Instead of revealing the long-anticipated final revisions to its rule relating to the Children's Online Privacy Protection Act (COPPA), the Federal Trade Commission last week proposed additional changes to the Rule, as a result of the overwhelming commentary it received to the revisions it proposed last fall (read our September 2012 alert on those proposed changes), and initiated another round of public comment. In its Aug. 1, 2012, Notice of Proposed Rulemaking, the Commission proposed modifications to several definitions in the Rule, including "operator" and "website or online service directed to children" that, if enacted, would clarify that providing the protections required by COPPA is the responsibility of both the entities operating child-directed websites and the third-party services, such as advertising networks, that collect information through those sites. The proposed revisions would also alter the way in which websites with content that attracts a mixed-age audience would be required to comply with COPPA requirements, and redefine "personal information" to include screen or user names, and persistent identifiers, subject to specific exceptions. Because the proposed revisions diverge from those it initially proposed in September 2011, the FTC is not making final amendments to the Rule, but rather is seeking another round of public comments.
Under the current form of the Rule, the responsibility for providing the required notice to parents and obtaining parental consent to the collection of personal information from children rests with the third party collecting information, such as an advertising network or provider of downloadable software - known as "plug-ins" - not with the website operator that allows these third parties to collect information, as long as the operator does not own, control or have access to the information collected. The FTC proposes modifying the definition of "operator" in the Rule to state that personal information is "collected or maintained on behalf of" an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator. As a result, an operator of a child-directed site or service that allows or integrates the services of third parties that collect personal information from its visitors would be considered a covered "operator" under the Rule.
The Commission's concurrent proposed revision to the definition of "website or online service directed to children," would also clarify that a third party, such as an advertising network or provider of a plug-in, would be covered by the Rule when it knows or has reason to know that it is collecting personal information through a child-directed website or online service. In the Notice of Proposed Rulemaking, the Commission noted that while the phrase "reason to know" does not impose a duty on entities such as ad networks or providers of plug-ins to monitor or investigate whether their services are incorporated into child-directed sites, they "will not be free to ignore credible information brought to their attention indicating that such is the case."
The FTC also proposed modifications that would relieve websites containing child-oriented content that appeals to mixed-age audience - both children and others, including their families for example - from the obligation under the current rule to treat all visitors as if they are less than 13 years of age. The revised Rule would allow these websites that are likely to attract an audience that includes a disproportionately large percentage of children under age 13 as compared to the percentage of such children in the general population to screen all visitors for age and to provide the protections required by COPPA only to those users who are actually below age 13. Under the proposed modification, child-directed sites or services that knowingly target children under 13 as their primary audience or that have overall content that is likely to attract children under age 13 as their primary audience must still treat all users as children. The FTC views this modification as an extension of its present enforcement policy to charge "sites or services with being directed to children only where the Commission believed that children under age 13 were the primary audience."
The Commission also proposed a modification to the definition of "personal information" to include screen or user names, in cases in which those identifiers could be used by children as a single credential to access multiple online sites, but only if those identifiers function as online contact information - that is allowing children to be directly contacted online even if the screen or user names do not contain an email address. The FTC proposed the modification to the definition as a result of comments to the September 2011 proposed changes arguing that the use of screen or user names is an important part of the effort of operators of child-directed websites at anonymization of children's personal information.
The definition of "personal information" would also be revised to include a persistent identifier (a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier), if it can be used to recognize a user over time, or across different sites or services - except when used for support of internal operations. In connection with this change, the FTC also proposes to modify the definition of "support for internal operations" to expressly include certain activities - including contextual advertising, but not behavioral advertising. Use of persistent identifiers for authenticating users and maintaining user preferences, as well as protecting against fraud, would not be considered collection of "personal information," as long as the information collected is not used or disclosed to contact a specific individual.
The FTC is accepting public comments on its proposed changes to the COPPA Rule until Sept. 10, 2012.