FTC proposes update to children’s online privacy rules

The Federal Trade Commission (FTC) has proposed an updated set of online privacy rules to address the use of new technologies — including mobile technologies – by children under the age of 13.  The original rules, issued in 2000 to implement requirements of the Children’s Online Privacy Protection Act (COPPA), require operators of commercial websites and online services directed to children under age 13 to:

  • post a privacy policy describing how the site handles children’s personal information;
  • provide direct notice to parents and obtain verifiable parental consent before collecting children’s personal information;
  • give parents the option to allow the operator to collect and use a child’s information, but not disclose it to third parties;
  • give parents access to their child’s personal information for review and/or deletion;
  • give parents the opportunity to prevent further use of the information; and
  • maintain the confidentiality, security, and integrity of information collected from children.

Changes proposed in the new rule include:

  • an expanded definition of “personal information” that includes substantially all information that can be used for online profiling or directed behavioral advertising – including geo-location information, instant messaging user IDs, voice over IP (VOIP) identifiers, video chat user IDs, and tracking cookies;
  • a requirement that key information be presented to parents in a succinct “just-in-time” notice, and not just in a privacy policy;
  • new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent’s identification is deleted promptly after verification is done;
  • a requirement that website operators ensure that service providers or others to whom they disclose a child’s personal information implement reasonable procedures to protect it, retain the information for only as long as is reasonably necessary, and properly delete the information; and
  • a requirement that self-regulatory “safe harbor programs” audit their members at least annually and report the results of those audits to the FTC.

The FTC will accept comments on the proposed rules through November 28, 2011.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s