Editing Children's Online Privacy Protection Act (section)

==Compliance==
In December 2012, the [[Federal Trade Commission]] issued revisions effective July 1, 2013, which created additional parental notice and consent requirements, amended definitions, and added other obligations for organizations that (1) operate a website or online service that is "directed to children" under 12 and that collects "personal information" from users or (2) knowingly collects personal information from people under 13 through a website or online service.<ref name="PercivalNew13">{{cite web |url=http://www.natlawreview.com/article/new-children-s-online-privacy-protection-act-coppa-rule-now-effect |title=New Children's Online Privacy Protection Act (COPPA) Rule Now In Effect |author1=Percival IV, L.C. |author2=Johnson, E. |work=[[The National Law Review]] |publisher=Ifrah PLLC |date=1 July 2013 |access-date=22 June 2016}}</ref> After July 1, 2013, operators must:<ref name="LaroseGuide13">{{cite web |url=http://www.natlawreview.com/article/guide-to-compliance-amended-children-s-online-privacy-protection-act-coppa-rule |title=Guide to Compliance with the Amended Children's Online Privacy Protection Act (COPPA) Rule |author1=Larose, C.J. |author2=Siripurapu, J.M. |work=[[The National Law Review]] |publisher=Ifrah PLLC |date=28 June 2013 |access-date=22 June 2016}}</ref>

* Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from persons under age 13;
* Make reasonable efforts (taking into account available technology) to provide direct notice to parents of the operator's practices with regard to the collection, use, or disclosure of personal information from persons under 13, including notice of any material change to such practices to which the parents have previously consented;
* Obtain verifiable parental consent, with limited exceptions, prior to any collection, use, and/or disclosure of personal information from persons under age 13;
* Provide a reasonable means for a parent to review the personal information collected from their child and to refuse to permit its further use or maintenance;
* Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected from children under age 13, including by taking reasonable steps to disclose/release such personal information only to parties capable of maintaining its confidentiality and security; and
* Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
* Operators are prohibited from conditioning a child's participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity.<ref name="LaroseAmended13">{{cite web |url=http://www.natlawreview.com/article/amended-children-s-online-privacy-protection-act-coppa-rule-compliance-deadline-appr |title=Amended Children's Online Privacy Protection Act (COPPA) Rule Compliance Deadline Approaching |author=Larose, C.J. |work=[[The National Law Review]] |publisher=Ifrah PLLC |date=29 June 2013 |access-date=22 June 2016}}</ref>

According to a notice issued by the [[Federal Trade Commission]], an operator has actual knowledge of a user's age if the site or service asks for—and receives—information from the user that allows it to determine the person's age.<ref name="FTCChild13">{{cite web |url=http://business.ftc.gov/documents/alt046-childrens-online-privacy-protection-rule-not-just-kids-sites |title=Children's Online Privacy Protection Rule: Not Just for Kids' Sites |work=FTC Business Center |publisher=Federal Trade Commission |date=April 2013 |access-date=7 July 2013}}</ref> An example, cited by the FTC, includes an operator who asks for a date of birth on a site's registration page has actual knowledge as defined by COPPA if a user responds with a year that suggests they are under 13. Another example cited by the FTC is that an operator may have actual knowledge based on answers to "age identifying" questions like "What grade are you in?" or "What type of school do you go to? (a) elementary; (b) middle; (c) high school; (d) college."

A small fee was charged by [[Microsoft]] under COPPA as a way to verify parental consent. The fee was donated to the [[National Center for Missing and Exploited Children]].<ref>{{Cite web |url=https://support.microsoft.com/en-us/help/10502/microsoft-account-why-charge-to-create-child-account |title=Why does Microsoft charge me when I create an account for my child? |website=support.microsoft.com |access-date=2017-03-26}}</ref> Google, however, charges a small fee as a way to verify one's date of birth.

In the changes effective July 1, 2013, the definition of an operator was updated to make clear that COPPA covers a child-directed site or service that integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors.<ref name="FTCStrength12">{{cite web |url=https://www.ftc.gov/news-events/press-releases/2012/12/ftc-strengthens-kids-privacy-gives-parents-greater-control-over |title=FTC Strengthens Kids' Privacy, Gives Parents Greater Control Over Their Information By Amending Childrens Online Privacy Protection Rule |work=FTC Press Releases |publisher=Federal Trade Commission |date=19 December 2012 |access-date=22 June 2016}}</ref> The definition of a website or online service directed to children is expanded to include plug-ins or ad networks that have actual knowledge that they are collecting personal information through a child-directed website or online service. Websites and services that target children as a secondary audience may differentiate among users, and are required to provide notice and obtain parental consent only for those users who identify themselves as being younger than 13.<ref name="PercivalNew13"/> The definition of personal information requiring parental notice and consent before collection now includes "persistent identifiers" that can be used to recognize users over time and across different websites or online services. However, no parental notice and consent are required when an operator collects a persistent identifier for the sole purpose of supporting the website or online service's internal operations.<ref name="FTCStrength12"/> The definition of personal information after July 1, 2013, also includes geolocation information, as well as photos, videos, and audio files that contain a child's image or voice.<ref name="LaroseGuide13" />

On November 19, 2015, the FTC announced it had approved an additional method for obtaining verifiable parental consent: "face match to verified photo identification" (FMVPI). The two-step process allows a parent to submit a government-sanctioned ID for authentication, then submit an impromptu photo via mobile device or web camera, which is then compared to the photo on the ID.<ref name="FTCGrants15">{{cite web |url=https://www.ftc.gov/news-events/press-releases/2015/11/ftc-grants-approval-new-coppa-verifiable-parental-consent-method |title=FTC Grants Approval for New COPPA Verifiable Parental Consent Method |work=FTC Press Releases |publisher=Federal Trade Commission |date=19 November 2015 |access-date=22 June 2016}}</ref>