The Federal Trade Commission, in advance of new and amended privacy rules that go into effect on July 1, has issued a list of Frequently Asked Questions.

The guidance deals with changes to the Children's Online Privacy Protection Act (COPPA), which is intended  to give parents control over what information is collected from their young children online, specifically those under the age of 13. The FTC issued an amended rule on Dec. 19, 2012 to address technologies that didn't exist when COPPA went into effect in April 2000, including: “cookies” and other “persistent identifiers,” mobile and geolocation tracking, facial recognition software, and behavioral advertising.

Operators covered by the rule must post a clear and comprehensive online privacy policy describing their information collection practices and provide direct notice to parents and obtain verifiable parental consent before collecting personal information online from children.

Highlights of the 92 questions and answers in the FAQ include:

What should I do about information I collected from children prior to the effective date that was not considered personal under the original rule but now is considered personal information?

If you have collected geolocation information and have not obtained parental consent, you must do so immediately.

If you have collected photos or videos containing a child's image or audio files with a child's voice from a child prior to the effective date of the amended rule, you do not need to obtain parental consent.  However, as a best practice, staff recommends that entities either discontinue the use or disclosure of such information after the effective date of the amended rule or, if possible, obtain parental consent. 

Does COPPA apply to information about children collected from parents or other adults?

COPPA only applies to personal information collected online from children, including personal information about themselves, their parents, friends, or other persons. 

What are the penalties?

A court can hold operators who violate the rule liable for civil penalties of up to $16,000 per violation. 

Can the states or federal government agencies enforce COPPA?

COPPA gives states and certain federal agencies authority to enforce compliance with respect to entities over which they have jurisdiction. In addition, federal agencies are responsible for handling COPPA compliance for the specific industries they regulate.

Do online services developed and run abroad have to comply with the rule?

Foreign-based Web sites and online services must comply with COPPA if they are directed to children in the United States, or if they knowingly collect personal information from children in the U.S.  U.S.-based sites and services that collect information from foreign children also are subject to COPPA.

Does the amended rule prohibit adults, such as parents, grandparents, teachers, or coaches from uploading photos of children?

COPPA only covers information collected online from children. It does not cover information collected from adults that may pertain to children. COPPA is not triggered by an adult uploading photos of children on a general audience site or in the non-child directed portion of a mixed-audience Web site.

However, operators of Web sites or online services that are primarily directed to children must assume that the person uploading a photo is a child and they must design their systems either to: give notice and obtain prior parental consent, remove any child images and metadata prior to posting, or create a special area for posting by adults, if that is the intention.

What types of information can I collect to obtain parental consent? 

The rule permits you to collect the parent's “online contact information,” defined as an email address, an IM user identifier, a VOIP identifier, a video chat user identifier, or other substantially similar identifier.  A mobile phone number is not online contact information and therefore cannot be collected from the child as part of the consent initiation process. 

Do I have to keep all information I have ever collected online from a child in case a parent may want to see it in the future?

No. If a parent seeks to review his child's personal information after the operator has deleted it, the operator may simply reply that it no longer has any information concerning that child.” 

The additional guidance comes as a variety industry groups ramped up opposition to the changes. In a letter sent to the FTC, the Toy Industry Association and a variety of trade groups urged it to extend the effective date of the amendments to Jan. 1, 2014, calling compliance with the updated rules a “monumental task.”

The Direct Marketing Association, U.S. Chamber of Commerce, Association of National Advertisers, Motion Picture Association of America, National Association of Broadcasters, and National Retail Federation, and others, similarly urged “a modest delay” of the amendments to “allow the business community to ‘get it right' the first time, and fully implement strategies for compliance with the COPPA Rule to guide their businesses for years to come.”