Today, the Federal Trade Commission (FTC) announced proposed revisions to the Children’s Online Privacy Protection Rule. See Federal Register Notice. The FTC is requesting comments on these proposed changes by November 28, 2011.
The Children’s Online Privacy Protection Act (COPPA) was enacted by Congress in 1998, and is enforced by the FTC through its Rule. COPPA protects the privacy of personal information of children under the age of 13, in general by preventing the collection of personal information from such children unless a parent has given prior consent. The FTC has been fairly active, especially of late, in pursuing alleged COPPA violations. The FTC announced its review of the Rule in 2010, in order to determine what revisions should be made to the COPPA Rule given changing technology.
Below are highlights of the major proposed changes.
One of the biggest proposed revisions is over the scope of the definition of “personal information.” The FTC proposes that “personal information” be expanded to include screen names and persistent identifiers when such information is used for any purpose other than internal site operations. Thus, for example, the use of a persistent identifier to provide behavioral advertising would constitute collection of personal information. The FTC also proposes that photographs, video, and audio files containing a child’s image or voice, as well as a child’s geolocation data, be deemed “personal information.”
The FTC’s proposed changes would also clarify that sites that allow children to chat interactively are not “collecting” information if the sites have reasonable measures in place to delete all or virtually all personal information from a child’s posts before they are made public.
Further, the proposed revisions make clear that the FTC believes that mobile applications, and texting that makes use of the internet, are “online services” within COPPA’s reach.
Parental Notice & Consent
Another major proposed change concerns how parents can give their consent to a site’s collection of their child’s personal information. The FTC proposes that parents can now consent through video conferencing or by sending scanned versions of signed consent forms. The FTC also proposes that sites may use government issued identification numbers—such as a driver’s license—to confirm a parent’s consent, if the sites then delete the information. Further, the FTC proposes a process by which businesses may seek approval from the Commission for new forms of parental consent. One old method of parental consent available in limited situations in the past—the so-called “email plus”—would no longer be acceptable under the FTC’s proposal.
Additionally, the FTC proposes a more streamlined direct notice to parents of a site’s information collection practices. The FTC hopes this notice will enable parents to find the information they need quickly and without always needing to read lengthy privacy policies.
Confidentiality & Security Requirements
The FTC’s proposed revisions would require that sites take reasonable measures to ensure that third parties with whom they share children’s personal information—such as service providers and others—have in place reasonable procedures protecting the confidentiality, security, and integrity of such shared personal information.
Safe Harbor Programs
The proposed revisions give safe harbor programs more freedom, while also subjecting them to more oversight. For example, the FTC’s proposed revisions would allow safe harbor programs to approve new forms of parental consent. At the same time, the FTC’s proposed revisions would require that safe harbor programs conduct periodic audits of their members and provide reports to the FTC.