works with damn near everything, including some foldables
Razer just released the Kishi Ultra mobile gaming controller. It works with some foldable phones, in addition to Android devices, iPhones and iPads.
1d ago

FTC introduces changes to Children's Online Privacy Protection Act, parental permission now required to collect information

Latest Stories

Ryan Gosling and Miller/Lord’s Project Hail Mary could be the sci-fi event of 2026

Some of our favorite Anker power banks are up to 30 percent off, plus the rest of this week's best tech deals

Automate your vacuuming and mopping with $400 off the Roomba Combo J9+

Tesla is recalling Cybertrucks because their accelerator pedals could get stuck

Engadget Podcast: PlayStation 5 Pro rumors and a look back at the Playdate

The Morning After: The bill to ban TikTok is barreling ahead.

Fallout has already scored a green light for a second season

Baldur's Gate 3 developer confirms it won't make the sequel

The best PS5 games for 2024: Top PlayStation titles to play right now

The 6 best Mint alternatives to replace the budgeting app that shut down

Apple says it was ordered to remove WhatsApp and Threads from China App Store

Surprise: Taylor Swift is joining Threads at the exact same time as her new album drop

The bill that could ban TikTok is barreling ahead

Netflix is done telling us how many people use Netflix

Blizzard takes aim at Overwatch 2 console cheaters

It took 20 years for Children of the Sun to become an overnight success

Quicken Simplifi subscriptions are half off through April 21

Meta gives the Quest 2 its second permanent price cut in four months

The HD Chromecast with Google TV is on sale for only $20

Razer's Kishi Ultra gaming controller works with damn near everything, including some foldables

About

Sections

Contribute

Buying Guides