This post is being provided for informational purposes only. Nothing in this post shall be construed as creating a representation, legal advice, warranty or commitment, contractual or otherwise, by Eloqua or any affiliate of Eloqua, to you or any other person or entity. It also does not guarantee that your email, websites, and/or any other aspect of your business is in compliance with state, federal, or International laws. Eloqua makes no representation, warranty or commitment that any message you send to end users will be delivered. This post is not a substitute for, should not be used in place of, and should not be considered, legal advice. It is recommended that you contact your general or legal counsel.

For those who don't know, the Children's Online Privacy Protection Act of 1998 (COPPA) is a United States federal law that applies to the online collection of personal information by persons or entities under U.S. jurisdiction from children under 13 years of age. It details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children's privacy and safety online including restrictions on the marketing to those under 13. While children under 13 can legally give out personal information with their parents' permission, many websites altogether disallow underage children from using their services due to the amount of paperwork involved.


The Federal Trade Commission (FTC) has the authority to issue regulations and enforce COPPA. The Act applies to websites and online services operated for commercial purposes that are either directed to children under 13 or have actual knowledge that children under 13 are providing information online. Most recognized non-profit organizations are exempt from most of the requirements of COPPA.


On Wednesday December 19, 2012, the FTC announced its update to the COPPA Rule during a press conference with Senators Jay Rockefeller (D-WV) and Mark Pryor (D-AR) on Capitol Hill.


One of the biggest items for you to consider if you are collecting information from children is the how the Final Rule makes first party operators liable for third-party data collection activities that benefit the first party.  Third parties will also be liable if they have actual knowledge that they are collecting personal information on a site or service that is directed to children.


Below is a summary of key elements from the announced amendments.


  • First Party Liability:  The Final Rule articulates new standards for when first party operators may be liable under COPPA for the activities of other entities that collect data on a first party’s site or service.  Specifically, operators may be responsible under COPPA for (1) agents or service providers or (2) when “the operator benefits by allowing another person to collect personal information directly from users[.]”  The Commission intends this language to impose a strict liability standard for first-party operators that allow third-party online services to collect personal information through their properties.  Such liability is not intended to apply to platforms (such as mobile app market providers) that merely offer public access to content provided by another.
  • Third Party Liability:  Third parties that collect personal information through another operator’s website or online service will be subject to COPPA only if the third party has actual knowledge that the site or service is “directed to children,”
  • “Directed to Children” - New Factors:  The Final Rule retains the longstanding multi-factor analysis for determining whether a site or service is “directed to children,” with the addition of (1) music (as an element of audio content) and (2) presence of child celebrities or celebrities who appeal to children as factors in that analysis.
  • “Directed to Children” - Proposed Audience Standards: The Final Rule abandons the proposed “primary audience” and “disproportionately large” child audience standards for defining when a site or service is “directed to children.”  However, as discussed below, the “primary audience” standard will determine whether a site or service can take advantage of the age-screening safe harbor established in the Final Rule.
  • Age Screening Safe Harbor:  Sites and services that fit the definition of “directed to children” but do not target children as their primary audience can be deemed not “directed to children” if they choose to age screen all users and then provide notice and obtain parental consent only with respect to those users who indicate they are children under 13.



Definition of “Personal Information”


  • Persistent Identifiers: Personal information will include any “persistent identifier that can be used to recognize a user over time and across different websites or online services.”  The Commission’s commentary states that the term “different” means sites or services that are unrelated or where an affiliate relationship is “not clear to the user.”  Operators are not required to meet COPPA’s notice and consent requirements if such persistent identifiers are used to support internal operations, but the Final Rule moves this exception from the “persistent identifiers” definition to a stand-alone exception.  The Commission intends this as a technical rather than substantive change.
  • Online Contact Information:  “online contact information” is defined as “an email address or any other substantially similar identifier that permits direct contact with a person online” including certain examples.  This definition is an element of personal information under the Final Rule, and also defines the scope of COPPA’s application to screen or user names as described below.
  • Screen or User Names:  Screen or user names will be considered “personal information” if they function in the same manner as online contact information.  The commentary states that this is intended to cover “direct, private, user-to-user contact” and does not cover content personalization, filtered chat, public display, operator-to-user communication, or the use of screen or user names to allow children to log in across devices or related properties.
  • Photo, Audio and Video Files:  Photo, audio, and video files will be considered personal information if they contain a child’s image or voice.
  • Geolocation Information:  Geolocation information will be considered personal information if it is sufficient to identify both street name and city/town name.
  • ZIP Code Data:  The Final Rule does not expand personal information to cover either (1) ZIP code + 4 or (2) date of birth combined with gender and ZIP code.


Definition of “Support for Internal Operations”:  The Final Rule adopts a slightly broader definition of “support for the internal operations” of a site or service. Specifically, the Commission has added frequency capping of advertising and legal and regulatory compliance to the exhaustive list of purposes recognized as “support for internal operations.”  The Commission has also established a voluntary process for parties to request Commission approval of additional activities to be added to this definition.


Parental Notice:  The Final Rule maintains that operators provide certain information to parents in the direct notice, rather than providing a link to a privacy policy.  Like the existing COPPA Rule, the Final Rule permits multiple operators to designate a single operator as parents’ point of contact in a privacy policy.


“Email Plus” and Other Parental Consent Methods:  The Final Rule retains the “email plus” method for obtaining parental consent when children’ personal information is used for internal purposes only.  New examples of permissible consent methods have been added, namely: electronic scans of signed forms, video verification methods, checking a parent’s government identification against a database, and certain online payment systems. The Final Rule does not adopt a specific provision regarding the use of common consent platforms.  As proposed, the Final Rule establishes a voluntary Commission approval mechanism for new parental consent methods. 


Definition of “Collection”:  The Final Rule expands the definition of “collection” to include “prompting” or “encouraging” the submission of information, and to provide that any “passive tracking” constitutes collection.  The Final Rule also eliminates the existing “100% deletion” standard for filtering user-generated postings in favor of a “reasonable measures” standard.


Data Retention and Deletion:  The Final Rule will require operators to retain children’s personal information only as long as reasonably necessary to fulfill the purpose of collection, and then to take reasonable measures to delete the information.


Service Provider and Third Party Oversight:  Operators will have new obligations under the Final Rule to “take reasonable steps” to release children’s personal information only to third parties (including service providers) that are (1) capable of maintaining its confidentiality, integrity and security and (2) provide assurances to that effect.


For more information, please contact your account manager who will get you in touch with Eloqua's privacy office to schedule an appointment or post your thoughts here and we will answer them ASAP.






Dennis Dayman, CIPP, CIPP/IT

Chief Privacy and Security Officer


Twitter: ddayman

Twitter: deliverability