On August 1, 2012, the FTC issued a request for public comments on additional proposed modifications to the Children’s Online Privacy Protection Act (COPPA) Rule relating to privacy policies. The FTC is seeking to include online advertising networks and makers of browser plug-ins to the list of entities required to comply with the rule. All entities covered by the rule are required to get parental permission before collecting personal information on websites and on-line services targeted at children under 13. Public comment on the proposals will be accepted until September 10.
In addition the FTC is proposing to modify the COPPA Rule's definition of "personal information" to make clear that a “persistent identifier” will be considered personal information if it can be used to recognize a user over time, or across different sites or services.
These changes track the FTC’s report, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing issued in February (Mobile Apps Report), that found that mobile app developers and merchants are providing insufficient information to parents before they download apps and that many apps did not disclose what information is being collected from children, how it is being used and who has access to it.
In the Mobile Apps Report the FTC made recommendations to industry:
- Apps should disclose if the app connects to social media or allows targeted advertising.
- Apps should disclose privacy policies.
- App stores should do more to help parents by providing a designated space to share privacy information.
- App stores should provide standardized icons to reflect privacy settings and connections to social media.
These proposed changes are also consistent with the recent Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (Final Report). The Final Report recommends that companies implement three best practices for protecting privacy:
- Privacy by Design - build in privacy protections at every stage of product development;
- Simplified Choice - give consumers the option to decide what information is shared, e.g., a Do-Not-Track mechanism allowing users a simple way to control activity tracking; and
- Greater Transparency - disclose collection and use details of consumers' information, and provide access to the data collected about them.
The Final Report applies to “all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer” with some narrow exceptions. The FTC has stated that it will enforce the Final Report through enforcement actions, pursuing the most egregious actors first. Recent consent decrees Google, Facebook and Myspace have resulted in each company being required to implement a comprehensive privacy program designed to protect consumer information and for biennial assessments of privacy programs for 20 years.