For parental review, websites must provide both a method for parents to review the
information that has been collected and a method for a parent to contact the website
operator to prohibit any further use or maintenance of the child’s personal information.
Thus, parents of children who have personal profiles or online blogs can have access to
their children’s online profile and can have parts or the whole profile deleted or modified
at any time.
Further, COPPA considers data security as an upmost priority, with Section 312.8
emphasizing the importance of websites establishing and maintaining external security
measures.1 Adequate external security measures for COPPA compliance include firewalls,
information deletion, limits on employee access to data, and careful screening of third
parties to whom such information is disclosed.
Finally, COPPA prohibits websites that are focused on children from conditioning
participation in a game or the offering of a prize of another activity by requiring disclosure
of more personal information than necessary to participate. Thus in practice, websites may
not require children to answer invasive questions, such as “What cars do your parents
drive?” or “What’s your social security number?” in exchange for the child’s ability to
participate in an online game or contest.
In December of 2012, in response to growing changes in technology, the FTC
issued the first major amendments to COPPA since its passing in 1998. These amendments
were intended “to clarify the scope of the Rule and strengthen its protections for children’s
personal information.” Generally, these new amendments clarify ambiguities from the old
Act and add changes to the Act’s requirements. Further, the amendments streamline what
information to be quickly communicated to parents.
Specifically, the amendment modifies many definitions under the Act. For
example, the defined term “Operator” now includes any “operator of a child directed site
or service where it allows outside services to collect personal information from its visitors.”
This new definition closed a loophole that allowed kid directed apps and websites to permit
third parties to collect information.
In addition, “website or online service directed to children” was redefined to (1)
include “plug-ins or ad networks that have actual knowledge that they are collecting
personal information through a child-directed Web site or online service” and (2) “allow a
subset of child-directed sites and services (those that target children but not as their primary
audience) to ‘age screen’ their users and require such properties to meet COPPA’s notice
and consent obligations only for those users who self-identify as younger than age 13.”
Because of this expanded definition, more websites must now comply with COPPA.
Moreover, “personal information” was re-defined to include “geological
information as well as photos, videos, and audio files of a child’s image or voice.”
Therefore, websites are further prohibited from gaining physical information of children,
closing a significant loophole of the original legislation.
Additionally, the 2012 amendments contain stronger provisions to keep a child’s
information secured. Operators are now mandated to keep children’s personal information
for only “as long as is reasonably necessary” and once they dispose of it they must take
“reasonable measures to protect against unauthorized access.” Operators are further
1 §312.8 of COPPA states, “The operator must establish and maintain reasonable procedures to protect the
confidentiality, security, and integrity of personal information collected from children.”