Compliance Matters

New Online Privacy Protection Rules Take Effect in July

The Federal Trade Commission adopted final amendments to the agency’s Children’s Online Privacy Protection Act

March 1, 2013

The Federal Trade Commission adopted final amendments to the agency’s Children’s Online Privacy Protection Act (COPPA) rule late last year. The changes go into effect on July 1, 2013.

The COPPA Rule applies to operators of commercial websites and online services directed to children under age 13 that collect, use, or disclose personal information from children. It also applies to operators of general audience websites or online services with actual knowledge they’re collecting, using, or disclosing personal information from children under age 13.
 
These website operators must give notice to parents and obtain their verifiable consent before collecting, using, or disclosing children’s personal information, and they must keep the information secure.
 
The rule prohibits website operators from collecting any more personal information from children than is reasonably necessary for them to participate in the website activities. The rule also contains a safe harbor provision that allows industry groups to submit programs to the FTC for approval.
 
The amended COPPA rule contains the following changes:
  • Modified definitions of “operator,” “personal information,” and “website or online service directed to children.”
     
  • Revised parental notice provisions to ensure operators’ privacy policies and the direct notices they must give parents before collecting children’s personal information are concise and timely.
     
  • New parental consent mechanisms operators can use to obtain verifiable parental consent, for example: electronic scans of signed parental consent forms; video-conferencing; use of government-issued identification; and alternative payment systems, such as debit cards and electronic payment systems, provided they meet certain criteria.
     
  • Additional confidentiality and security requirements to ensure children’s personal information is released only to service providers and third parties capable of maintaining the confidentiality, security, and integrity of such information, and who assure they will do so.

    The rule also requires operators to retain children’s personal information for only as long as is reasonably necessary, and to protect against unauthorized access or use while the operators dispose of the information.
     
  • Strengthened oversight of the approved “safe harbor programs,” requiring groups to audit their members and report annually to the FTC the aggregated results of those audits.
More information is available in CUNA’s e-Guide to Federal Laws and Regulations at cuna.org.
 
ATM Law Ends Duplicate Notice Requirements
 
President Obama signed H.R. 4367 (Public Law 112-216) into law on Dec. 20, 2012, eliminating the federal requirement to have a physical surcharge fee notice posted on the outside of ATMs.
 
The requirement to provide the notice either on-screen or on paper before the consumer commits to paying the fee remains in effect.
 
The law amends the Electronic Fund Transfer Act (EFTA), but there is still work to be done. The Consumer Financial Protection Bureau (CFPB) still needs to amend Regulation E to conform to the new law.
 
But the passage of H.R. 4367 will halt the tide of frivolous lawsuits that have plagued ATM operators during the past several years. Plaintiffs would remove fee notices (e.g., sticker or sign) and then sue ATM operators for violating the EFTA and Reg E.
 
Please note the legislation only eliminates the physical notice requirement under federal law. Some states laws, however, may still contain such a requirement.
 
CUNA urges credit unions to check with their state leagues before removing the notices from their ATMs. More information is available in CUNA’s e-Guide to Federal Laws and Regulations at cuna.org