On December 19, the Federal Trade Commission (FTC) adopted long-awaited final amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”). The amended rule – which will take effect July 1, 2013 – follows a lengthy public comment period initiated in April 2010, designed to ensure that protection for children’s privacy kept pace with new technology and the manner in which children use the Internet.
Congress granted the FTC the power to implement and update the COPPA Rule when it passed the Children’s Online Privacy Protection Act of 1998, long before the growth of the mobile marketplace, tablets, apps, social networks, and third-party companies that are now involved in the collection of personal information from consumers, including children. The amended Rule takes into account this new environment and clarifies the scope of the Rule and seeks to enhance protection for children’s privacy by giving parents greater control over their children’s personal information.
Importantly, the final amended Rule modifies the definitions of “operator,” “personal information,” and “website or online service directed to children;” updates the requirements for notice, parental consent, confidentiality and security, and safe harbor provisions; and adds a new provision on data retention and deletion. Most notably, the new COPPA Rule:
- Revises the definition of “personal information” – the collection of which triggers COPPA obligations – to include geolocation information, photos, videos, and audio files that contain a child’s image or voice. Further, personal information now includes persistent identifiers, such as IP addresses and mobile device IDs, that can be used to recognize specific users over time and across different websites.
- Expands the definition of “operator” – to cover the data collection practices of third parties that are used by or with child-directed sites, apps, and online services such as plug-ins and advertising networks.
- Offers operators new mechanisms for obtaining verifiable parental consent.
- Retains the “e-mail plus” consent mechanism for certain uses.
- Enhances and places new data protection requirements on operators.
Closing of a “Loophole.” One of the more notable changes to the Rule is the “closing of the loophole” that allowed third parties to collect personal information from children without parental consent. The FTC accomplished this by amending the definition of the term “operator” to cover a child-directed site or service that integrates outside services (e.g., plug-ins or advertising networks) that collect personal information from its visitors. Although the FTC recognized the “potential burden that strict liability places on child-directed content providers, particularly small app developers,” it noted that when Congress enacted COPPA, it imposed absolute requirements on child-directed sites and services regarding restrictions on the collection of personal information and that those requirements cannot be avoided through outsourcing offerings to other operators in the online ecosystem.
Expanded Data Collection Coverage. In addition to holding operators liable for the activities of third parties, the amended Rule also revises the definition of “website or online service directed to children” to extend coverage in some cases to third parties doing the collection, requiring them to comply with COPPA before collecting personal information from children. However, this revision came in a much narrower form of the Rule than an earlier proposal, which would have held responsible a third party that “knows or has reason to know” that it is collecting personal information through a host, website or online service directed to children. A coalition of consumer groups had supported this proposal, which would have required parental permission regardless of whether ad networks knew they were present on child-directed sites, based on the premise that third parties could be relieved from COPPA liability by claiming that they did not know how their plug-ins were being utilized or where ads were placed, nor would they have an incentive to find out this type of information.
Actual Knowledge for Third Parties. Nevertheless, the final amended Rule only extends COPPA to third parties with “actual knowledge” that they are collecting personal information through a child-directed website or online service. Although knowledge is a highly fact-specific inquiry, the FTC has set forth two scenarios in which it believes the actual knowledge standard it is adopting would be met: (i) when a child-directed content provider (who will be strictly liable for any collection) directly communicates the child-directed nature of its content to the other online service; or (ii) a representative of the online service recognizes the child-directed nature of the content.
Parental Consent. With respect to parental notice and consent, the amendments purport to streamline and clarify the direct notice requirements to ensure key information is presented to parents in a succinct “just-in-time notice” and expand the list of appropriate methods of parental consent. The Rule allows parental consent to be provided by methods such as video conferencing, use of government-issued identification, electronic scans of signed parental consent forms and alternative payment systems. Moreover, the Rule encourages companies to create simple low-cost and effective means of obtaining parental consent and by establishing a voluntary 120-day notice and comment process so parties can seek approval of a particular method of consent. Finally, the subject of numerous comments, the Rule retains “email plus” as an acceptable method of consent for operators that collect personal information for internal use.
Data Security Requirements. The final Rule also enhances the confidentiality, security, and integrity of personal information collected from children by requiring operators to adopt reasonable procedures for data retention and deletion, and take reasonable steps to release children’s personal information only to companies that can maintain the confidentiality, security, and integrity of such information. Specifically, operators are required to anticipate the reasonable lifetime of the personal information they collect from children and apply the same concepts of data security to disposal as they are required to do with collection and maintenance. Operators are also required to inquire about entities’ data security capabilities and, either by contract or otherwise, receive assurances from such entities about how they will treat the personal information they receive. Here, the FTC rejected an earlier proposal that would have required operators to “ensure” those entities secured the information absolutely.
Increased FTC Oversight of Safe Harbor Programs. The final amendments to the Rule also strengthen the FTC’s oversight of self-regulatory safe harbor programs through changes to the reporting and recordkeeping requirements. COPPA establishes a “safe harbor” for operators fully complying with an FTC-approved COPPA self-regulatory program to be deemed in compliance with the Rule and, in lieu of enforcement, would first be subject to the safe harbor program’s review and disciplinary procedures. The amendments alter the reporting obligations of such programs as follows: (i) self-regulatory programs must, at minimum, conduct annual, comprehensive reviews of each members’ information practices, as opposed to a review every 18 months; (ii) applicants to a safe harbor program must explain in detail their business model and technological capabilities and mechanisms for initial and continuing assessment; and (iii) safe harbor programs must submit a report to the FTC containing an aggregated summary of the results of the assessments, rather than a summary that names the member operators subject to the review.
In a press conference introducing the revisions, FTC Chairman Jon Leibowitz made clear that the revisions to the Rule only affect behavioral advertising, that is, advertising that is displayed based on a person’s browsing activities. Advertisers and ad networks can continue to advertise, even on sites directed to children; the rule simply limits behavioral advertising without parental consent.
Why it matters: Chairman Leibowitz commented, “I am confident that the amendments to the COPPA Rule strike the right balance between protecting innovation that will provide rich and engaging content for children, and ensuring that parents are informed and involved in their children’s online activities.” While federal legislation is still pending, including legislation that would offer similar protections to teenagers, regulators and legislators alike commented in a press conference about the new Rule that the amendments to the COPPA Rule underscore a bipartisan commitment to protect the most vulnerable members of society: our children. Thus, the FTC’s revisions seek to protect children by strengthening the role that parents play as gatekeepers of their children’s information, without hindering innovation and unduly restricting the rights of others on the internet.