The COPPA Rule requires website and online service operators to give notice to parents and obtain verifiable parental consent before collecting children’s “personal information” online. 16 CFR §§ 312.4, 312.5. The definition of “personal information” encompasses some obvious pieces of data – name and address, for example – and some less-obvious ones, such as screen names, geolocation data, and “persistent identifiers.” A “persistent identifier” is a piece of information “that can be used to recognize a user over time and across different web sites or online services,” such as “a cookie, an internet protocol (IP) address, a processor or device serial number, or unique device identifier.”
Until very recently, persistent identifiers alone have not formed the basis of FTC complaints under the COPPA Rule. In December 2015, however, the FTC announced settlements with two app developers – LAI Systems and Retro Dreamer – based on complaints alleging the collection of persistent identifiers without obtaining verifiable parental consent. The app developers both developed games available for download on online app stores, such as those run by Apple and Google. While the two complaints focus heavily upon establishing that the apps in question were directed towards children – as the FTC must do in order to show that the COPPA Rule applies, per 16 CFR § 312.12 – they provide little detail about exactly what “persistent identifiers” were collected or how. Both complaints simply allege that the app developers allowed third-party advertising networks to collect persistent identifiers “in order to serve targeted advertising on the app based on users’ activity over time and across sites.”
The FTC, as it detailed in a blog post accompanying announcement of the settlements, now plainly views persistent identifiers as fair game under the COPPA Rule. It is important for app developers and similar firms to review their policies regarding cookies, IP addresses, and similar information, if there is a chance that such information is being collected from children. As we have written before, even a website or service that does not think of itself as marketing to children may be subject to the COPPA Rule, if that website or service has “actual knowledge” that it collects personal information from users under age 13.