The biggest change is in what constitutes personal information. In the past, you only needed a parent’s permission to collect emails and addresses for kids under 13. Now photos, audio and video uploads, and geo-location information are also covered by the rule.
That means if you run a website where kids upload photos or videos of themselves for fun or for a contest, you must get verifiable permission from a parent. You can do this in a number of ways:
- Providing a consent form to be signed by the parent and returned via U.S. mail, fax, or electronic scan (the “print-and-send” method);
- Requiring the parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
- Having the parent call a toll-free telephone number staffed by trained personnel, or have the parent connect to trained personnel via video-conference; or
- Verifying a parent’s identity by checking a form of government-issued identification against databases of such information, provided that you promptly delete the parent’s identification after completing the verification.
Prior to the update, many websites used the “email plus” method of getting parental consent. This is when you send a message to the parent’s email address, then follow up with a confirming email or a phone call to verify that the child didn’t fake the return message. This method is now only an option if you’re collecting information that will remain inside company walls.
As you can imagine, these new rules are going to complicate matters for many site owners, and experts fear they will cause app developers and others to stop creating programs for kids.
If you don’t operate a website aimed at kids, you aren’t necessarily in the clear. The definition of what’s covered by the rules is a little nonsensical.
Who is covered by COPPA?
The Rule applies to operators of commercial Web sites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children.
It also applies to operators of general audience Web sites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.
The Rule also applies to Web sites or online services that have actual knowledge that they are collecting personal information directly from users of another Web site or online service directed to children.
So, basically, if you run a game site for grown-ups and kids sign up anyway, then the rules apply. As for that last paragraph. . . I have no idea what that means.
If you’re confused, you’re not alone. Knowing this, the FTC has prepared several documents to help you sort it all out.
They also made a video which includes images of kids under 13 but I’m sure they got verifiable permission from everyone’s parents.