The FTC has ended a two-year-long process of revising the rules implementing the Children’s Online Privacy Protection Act (COPPA Rule), which is now a decade old and set to expire in 2014. The new rule, effective July 1, 2013, follows three rounds of public comments and two sets of proposed rule revisions. The FTC has reversed course on many of its original proposals that would have unreasonably burdened online and mobile publishers, service providers and advertisers. It has also adopted many suggestions from industry that actually make it easier in many cases for such parties to provide entertainment and educational content to kids. As such, the new COPPA Rule can be seen as a victory for both industry and consumers, and as rejecting radical proposals supported by advocacy groups that tried to use the COPPA Rule revisions as a way to restrict advertising to children, something COPPA was never intended to do. COPPA remains about protecting children from inappropriate contact without parental knowledge and consent, and not about preventing advertising to children. This will permit entertainment and educational content to continue to be advertiser-supported, subject to a few restrictions such as on behavioral advertising, and thus free to users. Some of the proposed changes would have resulted in burdens that would have reduced the content available for free to kids, and drawn sites intended for teens and young adults into the scope of COPPA compliance.
Some of the highlights are:
What is good for industry:
- Surprisingly, the FTC listened to the overwhelming majority of industry that urged retention of “e-mail plus.” This allows operators to obtain consent to collection of personal information of children by means of an e-mail from the parent along with a follow-up confirmation, such as sending a delayed follow-up e-mail, calling, or sending a letter. The FTC had been adamant that it needed to sunset e-mail plus because it was unreliable and because ending it would force industry to innovate new methods of verified parental consent (“VPC”). The Promotional Marketing Association (recently renamed the Brand Activation Association) (“PMA”), the American Association of Advertising Agencies, the Toy Industry Association and others had argued that in the absence of any evidence of harm caused by e-mail plus, it was inappropriate to end it and put a financial burden on industry merely to foster innovation. This will be a huge disappointment to many self-appointed consumer watchdogs that had campaigned for an end to e-mail plus. However, the FTC indicated that it was conceding begrudgingly and “encourages industry to innovate to create additional useful mechanisms as quickly as possible.”
- Importantly, the FTC retained the one-time-use exception in Section 312.5(c)(3) for promotional and advertising purposes, which its proposed changes would have altered to require prior verified parental consent. The FTC stated “[T]he Commission did not intend to further constrict the permissible uses of online contact information under the one-time-use exception (such as notifications regarding a contest or sweepstakes, homework help, birthday messages, forward-to-a-friend e-mails, or similar communications).” Rule p. 89. The FTC cited objections from the PMA in noting that the proposed change would have violated the COPPA statute and thus exceeded the FTC’s authority. Rule p. 89 and fn 274. This is significant since it is an express rejection of changes urged by the Center for Digital Democracy and other consumer advocates, in both comments and complaints filed against leading marketers and publishers, which urged a ban on direct advertising to children through promotions and send-to-friend tools absent VPC.
- Although third parties that collect personal information because they have been integrated into a site that may have children on it now have COPPA responsibilities, such third parties are only responsible if they have “actual knowledge” that they are collecting personal information from a child, a big victory for industry since the FTC had proposed a “know or have reason to know” standard.
- The FTC adopted Disney’s proposal for so-called mixed-use or family-oriented sites that have children as a secondary audience, and such operators will only be required to obtain VPC for users that self-identify as under 13. Furthermore, the FTC revised its original proposal and added some clarifying notes indicating that a site that may have a disproportionate number of children as compared to that existing in the general population would not be per se obligated to undertake such age screening and user differentiation. Rather, this is optional. Sites and services will continue to be subject to the actual knowledge standard (meaning they are only responsible for VPC if they know they are collecting personal information from those under 13) or if they are, based on the totality of the circumstances, actually directed to children. This means sites intended for teens and college students will not be forced into the mixed-use site model of age gating and differentiating users, something PMA, apparel and consumer products companies adamantly opposed. Sites that do target children as a primary audience must continue to presume all users are children.
