Silicon Valley Apps for Kids: COPPA
BASICS
Laura D. Berger
April 22, 2013
The views expressed herein are those of the speaker, and do not
represent the views of the Commission or any individual Commissioner.
1
Agenda
• FTC privacy law basics.
• Intro to FTC business education materials.
• Discussion of the Children’s Online
Privacy Protection Act, including existing
requirements and 2013 changes, which
will take effect on July 1, 2013.
2
FTC Jurisdiction
• FTC Act (Section 5) prohibits unfair or
deceptive acts and practices in or affecting
commerce
• FTC also enforces 45 other statutes and
more than 30 trade regulation rules

Privacy standards the FTC enforces include
Children’s Online Privacy Protection Act
(“COPPA”), as well as other laws, such as the
Gramm-Leach-Bliley Act and the Fair Credit
Reporting Act.
3
FTC Act (Section 5)
 Deception  a material representation or
omission that is likely to mislead consumers
acting reasonably under the circumstances
 Unfairness  practices that cause or are
likely to cause substantial injury to consumers
that are not outweighed by countervailing
benefits to consumers or competition and are
not reasonably avoidable by consumers.
 Note: Section 5 and COPPA violations often are alleged in tandem –
e.g., if you say you don’t collect information from kids under 13, but
you do.
4
FTC Advice for App Developers
5
• Tell the truth about what your app can do.
• Disclose key information clearly and
conspicuously.
• Build privacy considerations in from the start.
• Be transparent about your data practices.
• Offer easy to find and easy to use choices.
• Honor your privacy promises.
• Protect kids’ privacy.
• Collect sensitive information only with
consent.
• Keep user data secure.
6
Children’s Online Privacy
Protection Act (COPPA)
• COPPA is the only child-specific federal privacy law in the US.
• Goals are to:
– Permit parents to make informed choices about when and how
children’s personal information is collected, used, and disclosed
online; and
– Enable parents to monitor their children’s interactions and
help protect them from the risks of inappropriate online
disclosures.
• Among other things, operators of commercial websites and
online services must provide NOTICE and obtain parents’
CONSENT before collecting personal information from children
under age 13.
7
Overview of Changes to Rule
•
•
•
•
•
•
•
Definitions
Online and Direct Notices
Parental Consent Mechanisms
Confidentiality and Security of Children’s PI
Data Retention and Deletion
Safe Harbor Programs
New Voluntary Processes for FTC Approval
8
COPPA Enforcement
• FTC actively enforces COPPA.
• Agency has filed 21 federal court actions,
and has obtained over $8.4 million in civil
penalties.
9
Federal Court Orders
• FTC is authorized to seek up to
$16,000/violation in penalties, and may also
seek:
• Deletion of personal information collected
without parental consent;
• Employee education and written
acknowledgement;
• Written compliance report to FTC; and
• Consumer education.
10
Who must comply under current
Rule?
• Operators of commercial websites and online
services directed to children that collect,
maintain, or provide the opportunity to disclose
personal information or “PI.”
• Operators of general audience sites and
services (including teen/tween sites) with actual
knowledge that they collect kids’ PI.
• Entities on whose behalf operators collect the
information
11
Additional Operators as of July 1, 2013
• An operator of a child-directed site or service that
allows another person to collect PI directly from its
users, either: (1) as an agent or service provider,
OR (2) for the operator’s “benefit”, which applies
to child-directed sites/services that embed 3rd
party content collecting PII. (Under the Rule, the
Operator benefits from this collection, even if the
Operator does not access the PI itself).
• A site/service that has actual knowledge it is
collecting PII directly from users of a child-directed
site/service. (See revised def’n of “Website/Online
Service Directed to Children.”)
12
“Directed to Children”

Many factors: subject matter, visual content, age of models,
language, graphics, activities, or incentives; whether ads
promoting or appearing on the site or service are directed to
children; evidence re intended audience; empirical evidence
about audience composition.
• 2013 Changes: Sets forth criteria up front and – Adds music and celebrities appealing to children.
– Adds that a service collecting PI directly from users of a childdirected site is covered when it has “actual knowledge” it’s
collecting on a such a site.
– Allows a child-directed site/service that does not target U13
children as its primary audience to age-screen to provide
COPPA protections only to U13 children.
13
“Directed to Children”: Mobile Apps
14
General Audience Site/Service
• Must have actual knowledge that it has collected
PII from a child.
• “Actual knowledge” can come from asking a
child’s age, grade, birthday, other age-identifiers.
May also come from notification from a
concerned parent or other individual.
15
Personal information
2013 Definition:
• First and Last Name
•
• Physical address (including •
street name and city/town)
• E-mail address
• Social Security Number
• Telephone number
• A screen name revealing email
•
• A persistent identifier
combined with personal
information or “PI”
• Any information tied to PI •
Underlined items remain the same
Three items are virtually the same
• Online contact info is very
similar to email address.
• Geolocation info (sufficient to
identify street name and
city/town) – Commission
already said this was covered
under old rule.
