In July, the Federal Trade Commission (FTC) announced changes to update and streamline its Children’s Online Privacy Protection Act (COPPA) Frequently Asked Questions (FAQs). The COPPA FAQs supplement the COPPA Rule by providing plain-language guidance and examples of COPPA compliance. Although the Commission stated that the revisions “don’t raise new policy issues,” companies collecting or managing data from children under 13 should be aware of several significant changes and clarifications to the FAQs. The revised FAQs:
- Clarify the application of COPPA in schools by providing more detail about the circumstances in which companies may obtain consent from schools;
- Address operators’ obligations under other federal education laws to clarify the application of COPPA;
- Incorporate the holding of the 2019 YouTube settlement by describing the “directed to children” standard and the responsibilities of “mixed audience” sites and services;
- Incorporate the Commission’s 2017 non-enforcement policy for specific uses of voice recordings of children;
- Introduce other changes regarding obtaining parental consent, wireless network information, the definition of internal operations, and more.
The changes to the FAQs, discussed in detail below, do not impact the Commission’s ongoing review of the COPPA Rule, for which The Future of Privacy Forum (FPF) provided comments in 2019.
COPPA and Schools
The Commission made two significant changes to the “COPPA and Schools” portion of the FAQs: one regarding consent under COPPA and the other relating to other federal education laws.
Consent in the School Environment
The requirements for collecting verifiable parental consent (VPC) have long been a challenge for companies that partner with schools or provide educational services intended for classroom use. The Commission’s updates to the FAQs clarify that companies contracting with schools must not state in their “Terms of Service or anywhere else” that schools are responsible for complying with COPPA because it is “the responsibility of the Operator [to comply] with the Rule.” The FAQs further clarify that companies must provide schools with “the same type of direct notice regarding its practices as to the collection, use, or disclosure of personal information from children as it would otherwise provide to the parent.” This change indicates that while the actual notice provided to schools can differ from that given to parents, it must be direct and must convey the same information as notice provided to parents.
Federal Student Privacy Laws
The updated FAQs provide more detailed descriptions of operators’ and schools’ obligations under applicable laws, including the Family Educational Rights and Privacy Act (FERPA), the Individuals with Disabilities Education Act (IDEA), and the Protection of Pupil Rights Amendment (PPRA). The previous FAQs did not mention IDEA and included only PPRA and FERPA as additional legal considerations.
The Commission also updated language throughout the section on COPPA in schools to refer to operators’ and schools’ obligations under federal education laws. One notable addition is the following: “The school’s agreement with a third party operator must also be reviewed under the school official exception or other applicable exception under FERPA.” This language indicates that COPPA alone does not provide a basis for collecting student data; operators may obtain COPPA-required consent from schools and teachers only in the context of agreements subject to FERPA.
Response to the 2019 YouTube Settlement
The FAQs now include the Commission’s interpretations of COPPA that were dispositive in the landmark settlement with YouTube. The YouTube complaint alleged that YouTube maintained numerous child-directed channels and used persistent identifiers to serve targeted advertising on these channels. The settlement findings noted that the collection and use of persistent identifiers for targeted advertising from viewers of such channels violated COPPA because YouTube had actual knowledge that many of its channels were clearly child-directed, but did not obtain parental consent to collect, use, and disclose children’s personal information. In light of this, the updated FAQs include guidance for determining whether sites are directed to children, as well as guidance for mixed audience websites.
Directed to Children
The updated FAQs 1) address when COPPA deems content creators to be operators subject to the law; and 2) include four specific factors to help operators determine whether videos posted on their websites are directed to children. These four new factors specific to video build on the 10 factors listed by the Commission for determining whether sites are directed to children. This update largely incorporates a standalone blog that the Commission published to help content creators analyze whether their content is directed to children. The FAQs urge content creators to consider whether their content is directed to children because, in light of the YouTube Settlement, content creators may be considered operators (and thus subject to COPPA) if their sites collect personal information such as persistent identifiers from children.
