The Children’s Online Privacy Protection Act (COPPA) requires verifiable parental consent before a website can collect and use personal information from kids 12 and under. That is a worthy goal, but recent rule changes by the Federal Trade Commission have produced caution, commotion, unintended consequences and, in some cases, outright panic among site operators. Why the fuss? The FTC’s updates to the COPPA rule effectively expand the reach of the law and broaden the types of personal information that must be protected. Child-oriented businesses are now taking a harder look at how they implement their privacy and data-sharing policies in order to comply. Yet even though the rules may have some chilling effects, once understood, the new regulations can actually provide unique opportunities for businesses.
From COPPA 1.0 to 2.0
Enacted by Congress in 1998, the original COPPA law (COPPA 1.0) gave the Federal Trade Commission (FTC) rule-making and enforcement powers. At the time, Congress was responding to parental concerns over the new powers of digital brands to market to pre-teens: online companies were collecting personal information from children, tracking their online behaviors and ultimately tailoring more personalized campaigns to them.
To keep pace with technology and evolving business practices, the FTC has over the years been tweaking the COPPA regulations. Of course, this is what regulators do for a living.
Think about how different the world is from 1998. At that time, the only person most people knew with a cell phone was Saved by the Bell’s Zack Morris, and computers were, well, large electronic objects found mostly in family living rooms. The changes in hardware technology over the last 15 years were beyond even Zack’s dreams, and have spawned a new socially connected, “always on” generation.
How about this for a data point? 75% of kids under 8 have daily access to the internet through mobile devices.
All of these factors finally forced the FTC’s hand: in September 2011 it began work on a major update to the original COPPA rule to reflect the new online realities. The amended rule was announced in December 2012 and took effect this past July; let’s call it COPPA 2.0.
Though many of the details in COPPA 2.0 are expansions of the original law, a few updates will have major ramifications for website operators. The two I’ll focus on are the expanded COPPA exposure for third-party services such as social plugins and ad networks, and some consequences of the broader definition of personally identifiable information (PII).
I’ll get to the nitty-gritty details of PII and what they mean for online data security in the next post. For now, I’ll take up the somewhat confusing matter of who falls under the 2.0 regulations. As befits federal rules, it’s complicated.
Is your business affected?
As you look to understand COPPA 2.0, the first thing your business needs to do is determine whether you’re covered by the regulations at all. There are three main questions to ask yourself:
1. Does your business have actual knowledge that your website is collecting information from children under 13?
Regardless of whether your site is considered ‘general audience’ or not, if you have actual knowledge that even one child under 13 has handed you personal information (through a registration form, say), you are subject to COPPA for that data.
2. Is your site considered “kids interest”?
Do you feature kid celebrities, cartoons, or other visual images or signals that indicate kids are the primary demographic of your site? This has been a tough definition to write into the regulations, since the possibilities are endless, so the FTC has effectively taken a ‘you know it when you see it’ stand: the rule lists factors to be weighed as a whole (subject matter, visual content, use of animated characters or child-oriented activities and incentives, music, age of models, child celebrities or celebrities who appeal to children, language, advertising) rather than a bright-line test. Because the definition is so nebulous, you’ll need to think long and hard about your content, products and experiences; it can even extend to animated online and mobile games.
3. Are you a third-party service (ad network, plugin, data tracking), and are you collecting information from a site that is directed to kids under 13?
This third point is one of the newest and most important updates in COPPA 2.0. As any software developer will tell you, the Internet is extremely modular and supports web APIs and plugins for adding features and services to existing products. Like a child’s Lego building blocks, ad serving networks (both behavioral and contextual), data tracking, and social plugins can be connected together to create new digital experiences for kids’ sites.
COPPA 2.0 essentially says that if you operate one of these third-party services and have actual knowledge that you are collecting personal information through a child-directed site (or directly from a known 12-and-under user on any site), that collection is now subject to COPPA compliance. This applies even when your own service is aimed at general audiences: you interface with a site that has a child user, you have, so to speak, COPPA cooties. This point has been one of the most contested, as it greatly expands the reach of COPPA.
Who’s really liable?
It is also extremely important to understand that if you are the primary operator of a kids-directed site, you are responsible for the COPPA compliance of every plugin in your product. For example, if you have a kids’ game but rely on an outside data-tracking provider and ad network, the children are still effectively under your care while they use your product.
Therefore, you must ensure that these third parties are COPPA compliant and are not improperly collecting and storing PII (which, under the amended rule, includes persistent identifiers such as cookies and device IDs). In practice that means inventorying every script, SDK and ad tag your pages load, and getting each provider to confirm in writing what it collects from your users and how long it keeps it. Bottom line: even if your own site is locked down and meets COPPA 2.0 requirements, you can be held liable and penalized by the FTC for having just one non-compliant plugin!
COPPA 2.0 has unquestionably raised the bar on data privacy protections for children, and in the process has created some controversies. In my opinion, another way to view COPPA 2.0 is not so much as a burden but as a chance to make security and privacy an important element of the overall experience. I’ll expand on this idea in Part II.
Originally posted on the Varonis Blog on Jan 8, 2014 by Dan