§2.Amendments to Children’s Online Privacy Protection Act of 1998
This section revises definitions in the Children’s Online Privacy Protection Act of 1998 (COPPA) as follows: (1) expands the definition of "operator" to include any person operating a website, online service, online application, or mobile application for commercial purposes who collects or maintains personal information from children or teens, allows another person to collect such information directly from users, or allows users to publicly disclose it (deeming the operator to have collected it in the latter cases), and excludes tax-exempt 501(c)(3) organizations; (2) amends the definition of "disclosure" to cover release of personal information from a child or teen for any purpose (except to non-operators supporting internal operations, excluding child- or teen-specific targeted advertising), expands coverage to online and mobile applications, inserts "teen," and replaces "actual knowledge" with "knowledge" of a user's age; and (3) expands the definition of "personal information" to include persistent identifiers (e.g., customer number in cookies, IP address, device serial number, unique device identifier, excluding those solely for internal operations), photographs/videos/audio files containing a child’s or teen’s image or voice, geolocation information, biometrics (e.g., fingerprints, voice prints, DNA, gait), and information linked or reasonably linkable to a child, teen, or parent; provides an exclusion for audio files containing a child’s or teen’s voice used solely as a written-word replacement under specified conditions (e.g., clear notice, immediate deletion after use); and defines "support for the internal operations" of a website, service, application, or mobile application to include activities such as maintaining function, authenticating users, serving contextual (non-targeted) ads, and legal compliance.