The Federal Trade Commission (FTC) has issued a rulemaking notice proposing to update its rules implementing the Children’s Online Privacy Protection Act (COPPA) to reflect changes in technology and online practices, primarily the popularity of social networking and the use of smartphones to access the Internet and provide location information. COPPA is intended to provide notice to parents and secure verifiable parental consent prior to the collection of personal information from children under the age of 13. As part of this rulemaking, the FTC considered broadening the scope of COPPA to include teenagers, but ultimately decided to retain its applicability to children under the age of 13 only.
The rule modifications proposed by the FTC cover five different areas: 1) definitions, including what children’s “personal information” the rule covers, and what it means to “collect” it; 2) parental notice; 3) new parental consent mechanisms; 4) confidentiality and security requirements; and 5) “safe harbor” determinations for how self-regulatory programs can be deemed “in compliance” with COPPA. The primary proposals in each of these areas are summarized below. Comments on any of the proposals summarized below must be submitted to the FTC online or via hard copy by Nov. 28, 2011.
COPPA requires operators of websites or online services directed to children under 13, or those that have actual knowledge that they are collecting personal information from children under 13, to obtain verifiable consent from parents before collecting, using, or disclosing such information from children. The FTC’s Rule implementing COPPA and FTC commentary adopting and interpreting it establish criteria for determining whether websites/services are directed to children under 13, what falls within the scope of children’s “personal information,” how to provide notice and obtain verifiable parental consent, and other related matters. The new rulemaking bears on these and a variety of other facets of the Rule, including the following:
Perhaps the most significant changes proposed to the definitions are those regarding the definition of “personal information.” Under the current rule, screen names are considered “personal information” only when coupled with an individual’s email address. Under the proposed rule, screen names would be considered “personal information” without more, unless used solely for internal operations. The FTC is also proposing to greatly expand the definition of a “persistent identifier” that can be used to identify an individual. The current rule includes only cookies that are coupled with individually identifiable information. The proposed rule would include cookies (without more), IP addresses and even unique device identifiers, other than those collected solely for the purpose of internal operations. It would also include any “identifier that links the activities of a child across different websites or online services.” Thus, any information that identifies a particular personal computer or handheld device would be included within the definition of “personal information,” implicating the notice and consent provisions of COPPA when linked to children under the age of 13.
The FTC also proposes to include all photographs, as well as video and audio files that contain a child’s image or voice within the definition of “personal information.” The current rule applies only to photos that contain contact information, and does not address video or audio files. The new FTC rule would also include “geolocation data.” While not a specific proposal, the FTC asks commenters whether a combination of items, such as birth date, gender and zip code or even “zip+4” zip codes alone might be sufficient to identify a particular individual or address so as to warrant inclusion within the definition of “personal information.”
The FTC also proposes amending the definition of “collects or collecting” personal information so that it reaches not only sites that specifically “request” such information, but also those that “prompt” or “encourage” children to disclose such information about themselves. It also includes all means of passive tracking of children online. However, the FTC is also proposing to relax its current provision that exempts online operators who delete 100% of all such information collected. The proposed exemption would now include those who take “reasonable” measures to delete “all or virtually all” of the personal information collected from children. Another proposed exemption would include personal information collected solely for the purpose of supporting the internal operations of the website or online service.
The FTC declined to adopt a specific standard such as a demographics percentage to identify a “website or online service directed to children” but rather proposes to keep its current rule that uses a totality-of-circumstances approach.
The FTC proposes that parental notice be “prominent and clearly labeled” and that it be posted on the website’s home page as well as each location where personal information is collected from children. As for notice content, the FTC proposes requiring website operators to provide their contact information, including name, address, telephone number and email address. For each form of direct notice provided to parents, the FTC proposes that operators provide the following: the items of personal information the operator has already obtained from the child (generally, contact information only); the purpose of the notice; actions that the parent must or can take; and the operator’s use of the information collected. Each notice must also contain a hyperlink to the operator’s information practices.
Parental consent mechanisms
Critical to the operation of COPPA is the mechanism by which website and online operators receive “verifiable parental consent.” The FTC considered a number of new proposals for obtaining consent such as text messaging, online payment services (e.g. PayPal), parental consent features in game consoles and electronic signatures, but rejected all of those options as unreliable. However, the FTC did approve the use of electronically scanned versions of signed parental consent forms as well as video verification. Also approved is the use of a government issued identification such as a driver’s license or social security number, so long as the information is verified by checking it against a database and deleted following verification.
Among the methods for consent contained in the current rule is a method called “email plus,” used when personal information is collected from children for internal purposes only. Email plus consists of an email address plus one other piece of information, such as an address or telephone number. In this proceeding, the FTC proposes deletion of “email plus” as a measure that has outlived its usefulness as a reliable means of consent. In its place, the FTC proposes a process by which interested parties can propose a new form of consent that will be published for comment in the Federal Register on a case-by-case basis. Also, any operator participating in the FTC’s safe harbor program described below can use any parental consent mechanism approved for use in that program.
Finally, the FTC proposes one new exception to the need to obtain parental consent in order to allow operators to obtain parental contact information from children solely for the purpose of notifying the parent of a child’s participation in a service that does not otherwise collect, use or disclose children’s personal information. Existing exceptions maintained in the proposed rules allow communication with children to initiate the parental consent process, to respond to the child, and to protect the child’s safety or the website’s integrity.
Confidentiality and security requirements
COPPA requires that operators “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.” The FTC proposes extending that provision to require operators to “take reasonable measures to ensure that” any third party to whom children’s personal information is provided also has such reasonable procedures in place. As a corollary to this provision, the FTC proposes a new rule requiring operators to retain children’s personal information “for only as long as is reasonably necessary to fulfill the purpose for which the information was collected,” and to delete information no longer needed, taking “reasonable measures to protect against unauthorized access to, or use of” the deleted information.
COPPA established a “safe harbor” program allowing participants in FTC-approved self-regulatory programs to be deemed “in compliance” with COPPA. TRUSTe and CARU (Children’s Advertising Review Unit) are examples of organizations that operate FTC-approved safe harbor programs. The FTC proposes several changes to strengthen the reliability and accountability of safe harbor programs.
Specifically, it proposes (a) that safe harbor programs conduct an annual, comprehensive review of their members’ information practices; (b) that new safe harbor program applicants explain their business model and technological capabilities and mechanisms for assessing operators’ fitness for membership in their safe harbor program; and (c) that safe harbor programs conduct an independent audit of their programs every 18 months and submit the results of that audit to the FTC along with any disciplinary actions taken against member operators within that 18 month time period. To the extent new rules require existing safe harbor programs to modify their guidelines, such modifications must be made within 60 days after publication of the final rule to avoid potential revocation of their safe harbor status.
Comments on any of the proposals summarized above must be submitted to the FTC online or via hard copy by Nov. 28, 2011. The online comment form can be found at https://ftcpublic.commentworks.com/ftc/2011copparulereview/.