Anyone who owns or operates a website is probably already familiar with COPPA, the Children's Online Privacy Protection Act, and, consequently, COPPA's regulations. This law, passed in 1998, requires that the operators of websites used by children under the age of 13 take precautionary measures to ensure the privacy of those children. After 15 years of existence, the Federal Trade Commission (FTC) recently announced new COPPA compliance rules that will go into effect beginning July 1, 2013.
If a website was not previously subjected to COPPA under the old rules, its managers will need to take another look at their site to determine whether the new rules bring it into scope.
These rule changes may affect websites in two ways. First, if a website was not subject to COPPA under the old rules, its owners and administrators should take another look to determine whether the new rules pull it into scope. Second, if a website was already subject to COPPA, it may have new compliance obligations. In this tip, we'll take a look at both of these scenarios.
Which websites are subject to COPPA?
The prior version of COPPA defined its scope in a rather straightforward manner. According to the Code of Federal Regulations, COPPA applied to "any operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting or maintaining personal information from a child."
Under the new regulations, this definition is clarified in a way that may bring sites that previously thought they were exempt under the COPPA umbrella. The new definition includes websites that fall into at least one of three categories:
- Websites that collect age information from users and allow the registration of users under the age of 13; this regulation existed in the original COPPA.
- Websites that contain content that appeals to children. This language also existed under the old rule, but it has been expanded to include three new categories of content
- Musical content
- Content about child celebrities
- Content about celebrities who appeal to children
- Websites where a third party (such as an advertising network or plug-in network) collects information from children on behalf of the website operator. Basically, this means that COPPA can't be avoided by outsourcing data collection, even if data is never seen.
There is a safe harbor available to websites that are in a gray area here. If a website does collect age information from users and refuses registrations from users who identify as being under the age of 13, it is not subject to COPPA.
COPPA's privacy requirements
From the editor: COPPA and privacy laws in the news
Data privacy complaints filed against Amazon, eBay
Sony Music settles online child privacy case for $1 million
Those subject to COPPA must continue to meet earlier obligations by including a privacy notice on the site, obtaining parental consent, allowing parental access to information, and maintaining the confidentiality, integrity and security of any personal information collected from children.
The new COPPA regulations introduce several new requirements and clarifications to existing requirements that COPPA-governed websites must follow. Some issues of note include:
- The regulations now cover several new categories of information, including IP addresses, mobile device IDs, geolocation information, photographs and videos.
- Website operators must take reasonable steps to ensure that they only release personal information about children to firms that are able to maintain the security of that information.
- Operators must only retain personal information for "as long as is reasonably necessary to fulfill the purpose for which the information was collected" and must delete the information in a secure manner when it is no longer needed.
- The list of approved methods of obtaining parental consent is now expanded to include videoconferencing and validating a parent's government-issued identification.
The bottom line
Those who own or operate a website that fits under the revised COPPA scope must be sure to assess their compliance obligations under the new rules. Many will need to review and update their privacy controls for the first time. The requirements of COPPA affect different audiences than other privacy regulations (such as HIPAA and GLBA) and require new controls that specifically address the privacy of children. As SpongeBob Square Pants recently learned, the FTC is serious about enforcing these child privacy regulations. While it may not be widely known today, COPPA is an important compliance mandate that enterprise compliance managers should begin work on immediately.
About the author
Mike Chapple, Ph. D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He is a technical editor for Information Securitymagazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.