ADOTAS – On September 15, 2011, the Federal Trade Commission released proposed revisions to the Children’s Online Privacy Protection Act (COPPA), which regulates the collection of personal information online from children under the age of thirteen.
This proposed rule arises from an “FTC COPPA Rule Review” through which the FTC solicited comments about every aspect of COPPA, including whether technological advances such as social media and mobile commerce necessitated revisions. The FTC has now proposed prominent modifications to COPPA that will have a significant effect on the operation of websites, online services and mobile applications that collect personal information from children.
In the preamble to the proposed rule, the FTC states that “[t]he Commission remains deeply committed to helping to create a safer, more secure online experience for children and takes seriously the challenge to ensure that COPPA continues to meet its originally stated goals, even as online technologies, and children’s uses of such technologies, evolve.”
The first major revision to COPPA will certainly create a better online experience for children, however, the changes may also create regulatory compliance hurdles for companies that will be forced to make significant changes to their current information practices.
The FTC is proposing amendments in five areas: (1) definitions; (2) requirements in the parental notice; (3) parental consent; (4) confidentiality and security; and (5) safe harbor provisions.
First, the FTC has clarified that COPPA applies not only to websites, but also to technologies that can be considered “online services.” This includes mobile apps that permit children to play network-connected games, engage in social networking activities, and some text messages.
The definition of “personal information” has also been expanded and will almost certainly impact companies’ behavioral advertising activities. The new definition includes Internet Protocol addresses, customer numbers held in cookies, device identifiers, the linking of information across websites and geo-location information.
Next, the notices that operators must provide to parents about their information collection practices must be streamlined and clarified. Fourth, changes to the existing parental consent mechanism are required, including the removal of the “email plus” verification method and adding several new methods.
In addition, enhanced security provisions and requiring operators to ensure that third-party service providers to whom an operator discloses a child’s personal information have reasonable privacy and security procedures in place. Lastly, changing the existing COPPA Safe Harbor program to require that “safe harbor programs” exercise more oversight.
The Growing Realm of ‘Personal Information’
One of the most significant proposed changes to COPPA is to the definition of “personal information.” The definition of “personal information” is important as COPPA only applies to operators whose websites or online service are directed to children or who have actual knowledge that they are collecting personal information from a child under the age of thirteen.
The proposed definition of “personal information” adds or changes the following categories of information:
- Online contact information – the FTC proposes to include not only a child’s email address but also “any other substantially similar identifier that permits direct contact with a person online,” such as an instant messenger name, a video chat name or a VOIP identifier.
- Screen names or user names – however, the FTC would not consider screen or user names that are only used to support internal operations to be “personal information.
- Persistent identifiers, including Internet Protocol addresses, customer numbers held in cookies, processor or device serial numbers, or unique device identifiers — however, the FTC would not consider these persistent identifiers that are only used to support internal operations to be “personal information.” This is a significant change from the current COPPA Rule, which requires that a persistent identifier be associated with individually identifiable information to be considered
- Identifiers that link activities of a child across different websites or online services – this category is “intended to serve as a catch-all category covering the online gathering of information about a child over time for the purposes of either profiling or delivering behavioral advertising to that child.”
- Photographs, videos, or audio files that contain a child’s image or voice – the FTC proposes this change from the current standard which includes photographs only when they are combined with “other information such that the combination permits physical or online contacting.”
- Geo-location information sufficient to identify a street name and name of a city or town.
The foregoing proposed changes will significantly expand the scope of COPPA to operators that were not previously subject to the Rule. For example, the requirement that persistent identifiers only be used for internal operations or be considered “personal information” will force any operator having services directed to children or having knowledge that it is collecting information from children under 13 that wishes to provide targeted advertising to children to receive parental consent, even where such advertising is not based on what has been traditionally considered personally identifying information.
The proposal also brings geo-location data into the definition of “personal information,” which will similarly require mobile apps or operators offering mobile apps to comply with the COPPA Rule. This proposed change will likely have the most significant effect on businesses as it would not only subject a wider array of entities to COPPA, but also may make it more difficult for a website or online service to determine whether it is subject to the COPPA Rule, at all.
Parental Consent Required
In the proposed rule, the FTC attempts to streamline the process by which operators are required to provide parents with notice of their privacy practices and the FTC tries to make the process easier for both operators and parents to understand. This change comports with the FTC’s recent efforts to encourage businesses to provide consumers with more easily understandable notice and choice about information practices.
- Contact information for each operator (the current rule allows multiple operators to select one operator to have their contact information listed).
- What information is collected from children, and whether the website allows children to make this information publicly available.
- How the operator uses the collected information.
- The operator’s disclosure practices for collected information.
- The fact that parents can review and delete or refuse the further collection of a child’s personal information, and the procedures for doing so.
Currently, COPPA requires operators to send parents a direct notice, which informs the parent of a website’s information practices. The proposed rule revises these provisions and includes specific information that an operator must address in different circumstances, including:
- When affirmative parental consent is needed for the collection, use or disclosure of a child’s personal information.
- When a child’s online activities do not involve the collection, use, or disclosure of personal information.
- When an operator intends to communicate with a child multiple times.
- When an operator collects a child’s personal information in order to protect a child’s safety.
The FTC proposes removing one of the most popular parental consent mechanism under the current Rule – email plus. Currently, operators who collect personal information and do not disclose this information to external parties can utilize this consent mechanism by sending a parent an email and then using another step – such as another email at a later date– to confirm the consent.
However, in the proposed rule, the FTC suggests that this consent mechanism is prone to abuse (such as when a child simply provides his or her own email address) and has inhibited the development of better, more reliable parental consent mechanisms. Therefore, the FTC has proposed the elimination of the email plus method of parental consent.
The FTC has also proposed new methods of parental consent, including allowing parents to send electronic scans of signed consent forms, using video-conferencing to signal consent, and providing government-issued ID numbers that the operator can check against a database. If an operator collects government-issued ID numbers, the FTC proposes that this information must be promptly deleted after the verification is complete.
Almost every experienced Internet attorney will tell you that the changes proposed by the FTC to the parental consent process could have a major impact on operators. Many websites currently rely on email plus to obtain consent from parents when the website will only be using the personal information collected from a child for internal purposes. The email plus method is often preferred as it is the easiest parental verification method.
The FTC proposal would require all operators to implement more complicated parental verification methods. This change could mean that all of the operators currently using email plus will have to overhaul their parental verification practices. While these proposed provisions may ultimately make compliance with the notice provisions easier for covered operators, these changes could require operators to expend valuable resources to adjust current practices and regulatory requirements.
Clearly, the FTC has been enforcing the COPPA Rule much more broadly than it has in the past. Any media that is targeted at children under the age of 13 will have to analyze whether it can be considered an “online service” and take appropriate steps to comply with COPPA if necessary.
Special thanks from the editor to Gail Gardner of Growmap.