Connecticut Law Tribune
ALM Properties, Inc.
Page printed from: Connecticut Law Tribune

Back to Article

Select 'Print' in your browser menu to print this document.

FTC Updates COPPA for the Age of Social Media, Mobile Apps

Catherine Dunn

Corporate Counsel

2012-12-21 16:50:37.0


Just a week after the Federal Trade Commission released a harsh report on the state of mobile app privacy protections for children, the agency on Wednesday issued stricter rules under the Children’s Online Privacy Protection Act (COPPA).

The revisions update the 1998 law for the era of mobile technology, social media, and online data collection—creating new liability for the operators of websites and services that are directed to children under the age of 13.

The definition of “personally identifiable information”—which triggers parental consent requirements—is now broader, and operators are responsible for how third parties collect user data on their sites. The new rules come into effect July 1, 2013.

“The world of COPPA compliance has just gotten considerably bigger,” says Jim Halpert, a partner at DLA Piper who helped draft the 1998 law.

“The major thing the FTC was concerned about was different forms of tracking children online that didn’t involve collecting their names and addresses,” says Halpert.

Rather, the agency focused on the collection of information that can be used in behavioral advertising, or to track children across different websites, Halpert explains. Under the new definition, personally identifiable information includes photos, videos, geolocation, IP addresses, and device identifiers—and it can’t be collected without parental consent.

“Behavioral advertising is now out for those sites,” says Halpert. “They can no longer do behavioral advertising without verifiable parental consent.”

Another significant change makes operators liable for COPPA compliance of third parties on their sites. “A website operator is going to be held strictly liable for any service provider that is plugging into [its] site,” says Reed Smith partner John Feldman, who specializes in advertising regulation and consumer protection law.

In-house counsel should examine their company’s relationships with third parties, Feldman says, “because of the strict liability and the responsibility you have for the actions of others.”

He adds: “Your contracts are going to have to be carefully worded, and your due diligence is going to have to be done to understand what is collected.”

The regulations also warn companies against holding onto children’s data for longer than is necessary—which Linda Goldstein, a partner at Manatt, Phelps & Phillips, can see becoming an enforcement priority down the line.

“The FTC will undoubtedly take a hard look at their data-retention policies if they’re collecting data from kids” under 13, says Goldstein, who chairs the firm’s advertising, marketing, and media division.

The big picture for companies in this space is that “they need to take a look at what they’re collecting,” Goldstein says. “They need to take a much closer look at who they’re passing it on to, and they need to take a look at their data-retention policies.”

According to Halpert, the FTC enforces COPPA frequently, and there is some stigma attached to running afoul of those rules. “This is something that should be a compliance priority for companies,” Halpert says.

See also: “Too Many Apps are Collecting Kids' Data, Says FTC,” CorpCounsel, December 2012.