The FTC broadly expanded the regulations surrounding the Children’s Online Privacy Protection Act of 1998 when the Agency revised the COPPA Rule in late 2012. Online businesses were given until July 1, 2013 to adjust to the new rules, but many failed to keep up with the changes. One aspect of the new Rule proving problematic concerns the collection of geolocation data.
Geolocation data refers to data pinpointing the real world location of a device such as a GPS unit, smartphone, or computer and by extension – a person. This data is becoming more important to businesses as the Internet and digital world evolves. Because this information was traditionally used only with GPS units, many digital platforms now use it to return customized results to users. For example, a smartphone app delivering hotel listings to users will use geolocation data to identify the location of the user and then provide a list of hotels within a few miles of the individual.
What COPPA compliance obligations do businesses have if they collect user geolocation data? An obligation to comply exists only if the service, site or app is directed at children under 13, or the business has actual knowledge kids under 13 are using the platform. If we return to our hotel app example, the app does not need to be COPPA compliant since it is directed at adults unless it becomes apparent kids under 13 are using the app for some strange reason.
Assuming COPPA comes into play, the pivotal question is then what geolocation data is collected? Not all geolocation information triggers compliance obligations. The FTC asserts that compliance is necessary only if the geolocation data is sufficient to allow a person to identify the street name and city or town the child is in. Geolocation data that is less precise does not trigger a COPPA obligation although it is important to realize the specificity of geolocation data can vary under certain circumstances. Given this, legal counsel should always be retained to analyze the geolocation data collection process specific to each website, app, or another program.
Is COPPA designed to protect kids from child predators? A close reading of the law suggests the drafters of the law were more focused on giving parents control over the dissemination of the private information of their children to marketing companies. The same cannot be said for this new geolocation interpretation.
By including geolocation data in the definition of the newly expanded COPPA Rule, the FTC has arguably focused less on marketing issues and more on protecting kids from the lowest of the low in society. Normally, such governmental overreach would result in companies filing lawsuits since the FTC only has the right to clarify the application of COPPA to the real world, not expand upon the law. To date, no company has challenged this provision. It isn’t hard to see why.
Have questions about COPPA? Confused by the regulations? Contact us today for the answers.
Richard A. Chapo, Esq.