July 28, 2014

New Children’s Online Privacy Protection Act (COPPA) Rule Now In Effect

In December 2012, the Federal Trade Commission (FTC) issued revisions to the Children’s Online Privacy Protection Act Rule (COPPA Rule or Rule). The COPPA Rule creates extensive parental notice and consent requirements, among other obligations, for organizations that (1) operate a website or online service that is “directed to children” under 13 and that collects “personal information” from users or (2) knowingly collect personal information from children under 13 through a website or online service. The new Rule takes effect today (July 1, 2013).

The FTC made significant changes that affect how the Rule functions in the definitions section, rather than in the operational sections. This tail-wags-the-dog approach means that organizations may be required to devote additional resources to understanding and complying with the Rule. Significant changes to the COPPA Rule include the following:

  • There are more scenarios under which operators will be subject to the COPPA Rule. (1) Previously, operators of plug-ins and ad networks were viewed by most as not subject to the Rule unless they had actual knowledge that they were collecting personal information from a child. The new Rule provides that these operators will also be subject to the COPPA Rule when they have actual knowledge that they are collecting personal information directly from users of a child-directed website or online service. (2) An operator of a website or online service that is not directed to children will be subject to the COPPA Rule if the operator allows another party to collect personal information from a user through the site and the operator has actual knowledge that the user is a child. (3) Operators of websites or online services directed to children are subject to the COPPA Rule if their service providers or agents collect personal information through the website or online service. (4) An operator of a child-directed site is also subject to the Rule if other parties who are not service providers or agents collect personal information through the site and the operator “benefits by allowing” the collection of information.

  • The definition of personal information was expanded to include, among other things, geolocation information, screen names or users names that function as “online contact information,” and persistent identifiers that “can be used to recognize a user over time and across different websites or online services.” IP addresses, device serial numbers, unique device identifiers, and cookies or cookie IDs, in some circumstances, are all forms of persistent identifiers under the new Rule. Video and audio files containing a child’s image or voice are also considered to be personal information, according to the new Rule.

  • The revisions to the Rule provide a new compliance mechanism for operators of websites and online services that are directed to children but do not target children as their primary audience. These operators may elect to age-screen all users and provide parental notice and obtain parental consent only for users that self-identify as under 13 years old.  Alternatively, these operators could age-screen all users and prevent the website from collecting personal information from users under 13. Practically speaking, exercising the latter option will require operators to block children from using the website or online service. In order to utilize this new compliance mechanism, according to the COPPA Rule, an operator may not collect any personal information until the operator exercises one of these two age-screening options.

  • An operator of a website or online service is not required to comply with the parental consent requirements if the only type of personal information collected is a persistent identifier and that identifier is used solely for “support for internal operations” of the website or online service. The FTC expanded the definition of support for internal operations to include, among other things, contextual advertising (but not behavioral advertising), frequency capping of advertising, and legal or regulatory compliance. The new Rule also creates a process through which an organization may file a written request with the FTC to include additional activities within the definition of support for internal operations.

  • There are new confidentiality and information security requirements, including a requirement that operators of websites and online services obtain certain assurances from third parties with whom they share access to children’s information.

  • The new Rule also provides new methods of obtaining parental consent, including electronic scans of signed consent forms and videoconferencing. A process was created that would allow operators of websites and online services to seek FTC approval of methods of parental consent that are not explicitly endorsed by the Rule.

As we explained in a recent client alert, the FTC has been proactive in seeking out websites and online services that do not comply with the new Rule, and state agencies are also taking a more active role in monitoring organizations for COPPA compliance. Organizations that have not already examined the new COPPA Rule to determine how they are impacted by the changes, including whether they are now covered by the Rule, should do so as soon as possible.

© 2014 Poyner Spruill LLP. All rights reserved.

About the Author


​Lynn's practice focuses on privacy, information security, and records management including compliance and risk associated with these areas. He assists in responding to security breaches, developing and implementing records management programs, and drafting privacy notices, contracts, policies, and procedures.

Prior to joining Poyner Spruill, Lynn served as a law clerk to both Judge Sanford L. Steelman, Jr. and Judge Robert N. Hunter, Jr. at the Court of Appeals of North Carolina. 


About the Author

Elizabeth Johnson, Privacy, Information Security Attorney, Poyner Spruill, law

Elizabeth’s practice focuses on privacy, information security, and records management. Her comprehensive, practical approach to privacy law is reflected by the diversity of her clients, which hail from a variety of industries including health care, financial services, insurance, retail, telecom, utility, technology, consumer goods and client services. Elizabeth has also worked with organizations of various size and scope, ranging from Fortune 100 companies with international reach to local charities.  She was listed among the top privacy professionals in Computerworld’s...


Boost: AJAX core statistics

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is  intended to be  a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 4700 Gilbert Ave. Suite 47 #230 Western Springs, IL 60558  Telephone  (708) 357-3317 If you would ike to contact us via email please click here.