The Federal Trade Commission has released the long-anticipated final amendments to its rule enforcing the Children's Online Privacy Protection Act (COPPA), which governs the online collection and use of personal information from children under age 13. The FTC initiated a review of the COPPA Rule in 2010 and proposed amendments in September 2011 (read our September 2011 alert on those proposed changes). As a result of overwhelming commentary on those revisions, the FTC proposed another set of amendments Aug. 1, 2012, and a further round of public comment. According to the FTC's Dec. 20, 2012, statement announcing the final amendments to the COPPA Rule, the changes reflect "careful consideration of the entire record of the rulemaking, which included a public roundtable and several rounds of public comments sought by the agency."
The final amendments make a number of significant changes to the Rule, including enlarging the category of information deemed "personal information," the collection and use of which requires parental notice and consent; clarifying that both operators and third-party service providers of "plug-ins" to kid-directed apps and websites must comply with COPPA; revising parental notice and verifiable consent requirements; imposing more stringent data security requirements; and enlarging the FTC's oversight of self-regulatory programs. The new rules go into effect July 1, 2013.
The final amendments modify the definition of "personal information," the collection of which requires parental notice and consent, to include geolocation information, photographs, videos and audio files that contain a child's image or voice, screen or user names in cases in which these identifiers function as online contact information (defined as an e-mail or other identifier that permits direct online contact with a user), and "persistent identifiers" (a user number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier) that can be used to identify users over time and across different websites or online services. The Rule does not require parental notice and consent when an operator collects a persistent identifier only to support the website or online service's internal operations (including contextual advertising, frequency capping, legal compliance, site analysis, and network communications). Absent parental notice and consent, persistent identifiers cannot be used or disclosed for other purposes, such as contacting an individual (including through behavioral advertising) or creating a profile on an individual. The final Rule does provide for a process by which industry can seek FTC approval to add additional activities to the definition of support for internal operations for which the Rule permits collection and use of persistent identifiers without parental notice or consent.
In addition, the final amendments revise the definition of "collection of personal information" so operators would not be deemed to collect information and therefore could allow children to participate in interactive communities without parental notice and consent, as long as the operators take reasonable measures to delete all or virtually all children's personal information before it is made public. This revision is a change from the "100 percent standard" under the existing rule, which required operators to delete all individually identifiable information from postings by children before they are made public, and delete this information from their records. The change is aimed, at least in part, at allowing operators to employ automated filtering programs without the risk of running afoul of the 100 percent standard.
Operators and Third-party Service Providers
The final amendments revise the definition of "operator" to state that "Personal information is collected or maintained on behalf of an operator when: (a) it is collected or maintained by an agent or service provider of the operator; or (b) the operator benefits by allowing another person to collect personal information directly from users of such operator's website or online service." As a result, an operator of a child-directed website, online service, or app that allows or integrates the services of third parties that collect personal information from its visitors (such as "plug-ins" or advertising networks) would be considered a covered "operator" under the Rule and therefore required to comply with parental notice and consent requirements. In its rulemaking, the FTC explained, however, that the revised definition does not extend liability to platforms, such as Google Play or the App Store, when they only offer access to other parties' child-directed apps.
Concurrently, the final amended Rule includes a revised definition of "website or online service directed to children" to extend the parental notice and consent requirements to those third parties, such as providers of plug-ins and ad networks, that collect personal information when those third parties have actual knowledge that they are collecting personal information through a child-directed website or online service. The actual knowledge standard is a change from the previously proposed amendment, which imposed liability on third-party data collectors when they knew or had reason to know that they were collecting personal information from a child-directed website or service.
Child-directed Websites or Services
The final amendments also revise the definition of "child-directed website or service" to allow websites containing child-oriented content that appeals to a mixed-age audience (both children and their families, for example) to age-screen visitors and provide protections required by COPPA only to those users under age 13. The revised rule provides that the FTC will first apply its "totality of the circumstances" standard to determine whether a website or online service is directed to children, based on the list of factors enumerated in the definition (which factors are not exclusive and none of which predominates) and then whether children under age 13 are the primary audience for the site or service. A site or service that is directed to children, but that does not target children as its primary audience, need not treat all users as under 13 and instead may use an age screen and apply COPPA's protections only to users who self-identify as under age 13. Child-directed sites or services that knowingly target children under age 13 as their primary audience or that have overall content that is likely to attract children under age 13 as their primary audience must still treat all users as children.
Parental Notice and Consent
COPPA also requires that operators obtain verifiable parental consent prior to collecting personal information from children. The amended Rule revises the mechanisms by which operators obtain the required consent. The revisions retain "e-mail plus" as a valid method for operators that collect personal information only for internal use, and add additional options to the list of methods available for operators to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, use of government-issued identification (driver's license numbers, portions of social security numbers) to verify parents' identities, and using alternative payment systems (such as debit cards and electronic payment systems that meet certain criteria). Operators participating in a self-regulatory safe-harbor program approved by the FTC may use any consent method approved by the program.
Data Retention and Security
The amended final Rule requires operators to retain children's personal information for only as long as is reasonably necessary, and to protect against unauthorized access or use while the information is being disposed of. Operators must also take reasonable steps to make sure that children's personal information is released only to service providers and third parties that are capable of maintaining the confidentiality, security, and integrity of such information, and who assure that they will do so.
Self-regulatory Safe Harbor Programs
Under the amended final Rule, the Commission has enhanced oversight over approved self-regulatory safe-harbor programs, including requiring those programs to audit their members and report annually the results of those audits to the FTC.