The Federal Trade Commission’s (FTC’s) revised rule implementing the Children’s Online Privacy Protection Act (COPPA) is scheduled to take effect on July 1, 2013. (Our January issue summarized the extensive nature of the changes at www.wileyrein.com/new_rule.) Websites and app developers have little time left to understand the new rule’s requirements and to implement the many changes in software and operational systems, and perhaps contract renegotiations, that may be necessary to meet the new requirements.
On April 15, the Application Developers Alliance asked the FTC to delay the effective date of the new rules until at least January 1, 2014. That request was supported a week later by a coalition of 19 trade organizations, including the Direct Marketing Association, the Interactive Advertising Bureau, the National Association of Broadcasters, the Newspaper Association of America, the Toy Industry Association and the U.S. Chamber of Commerce. Opposing the extension was a coalition of privacy advocates that support the revised regulation. On May 6, the Commission announced that it would not defer the July 1 effective date.
However, on April 25 the FTC did release a set of updated “Frequently Asked Questions” regarding how to comply with the COPPA. The FAQs can be found at www.ftc.gov/opa/2013/04/coppa.shtm.
Although the FAQs have the status merely of non-binding staff recommendations, they provide very useful guidance regarding how the FTC staff, and ultimately the agency, intend to interpret and enforce the COPPA regulation. And the FAQs make quite clear the many changes that the agency expects websites, online services and mobile apps to make in order to comply.
For example, the FAQs remind operators of websites, online services (e.g., some mobile gaming services and VoIP services) and mobile apps that the new COPPA regulation will apply to the collection not only of names, addresses, telephone numbers and online contact information as in the past, but also “persistent identifiers” (such as IP addresses and mobile device IDs), photographs, videos (or audio files containing a child’s image or voice) and geolocation information sufficient to identify a street name and town, among other data.
The extension of the rule to “persistent identifiers” such as IP addresses or device serial numbers—even when not combined with individually identifiable information—also has broad implications. Not only does it have the purpose and effect of sweeping in mobile devices and apps, it also extends obligations to advertising networks that engage in interest-based advertising. In fact, the FAQs are quite clear that the FTC intends to apply COPPA to advertising networks that engage in behavioral advertising.
Plug-ins and “Directed” to Children
For a second example, the FAQs highlight that the revised rule applies to websites that integrate third-party services such as plug-ins or advertising networks, and will also apply to those third-party services when they have “actual knowledge” that they are collecting personal information through a child-directed website. This change effectively creates significant new obligations for websites and mobile apps. One of these, for instance, is a duty to list all of the “operators” collecting information at a site, although this duty can be met in more than one way.
As a third example, the FAQs explain how even teen-oriented sites may fall within the scope of COPPA if the FTC determines that the site (or part of the site) is “directed” to children under 13. If a site is “directed” to children under 13, but such children are not its “primary” target audience, then the new rule allows sites to undertake a process—paradoxically, one that requires the site to collect age information—to determine what users are under 13 and for whom parental consent must be obtained. And the website is essentially stuck with this task—the FAQs state that a website “directed to children” may not block children from participating.
There are also new requirements concerning matters such as the location of privacy notices, the need for “just-in-time” notifications to parents and specific requirements as to the content of direct notices to parents of an operator’s information collection practices. Importantly, if a child-directed website or app uses an advertising network to serve ads, it must be aware of the types of advertising likely to be served, as this may affect what the direct notices to parents must state.
And the revised rule spells out particular requirements for when and how parental consent is to be obtained. And there are many more requirements.
The new COPPA regulations are extensive, potentially burdensome to many sites and can be tricky to navigate. Many app developers and app publishers may still be unaware that the revised regulation will apply to their offerings. Civil penalties can run as high as $16,000 per violation, where the Commission treats each information collection or use as a separate violation (one collection from each of 5,000 children is 5,000 violations). There is little time before July 1.