Today, the FTC is making a much-anticipated series of changes to how apps and websites can collect information from children under 13. The agency has implemented a revised version of the Children's Online Privacy Protection Act (COPPA) rule, expanding what counts as personal information and requiring third-party advertisers to comply with the rules as well. Under the original version of COPPA, sites aimed at children or those that collect information from children under 13 were required to get parental consent (through a signed form, credit card verification, or other method) before gathering a child's name, home address, or similar data.
Now, the list of what counts as "personal information" has been expanded to include geolocation markers, IP addresses, pictures or audio of the child, and persistent cookies that can track users across sites. The rules also now apply to companies that make plug-ins or advertising networks, which often collect information but aren't thought of as discrete sites that fall under the rules.
New COPPA rules apply to advertisers and cookies as well as more traditional data collection
These changes have proven controversial for sites that depend on advertising. Earlier this year, the Interactive Advertising Bureau asked the FTC to extend the deadline and clarify the rules. The FTC put out a series of guidelines meant to mollify them, but the rule is still likely to be unpalatable to kid-focused advertisers who will need to comply with what's essentially an across-the-board "do not track" order. The IAB and others have hinted that developers will end up paywalling their services and curtailing advertising as a result of the rules.
The FTC, however, is also putting in place a safe harbor provision that's meant to let the industry regulate itself. The idea is that by creating their own frameworks — which will still abide by the larger COPPA rules — companies can earn a reprieve from formal FTC investigation as long as they provide regular reports and enforce their own rules. In the wider regulatory environment, COPPA violations have earned companies like Path hundreds of thousands of dollars in fines, as the FTC puts its weight behind increasing privacy protections for children and adults alike.