1. The information gathered from children under 13 needs to be scrutinized.
2. The methods employed for data collection need to be reviewed.
3. The purposes for which the collected data is used need to be evaluated.
4. The necessity of the information for the company’s website, mobile app, or online service activities should be considered.
5. The effectiveness of mechanisms for notifying parents and obtaining verifiable consent should be assessed.
6. Adequate procedures for parents to review and delete their children’s information should be made available.
7. Robust data security, retention, and deletion practices should be implemented.

– The Proposed Rule clarifies that mixed audience sites are prohibited from gathering, utilizing, or revealing user information without verified parental consent, unless they employ reasonable means to determine if a user is a child.
– The target audience of an online service will be determined by looking at marketing materials, representations to consumers or third parties, reviews by users or third parties, and the age of users on similar websites or services. The FTC was already using these materials to determine if a website or online service is directed to children.
– Companies must obtain separate verifiable parental consent for disclosures of a child’s personal information for targeted advertising to third parties under the Proposed Rule. Parents would have the option to refuse the disclosure of the child’s personal information to a third party.

1. Knowledge-based authentication is now considered a valid method for obtaining verifiable parental consent under COPPA, as long as the questions are difficult enough that a child under 12 cannot reasonably answer them.
2. Instead of directly notifying parents, the proposed rule expands COPPA’s direct notice requirement to include notifying a child’s school, if applicable. This is mainly for educational technology service providers who rely on schools to obtain consent from parents for collecting students’ personal information.
3. During the pandemic, the FTC informally adopted an exception regarding parental consent for educational technology. This exception allows operators to obtain consent from schools instead of parents under specific circumstances, with certain requirements and limitations in place.

1. The operator must have a written agreement with the school that limits the use and disclosure of personal information to authorized education purposes only.
2. The FTC has expanded the definition of “personal information” to include geolocation information, photos, videos, audio files containing a child’s image or voice, and biometric identifiers.
3. The Proposed Rule seeks to define a “School” as any institution providing elementary or secondary education.
4. The Proposed Rule would add the term “School-Authorized Education Purpose” for any school-authorized use related to a child’s education.
5. Companies with robust security programs are unlikely to discern a significant difference in the security requirements outlined in the Proposed Rule.
6. Operators must establish a written children’s personal information security program and perform annual assessments to identify and control risks to the confidentiality and security of the information.

– The operator must have a written children’s data retention policy that outlines the purposes for collecting children’s personal information and sets a timeframe for deleting such information.
– The internal operations exception under COPPA has been narrowed, requiring operators to provide public notice and guarantee that persistent identifiers are only used for internal website operations.
– If operators expect to contact children more than once, they must use the “multiple contact” exception, and are prohibited from using online contact information and persistent identifiers to send push notifications to children to encourage them to use their service more.
– The public has 60 days to submit comments on the proposed changes to the COPPA Rule after the notice is published in the Federal Register.
https://ktslaw.com/en/insights/alert/2024/1/complying%20with%20the%20childrens%20online%20privacy%20protection%20rule