A stringent new and amended privacy rule that takes effect July 1 is causing loads of compliance headaches for companies that collect personal information from young children online.

Last month, the Federal Trade Commission sent educational letters to more than 90 companies, warning that they may be subject to the Children's Online Privacy Protection Act (COPPA). The letters come on the heels of final revisions the FTC made to the COPPA rule in December 2012.

Under the rule, companies whose apps collect, store or transmit this information, as well as other personal information previously covered by the rule—such as a child's name or address—must get parents' consent before collecting the information. In addition, companies must also ensure that any third party receiving the information can keep it secure and confidential. Companies could face civil penalties up to $16,000 per violation. 

As Compliance Week previously reported, the revised COPPA rule expands the definition of “personal information” to include photos, videos and audio recordings of children, as well as “persistent identifiers” that can recognize users over time and across different Websites and online services. Persistent identifiers can range from online user names to “cookies” or IP addresses.

Jerry Cerasale, senior vice president of government affairs for the Direct Marketing Association, says "it's very important that every company take a look at the new rule," even if they assume it doesn't apply to them. “The last thing a company wants to have is its brand tarnished for not protecting children,” he says.

The FTC sent letters to companies both in the United States and abroad whose online services—including mobile applications—appear to collect personal information from children under the age of 13, as defined by the revised rule.  The letters do not reflect an official evaluation of the companies' practices by the FTC, but are designed to help companies come into compliance with the law.

For the companies that fall under the scope of COPPA, “the task can be very large,” says Cerasale. “For many companies, it's a matter of taking time to change what they're doing.”

Adding to the compliance challenges is that lots of confusion and uncertainty still surrounds COPPA One gray area, for example, is how to handle sites that are not directed to children but that children still visit frequently, says Cerasele. One popular example is a gaming Website like Angry Birds, or even sports Websites, he says.

Another question is how the law will apply to devices that are used by multiple members of a family, for example. “How do you treat that? That's still up in the air,” says Cerasele. “There is a lot of angst out there with exactly how that's going to play out.”

Many companies may find that it makes the most sense to screen the ages of the users, and just prohibit children under the age of 13 from entering certain sites until they have COPPA figured out, “so they feel as though they've covered themselves from liability,” says Cerasele. “Those are issues companies are working through right now,” he says. “I think that's going to take time, and many may not be ready by July 1.”