Most advertisers, ad networks, and agencies are familiar with the Children’s Online Privacy Protection Act, or “COPPA” (pronounced cop-uh). COPPA has been in effect since 2000 and generally requires parental consent before websites or online services can knowingly collect personal information from users under the age of 13.
COPPA has been in the news often recently. There have been several unpleasant outcomes for companies, like Path, that violated COPPA, and the FTC has made clear that COPPA enforcement continues to be a top priority. For the most part, though, the online advertising industry has escaped largely unscathed.
On July 1, 2013, however, COPPA will see its biggest changes in over a decade. The FTC has issued expansive new rules that broaden COPPA’s scope and update its parental notice requirements. The new rules specifically take aim at “plug ins” and ad networks. Consequently, it’s time for online advertisers and publishers to review their privacy policies and practices.
So what should you do? We’ll get to that. But first, here’s the current rule (emphasis added by me):
“It shall be unlawful for any operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting or maintaining personal information from a child, to collect personal information from a child in a manner that violates the regulations…”
There are a couple of key points here. First, under the current rule an “operator” is any commercial website or online service that collects personal information from its users or visitors. Web sites that integrate with ad networks and plug-ins do not clearly fall within this definition.
Secondly, under the current rule, IP addresses and geolocation data are not considered personal information. And cookies or device IDs are only personal information when combined with other identifiable information.
What is changing?
The new COPPA rules introduce several changes, including:
Expanded liability for “plug-ins” and ad networks: “Plug ins” and ad networks are now subject to COPPA liability if they have actual knowledge they are collecting information from a child-directed site without parental consent
Previously, plug-ins and ad networks were not clearly subject to direct liability.
The key exception? “Actual knowledge” is determined on a case-by-case basis, but is likely only established if a key member of the advertising company knows they are collecting information from children without parental consent.
Expansion of the term “persistent identifiers” and “personal information”: The new definition of “persistent identifiers” includes anything that can be used to track individual users “over time and across different websites.” IP addresses, geolocation data, device identifiers, and cookies could all fall within this definition.
Previously, persistent identifiers like cookies were only considered personal information when they were combined with other identifying information.
The key exception? The parental notice and consent requirements don’t kick in if the identifier is used solely to support the “internal operations” of the site or service, which includes delivery of contextual ads, frequency capping, anti-fraud measures, compliance efforts, and authenticating users or personalizing content. And companies can still respond to a specific request from a child as long as the personal data is deleted once the request has been fulfilled.
Expanded liability for operators of child-directed sites: Child-directed sites or services that use third party “plug-ins” or ad networks to collect personal information are now considered operators and strictly liable for COPPA violations.
Previously, web sites may have been able to work around the collection rules by using a third party service.
The key exception? Third party services can still be used to support “internal operations” (see above).
Cookieless tracking is now explicitly covered: The definition of “collects or collections” now includes all forms of passive tracking, irrespective of the technology used.
Previously, only cookie tracking was specifically included in the definition.
The key exception? This doesn’t really change the current rule; it just clarifies its scope.
What does this mean for advertisers?
If your company (1) isn’t serving ads on sites directed at children and (2) doesn’t have “actual” knowledge that it is collecting information from children, then these changes shouldn’t have much of an impact on your business.
If, however, your company (1) serves ads on sites directed at children, or (2) is aware that it is collecting information about children, you will likely need to reevaluate your privacy practices.
What can advertisers do?
There is a lot you can do and still remain COPPA compliant. First and foremost, look at the exceptions I’ve outlined above. Here are a few things to keep in mind.
- Contextual advertising is still okay! Behavioral advertising that tracks particular users over time is not allowed without parental consent, but contextual advertising based on content is still legal.
- The use of persistent identifiers is fine so long as they are used solely for internal operations (including the delivery of contextual ads). Just don’t track kids across different web sites without parental consent.
- You can still collect information from children if you give parents notice and receive their consent. In fact, the amendments actually offer new ways to streamline the process, including (a) electronic scans of signed parental consent forms, (b) videoconferencing, (c) use of government-issued ID, and (d) alternative payment systems.
- Bottom line: The FTC does not want to put you out of business. The new rules are loaded with meaningful exceptions. When you really dig deep, you’ll find these rules aren’t vastly different than the current COPPA regulations. Even still, it’s a great opportunity to review your current practices to ensure compliance and add value to your company.
Disclaimer: This should not be construed as legal advice. This article may contain inaccuracies and should not be relied on. If you have questions about your potential liability under COPPA you should contact your lawyer.
cc image via aperturismo