The FAQs provide deeper insight into how operators may determine whether their websites or services are directed to children, a mixed audience, or a general audience. The FAQs distinguish these three categories by clarifying that “the ‘mixed audience’ category is a subset of the ‘directed to children’ category, and a general audience site does not become ‘mixed audience’ just because some children use the site or service.” The Commission clarified that when operators’ sites or services target children under 13 but they are not the primary audience, operators can take advantage of the mixed audience exception.
If operators serve a mixed audience, they can establish age screens to ensure that they do not collect personal information from users under age 13 or to ensure they collect verifiable parental consent for those users. The FAQs also add details about how operators may appropriately establish age screens in the context of a mixed audience site or app. The Commission clarified that knowledge-based questions alone, such as a difficult math problem, are insufficient to screen children but that knowledge-based problems can be used “in addition to asking the age of the user.” The Commission also restated its longstanding position that companies must establish methods to prevent children from back-buttoning to enter a new age at an age gate, using technical means such as cookies.
IOT Devices and the Non-Enforcement Policy Regarding Voice Recordings
The updated FAQs include Internet of Things (IOT) devices—specifically, connected toys, smart speakers, and voice assistants—as commercial services subject to COPPA. The new FAQ F.6 incorporates the Commission’s 2017 Enforcement Policy Statement Regarding the Applicability of the COPPA Rule to the Collection and Use of Voice Recordings, which aligns with FPF’s 2016 recommendations regarding connected toys and voice recordings. The FAQs now state that the FTC will not enforce the prior parental consent requirement when operators 1) collect an audio file of a child’s voice for the purpose of fulfilling a request or conducting an internet search; and 2) maintain that file only “for the brief time necessary for that purpose.”
This policy applies as long as operators provide clear notice of their data collection, use, and deletion policies; do not request personal information via voice; use the audio file solely to fulfill the user’s request; and delete the file upon request fulfillment. In addition to this new section, the FAQs clarify that COPPA applies to connected toys, IOT devices, smart speakers, and voice recordings of children.
The Commission made several other notable changes to the FAQs, including adding new methods for obtaining verifiable parental consent; clarifying that wireless network information is subject to COPPA; adding examples of “internal operations;” and removing guidance regarding the transition from the old COPPA rule.
New methods for obtaining parental consent
The FAQs highlight two new methods of obtaining parental consent. Operators may require “a parent to answer a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer.” Or, operators may compare and verify a parent’s photo identification with a photo submitted by the parent through facial recognition technology, as long as the FTC pre-approves the mechanism deployed for either option.
Wireless network information is subject to COPPA
The FAQs add the Commission’s finding that wireless network identifiers used to infer the precise location of a child is personal information covered by COPPA and, thus, requires notice and parental consent prior to collection, per the 2016 InMobi settlement.
Further examples of internal operations
The FAQs update the Commission’s definition of activities that support internal operations to include “activities necessary for the site or service to maintain or analyze its functioning,” specifically listing “intellectual property protection, payment and delivery functions, spam protection, optimization, statistical reporting, and debugging,” as such activities. The FAQs further remind operators that behavioral advertising and amassing profiles are not internal operations, consistent with settlements dating back to 2015.
Removing guidance relating to the transition from the old COPPA Rule
Throughout the FAQs, the Commission has removed language that distinguished the “old” and “new” COPPA rules. The Commission said that because the current regulations have been in place for seven years, it removed language regarding the transition between the two rules.
- Complying with COPPA: Frequently Asked Questions
- Previous Complying with COPPA: Frequently Asked Questions
- Tidying up: Decluttering the COPPA FAQs
- Who is a “school official” under FERPA?
- FTC Reaches Landmark Settlement Regarding Kids’ Privacy, Clarifies Platforms’ and Video Creators’ COPPA Obligations for Child-Directed Content
- MythBusters: COPPA Edition
- YouTube channel owners: Is your content directed to children?
- Federal Trade Commission Enforcement Policy Statement Regarding the Applicability of the Children’s Online Privacy Protection Act Rule to the Collection and Use of Voice Recordings
This blog was authored by Anisha Reddy, Casey Waughn, and Tyler Park.