- The Commission revised the definition of “personal information” to limit treatment of screen name functions as a method of “direct, private, user-to-user contact” similar to an e-mail address. This helps families of sites use a common screen name across multiple sites, services and platforms without VPC, something the original FTC proposal would not have permitted.
- Although persistent identifiers were added as personal information, their use for internal uses was exempted from VPC obligations. Further, the definition of internal uses was expanded (such as to allow frequency capping of ads) and clarified (to permit intellectual property protection, payment and delivery functions, spam protection, optimization, statistical reporting, de-bugging and other internal functions not previously articulated). The FTC also added a process for obtaining approval of further expansions. In addition, instead of treating as personal information an identifier used “to recognize a user over time OR across different websites or online services,” the FTC settled on a definition where it is used “to recognize a user over time AND across different websites or online services.” This makes use for traditional first party advertising, and serving contextually relevant content, clearly permissible. Further, the FTC clarified that use of persistent identifiers to enable “the delivery of advertisements based upon a consumer’s current visit to a web page or single search query, without collection and retention of data about the consumer’s online activities over time” is permissible. Thus contextual advertising is in and third party ad network behavioral advertising is out. Furthermore, the FTC indicates that “different” means only “sites or services that are unrelated to each other, or sites or services where the affiliate relationship is not clear to the user.” Finally, the FTC clarified that the internal use and operations exception could also be used by third party operators that are integrated into a primary site, easing the burden on them.
- The definition of collection was changed to allow participation of children in interactive activities such as chat without VPC if operators take reasonable measures, such as use of filtering software, to eliminate posting of personal information such as email and phone number. Previously, a 100% deletion standard was required to qualify for the exception, and this resulted in the omission of interactive content from many sites and apps that found the VPC process too cumbersome, but could have employed technology to reasonably protect against sharing of contact info by children. See Section 312.2(b).
- The methods for obtaining VPC were expanded, including use of alternative payment systems (where a monetary transaction occurs) as opposed to merely credit card transactions. The FTC had previously expressed concerns that these methods were not as reliable, but was convinced that the notification to the account holder of a monetary transaction would be sufficient just as it is for a credit card. Further, there is now a method to have additional means of obtaining VPC approved.
Challenges for industry:
- “Personal information” was, as proposed, expanded to include geolocation data and photographs, audio files and videos per se. The existing COPPA Rule only does so if they include contact information. This means verified parental consent is required before collecting such information from children, even if such information does not include data that would enable the contacting of a child. This will restrict user-generated content and location-based activities in services aimed at children and will thus limit that kind of content offering in many circumstances.
- “Personal information” was also expanded to cover persistent identifiers, but the exceptions discussed above will ease the burden of compliance.
- Both publishers and third party service providers, such as ad networks, plug-in providers and analytic companies, are responsible for obtaining verified parental consent if they collect personal information via children’s sites and services. However, third parties are only responsible if they have actual knowledge that they are collecting personal information from a child, a big victory for industry since the FTC had proposed a “know or have reason to know” standard. These third party operators can, under the final rules, also take advantage of the internal use exception with regard to persistent identifiers. As to the primary sites, the FTC retained its proposal that child-directed sites and services be strictly liable for the activities of third parties integrated with the site or service for COPPA compliance, meaning that operators need to undertake diligence on all third parties in the digital ecosystem that interact with their sites or apps. The FTC rejected a safe harbor for operators that exercised reasonable measures to police such third parties, as well as calls for a “knows or has reason to know” standard such as that advocated by the PMA. It did, however, note that “in applying prosecutorial discretion, [it] will consider the level of due diligence a primary site exercise” Rule p. 24. It also clarified that the changes are not intended to impose on providers that merely offer access to children’s content, such as app stores, an obligation to be responsible for the content providers they offer access to. See Section 312.2.
- The FTC requires operators to give notice of every party collecting personal information on its site or service, including third party operators integrated into the site or service, but does permit a single operator to be designated as the party responsible for responding to parental inquiries.
The new COPPA Rule goes into effect July 1, 2013.