• Screen/user names (that
function as online contact info)
Persistent Identifiers (e.g., IP
address, UDID, information stored
in a cookie, processor or device
serial numbers)
Photos, Videos, or audio files
containing a child’s image or voice
16
“Collects or Collection”
• Requesting, prompting, or encouraging that
children submit personal information online, even
when optional.
• Enabling children to make the information public,
e.g., in a chat room or profile.
• Passive tracking linked to personal information.
• 2013 Changes to definition:
– replace the “100% deletion standard” with a
“reasonable measures” standard:
• This enables operators to provide interactive communities for
children, without parental consent, so long as they take
reasonable measures to delete all or virtually all of a child’s
PI before it is made public.
17
What must Operators do under COPPA?
• Post a privacy policy and links to the policy
wherever personal information is collected.
• Give parents direct notice of information
practices.
• With certain exceptions, obtain verifiable
parental consent before collecting information.
And . . .
18
…Operators also must:
• Provide parents access and opportunity to delete child’s
personal information and opt-out of future collection.
• Limit collection of personal information.
• Establish and maintain reasonable procedures to protect
the confidentiality, security, and integrity of personal
information.
• 2013: Operators must (1) “take reasonable steps to
release [children’s PI] only to parties capable of
maintaining its security”; (2) retain PI only as long as
reasonably necessary to fulfill the purpose; (3) properly
delete PI by taking reasonable measures to protect
against unauthorized access to or use in connection with
deletion.
19
Notices (Revised)
• Improves the “direct notice” to:
• Ensure that key information is presented to parents in a
succinct “just-in-time” notice;
• Provide a clear roadmap for operators as to content of direct
notice depending upon its collection and use practices.
• Streamlines the privacy policy by requiring a simple
statement of:
• Who is collecting information – all operators at the
site/service
• What information collected and how used;
• That parent has control of the information.
Parental Consent
• Must be reasonably calculated, in light of available
technology, to ensure that person providing
CONSENT is the child’s parent (or legal guardian).
• The Rule provides a non-exhaustive list of approved
methods to satisfy this requirement.
• Can use another method, follow a safe harbor, or
seek Commission approval of additional methods.
Verifiable Parental Consent:
2013 Changes
• Add new methods:
– electronic scans of signed consent forms,
– video-conferencing, or
– use of government issued ID checked against a database and
deleted promptly thereafter,
– use of a debit card or other online payment system, if it provides
notification of each monetary transaction.
• Retains “Email Plus”
• Adds 2 new approval procedures:
– Commission approval – voluntary 120 day notice and
comment
– Safe Harbor approval – use of any method permitted by an
approved program.
22
New Exceptions to Consent
• (1) Where site/service collects parent’s online
contact info (but no other PI from child) to
keep the parent informed of a child’s
activities;
• (2) Where site/service collects persistent
identifier (but no other PI) for sole purpose of
providing “support for internal operations.”
• (3) Where a plug-in collects persistent
identifier on a child-directed site/service (but
no other PI) from a 13+ previously registered
user.
23
“Support for Internal Operations”
• Using persistent identifiers for these purposes does not
require notice and consent:
–
–
–
–
–
–
–
Maintain/analyze functioning of site/service
Perform network communications
Authenticate users/personalize content on site/service
Serve contextual ads, cap frequency of ads
Protect the integrity of the site/service
Ensure legal/regulatory compliance
Does not permit use for behavioral targeting or any
other purposes.
– Can seek Commission approval to add to the list.
(Will publish for comment and determine within 120
days).
24
Data Security: Review of Changes
Strengthens the Rule’s confidentiality, security, and
integrity provision by:
• Adding a requirement that operators take reasonable
steps to release children’s PI only to parties capable of
maintaining its security.
Adds a data retention and deletion provision to:
• Retain children’s PI for only as long as is reasonably
necessary to fulfill the purpose for which it was collected;
and,
• Properly delete PI by taking reasonable measures to
protect against unauthorized access to or use in
connection with its deletion.
Review: Voluntary Approval
Processes
• Parental consent methods: Request for Commission
approval of new mechanisms
• Support for internal operations of the website or
online service: Request for Commission approval to add
new activities to the definition of support for internal
operations
• All requests published for public comment
• Commission determination within 120 days of request
Self-Regulatory
Safe Harbor Programs under COPPA
• There are 5 approved safe harbors:
–
–
–
–
–
Aristotle, Inc. www.aristotle.com/integrity
CARU www.caru.org
ESRB www.esrb.org
Privo, Inc. www.privo.com
TRUSTe www.truste.com
• An operator participating in and complying with
an FTC-approved safe harbor will be deemed to
be in compliance with the Rule.
27
Review: Other Changes
• Strengthens COPPA Safe Harbors
• Improves the “direct notice” to parents to:
– Ensure that key info is presented in a
succinct, “just-in-time” notice;
– Provide a clear roadmap for operators as to
content of direct notice depending on its
collection and use practices.
• Streamlines the privacy policy
28
FTC Resources for businesses
29
• Questions?
30