You likely have never heard of it, but the Children's Online Privacy Protection Act (COPPA) is one of the most important online privacy safeguards your children have. The law was originally passed in 1998, and became effective in 2000. It mandates very strict privacy safeguards on any Internet site that collects information on persons younger than 13, and generally aims to protect children's privacy online.
The COPPA restrictions are so strong that many websites simply won't deal with them, so they disallow underage children from using their site or services; Facebook would be an example of this.
Noting that the Internet today is very different from the Internet that existed a decade ago, in 2010 the FTC began to pursue revisions to COPPA. To show how difficult it is to get things done in the federal government, when it announced the update, the FTC received more than 350 petitions suggesting possible changes.
It has taken almost three years to work through the process, but now the FTC has posted the final revisions that will take effect on July 1. The document of changes runs a mere 169 pages.
The changes modify definitions, including the broadening of terms like "operator," "website," and "personal information." The latter will now include photos, videos, or audio files that contain a child's image or voice as well as geo-location information, which can track a user across different websites and online services. Most importantly, the update extends children's privacy protections to apps, games and website plug-ins for the first time.
The agency says the changes will help protect young people "even as online technologies, and children's uses of such technologies, evolve."
In its initial proposed final rule, the FTC proposed that websites be required to simply delete all personal information from users under 13. That raised a firestorm of protest, with the industry complaining that sites might inadvertently come into possession of covered information and asking how to deal with the situation where a user has lied about their age.
So the rule has been modified to a requirement that sites take "reasonable measures" to delete the information a child has entered, and also to delete it from their records. It also changed the definition of personal information to exclude things such as birth dates that might be required to play a game online or "participate in an online activity."
"Child-directed sites or services whose primary target audience is children must continue to presume all users are children and to provide COPPA protections accordingly," the commission wrote.