Wednesday, June 19, 2013


Despite there is still quite a lot of things to clarify regarding COPPA, and that each case and each company has to investigate how this regulation is affecting to them, let's give a summary here of what COPPA is, what is the scope and how is different from previous regulations.


The Children's Online Privacy Protection Act (COPPA) is a law created to protect the privacy of children under 13. The Act was passed by the U.S. Congress in 1998 and took effect in April 2000. COPPA is managed by the Federal Trade Commission (FTC). New COPPA regulations are taking effect from 1st of July 2013.

New COPPA regulations

The most significant provisions in the COPPA Rule required operators of websites or online services to give notice to parents and get their verifiable consent before collecting, using or disclosing personal information from children when either
(a) the website or online service is directed to children who are younger than 13 years of age
(b) when operators of websites or online services have actual knowledge that they are collecting personal information from children younger than 13.

The COPPA Rule also prohibits conditioning children’s participation in online activities on the collection of more personal information than is reasonably necessary for them to participate, and contains a “safe harbor” provision that allows industry groups or others to seek FTC approval of self-regulatory guidelines.

To whom is affecting

COPPA Rule applies if the operator collects information from anyone who has indicated their age to be 12 or younger. Of course, such sites can also avoid COPPA (if they are not otherwise deemed to be directed to kids) by bouncing anyone who has indicated themselves to be 12 or younger.

But COPPA Rule has expanded the definition of operators under the Rule to include "sites or services that target children only as a secondary audience or to a lesser degree". There remains some potential for confusion because of the new definition, which discusses sites "directed to children" but that do not target children as their "primary audience."

Personal information

Before the amendments to the COPPA Rule, "Personal Information" included:
  • a first and last name 
  • a physical address 
  • an email or instant messaging address 
  • a telephone number 
  • a Social Security number 
  • a persistent identifier or a combination of information that allows contacting or information concerning a child or his parents that the operator collects online and combines with a persistent identifier 

Now, "Personal Information" also includes:
  • photos
  • videos
  • audio files that contain the child’s image or voice 
  • geolocation information 
  • persistent identifiers: used to "recognize a user over time and across different websites or online services"
The new definition of “persistent identifiers” includes anything that can be used to track individual users “over time and across different websites.” IP addresses, geolocation data, device identifiers, and cookies could all fall within this definition.

Identifiers are considered personal information only to the extent they are not used to support the internal operations of the site or service. The FTC’s intention is that sites using tracking tools to follow children across websites for behavioral advertising purposes will fall under the COPPA Rule because of that activity; sites using the same tools to track users, including children, for the purpose of effectively providing their own services — including offering advertising content based on the user’s activity within the site — will not.

Child-directed sites or services that use third party “plug-ins” or ad networks to collect personal information are now considered operators and strictly liable for COPPA violations.

Contextual vs Behavioral advertising

The practical difference between whether tracking activity will or will not fall under COPPA is the difference between what has become known as "contextual advertising" as compared with "behavioral advertising." Contextual advertising, deemed not the collection of personal information under COPPA, provides ad content to users based on the site visited (e.g., if you are on a car enthusiast site, you will be presented with advertisements for sports cars). Behavioral advertising, deemed to qualify as the collection of personal information under COPPA, provides ad content based on the tracking of a user’s Internet browsing activity (e.g., if you run a search for mortgage interest rates, you might be presented with ads for mortgage or home refinancing offers when you visit unrelated sites the next day). The FTC makes clear in its comments in the Federal Register that it is specifically addressing behavioral advertising with the amendments

“Plug ins” and ad networks are now subject to COPPA liability if they have actual knowledge they are collecting information from a child-directed site without parental consent Previously, plug-ins and ad networks were not clearly subject to direct liability.