Wednesday, June 26, 2013

New COPPA Rules Take Effect on July 1, 2013

Only four more days are left until the new rules promulgated under the Children’s Online Privacy Protection Act (COPPA) go into effect. I have previously blogged about the amended rules here. The FTC passed the rules in December 2012, making July 1st the effective date. The new rules make it more difficult to collect and share personally identifiable information from children under the age of 13. They require obtaining prior parental consent and expand the definition of what is children's personal information to include photos, videos, recording of a child's voice, geolocation, persistent identifiers, screen name or user name. Mobile apps in particular will come under the FTC scrutiny. In December 2012, the FTC issued its second report on privacy disclosures and practices in mobile apps, where it warned apps developers that it was launching multiple investigations into the mobile app marketplace regarding potential COPPA violations. I discussed the report in greater detail in my previous blog.

So, what should kids' apps developers do to comply with the new COPPA rules? 

1. Educate yourself. Developers should start by reading the FTC Q&A. Also, read this letter sent by the FTC to certain apps developers in May of this year regarding the use of persistent identifiers in the apps and this letter regarding the use of photos, videos and sound recordings of children. Last but not least, read Scott Weiner's notes from the webinar on COPPA compliance which are a great resource for learning about the new rules.

2. Understand the new expanded definition of "personal information". Note in particular that as of July 1, the definition of "personal information" will include persistent identifiers, such as cookies, IP addresses and mobile device IDs, that can recognize users over time and across different websites or online services, as well as kids' videos, photographs and voice recordings.

3. Adopt a privacy policy and make it easily seen and accessible to parents on the app’s store page so that parents can access it prior to purchasing the app.

4. Determine whether the COPPA rules apply to you. This depends on whether you collect children's personal information that you share with third parties. If in doubt, assume that the rules apply.

5. Give notice and get verifiable parental consent before collecting personal information on your applications that you share with third parties. The good news is that no consent is needed if you collect personal information for internal purposes such as maintaining or analyzing the functioning of the application, performing network communications, authenticating users of the app, serving contextual advertising, or conducting other specific activities defined as “support for internal operations”.

6. Take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential.

7. Learn, understand and implement the new data retention and deletion requirements.

Although time is running out, thankfully there are multiple resources available to the apps developers to help them comply with the new COPPA rules. Remember: if your app is not in compliance by July 1st, it does not mean that you have to pull the app from the market. Simply stop collecting and sharing any children's personal information until you are 100% certain that you are in full compliance with the rule.

This article is not a legal advice, and was written for general informational purposes only. If you have questions or comments about the article or are interested in learning more about this topic, feel free to contact its author, Arina Shulga. Ms. Shulga is the founder of Shulga Law Firm, P.C., a New York-based boutique law firm specializing in advising individual and corporate clients on aspects of business, corporate, securities, and intellectual property law.

No comments:

Post a Comment