The new COPPA privacy rule was announced today by the FTC. It will become effective on July 1, 2013. As predicted, it includes a substantial expansion in the number of entities covered by COPPA and expands important definitions as well as the kinds of data collection technologies (and categories of data) that can be used in the absence of verifiable parental consent.
Expansion of Scope—New Companies, Web Properties and Apps Covered
The first major change involves an expansion of the types of entities covered. No longer is the COPPA regime reserved for only those companies that focus primarily on kids’ content, apps and toys. Now COPPA also covers websites outside of the kid economy that have only a small amount of content directed to kids. The new COPPA rule also covers apps as well as third-parties who collect information through child-directed sites or services such as social networks and other 3rd party entities. The sum total of these changes significantly increases the number of entities that must now concern themselves with COPPA.
Websites, Portions of Websites and Apps Covered. In determining whether a website, portion of a website, or app is directed to children, the Commission will consider its subject matter, visual content, use of animated characters or child-oriented activities and incentives, audio content and other kid-centered characteristics. The Commission will also consider empirical evidence regarding audience composition, and evidence regarding the intended audience. If web pages or apps fall within the scope of these admittedly squishy definitions, then consent under COPPA is required before “personal information” can be collected. Unfortunately, the term “personal information” has been expanded to include just about anything.
Greatly Expanded Definition of Personal Information: Technologies Newly Covered by COPPA include Browser Cookies, Widgets, Social Network Buttons and Plug-Ins, Flash Cookies, Tags, IFA and Device Identifiers (such as UDID and MAC address)
Under the prior regime, “Personal Information” typically meant first and last name, date of birth, social security number, street address and similar kinds of information. Now, any data that can be reasonably used to reveal the identity of a child is protected by COPPA, so long as it is not used purely for the operation or maintenance of the site or service. Although the FTC is allowing industry to seek formal approval to add permitted activities to the definition of "support for internal operations" (i.e., no personal consent is currently not required when persistent identifier collected for sole purpose of supporting the website or online service's internal operations, such as contextual advertising, frequency capping, legal compliance, site analysis, and network communications), the FTC appears unlikely to expand the list by much. The bottom line is that the new COPPA rule applies to a broad swath of “passive tracking” on web pages directed to children and that this reflects a dramatic shift by the FTC.
Device and Network Identifiers. In the mobile context, for apps directed to kids, developers and publishers will now be prohibited from sharing device or other persistent identifiers with ad networks, ad exchanges, or social networks. Such persistent identifiers include Apple’s new “Identifier for Advertising” or IFA, IP address, UDID, Open UDID, MAC address, IMEI, and unsalted hashes of such identifiers.
The point of the FTC’s actions in this regard is to kill child-directed OBA and data brokering dead in their tracks. These changes are dramatic and will require substantial efforts by companies to comply.
Obtaining Parental Consent
Determine Best Option to Obtain Consent. The amendments to the new COPPA Rule add several new methods that operators can use to obtain verifiable parental consent: electronic scans of signed parental consent forms; video-conferencing; use of government-issued identification; and requiring a parent, in connection with a monetary transaction, to use a credit card, debit card, or other payment system that provides notification of each discrete transaction to the primary account holder. In addition, after considering the comments on “email plus,” the FTC concluded that it remains a valued and cost-effective consent mechanism for certain operators. The Final Rule retains email plus as an acceptable consent method for operators that collect personal information only for internal use. Under this method, operators that collect children’s personal information for internal use only may obtain verifiable parental consent with an e-mail from the parent, as long as the operator confirms consent by sending a delayed e-mail confirmation to the parent, or calling or sending a letter to the parent. Finally, companies participating in a Commission-approved safe-harbor program may use any consent method approved by the program.
The new Rule also provides for exceptions to prior parental consent. Prior consent is not required where the purpose of the collection is to: 1) obtain consent; 2) provide notice or an update about the child's participation in a service; 3) respond to specific requests from a child, with some restrictions; 4) protect the safety of a child; 5) protect the security of the website, respond to judicial process, or for public safety concerns; and 6) provide support for "internal operations" of the website or online service. Also, consent need not be obtained by an operator covered under paragraph (b) of the definition of "website or online service directed to children" who collects only a persistent identifier and no other personal information from a user who affirmatively interacts with the operator and whose previous registration with that operator indicates that such user is not a child. Paragraph (b) of the definition of "website or online service directed to children" provides: "A website or online service shall be deemed directed to children when it has actual knowledge that it is collecting personal information directly from users of another website or online service directed to children."
To encourage the development of new consent methods, the Commission established a voluntary 120-day notice and comment process so parties can seek approval of a particular consent method.
Attend our “COPPA Boot Camp: 5 Steps Towards Compliance” on January 15th in Washington DC and another date soon in NYC.
Determining which Websites and Mobile Apps Are Covered. The first step toward complying will be for companies to identify those websites, portions of websites, or mobile apps that are covered by the new rule. Technical Review of Website and Mobile Apps. The Next step necessary for compliance will be to identify the technologies used and the data collected. The technical review should involve: (1) an analysis of network traffic from the website or mobile app in order to determine the identities of the third-parties collecting data (along the lines of the FTC’s 2nd Report on mobile apps for kids), (2) further analysis of network traffic, including an examination of encrypted communications commonly used by ad networks and social networks, to determine the natural of the data, (3) an investigation of local device storage to determine what data is being tracked by third-parties locally, and (3) a functional review of the website or application in order to identify which categories of data collection are fairly categorized as necessary for the operation or maintenance of the site or app.
Strategic Decisions: Keep Data Collection, Remove It or Obtain Consent. Once COPPA-covered data collection is identified, compliance staff and development teams need to decide what features or data collection are not covered and require no change, which should be removed, and which should remain, but with parental consent.