In September 2011 the Federal Trade Commission (“FTC” or “Commission”) issued a notice of proposed rulemaking for revisions to its implementation of the Children’s Online Privacy Protection Act (“COPPA” ), 15 U.S.C. §§ 6501-06, through the Children’s Online Privacy Protection Rule (“COPPA Rule”) 16 C.F.R. § 312 (1999), to in part address mobile and new technology, and asked for public comments. 76 FR Vol. 76, No. 187, 59804-59833 (September 27, 2011) (“NPR”). Over 350 public comments were filed in response, which the FTC has been considering since December last year. On August 1, 2012, the Comission published a Supplemental Notice of Proposed Rulemaking [enable link] (http://www.ftc.gov/os/2012/08/120801copparule.pdf ) where it changed several aspects of its proposed revisions to the COPPA Rule and will be allowing new public comments until September 10, 2012.
The underlying intent of COPPA is to provide reasonable and practical safeguards to foster efforts to protect young children from being contacted online absent parental consent. The hundreds of comments to the FTC’s proposed rule revisions make it clear that opinions differ as to how to strike a proper balance between protecting children and recognizing the practicalities and challenges of operating within an online or mobile environment and the importance and benefits of the Internet, mobile media and e-commerce to the consumers of the United States, including children. While the FTC’s response to these comments indicate a likely willingness to make some accomodations to industry based on comments made, many of the Commission’s remaining proposed changes are likely to be deemed by publishers and advertisers as ill-conceived, not supported by any evidence of harm that is in need of redress and likely to create an undue burden on industry that may result in reduced online offerings made available to children.
In its supplemental filing, the Commission asks:
- how should it define "operator" and "website or online service directed to children", in particular with respect to when an operator of a site or service directed to children should be deemed to be responsible for the data collection practices of third parties on or via its site or service, such as ad networks, third party social networking services and downloadable software providers. Currently, an operator of a site or service directed to children under 13 that both collects the information, and also maintains ownership, control and access to it, would be responsible for COPPA compliance (such as obtaining verified parental consent before collecting personal information). Facilating a third party’s collection is not covered. The FTC proposes to revise the definitions to hold both the third party collecting personal information and the site operator allowing such collection by third parties responsible, but with different standards of care. Children's site operators are now proposed to be required to ensure that advertisers, ad networks, ad exchanges, software kit and patch providers, widget and application publishers and others that interact with their site or service are not collecting personal information from children under 13 absent verified parental consent. In addition, if other proposed changes go into effect, the opertor will be required to post notice of who all such third parties are and how to contact them. It is important to note that a failure results in strict liability for these operators, regardless of knowledge. Conversely, those third parties that collect personal information on sites or services operated by others will also be responsible for ensuring COPPA compliance, with respect to their activities on children's sites, or portions of sites directed to children, but only if they "know or have reason to know" that they are interacting with a site or service directed to children. This is not a strict liability standard, but rather applies a knowledge or wilfull blindness standard. While the FTC says this will not impose a duty to investigate or monitor what sites and services these third parties' services are integrated into, "they will not be free to ignore credible information brought to their attention" and that the change "requires a person to draw a reasonable inference from the information he does have." Effectively, given what sales and operational staff may know about the sites and services these third parties integrate into, this standard would seem to require some level of instiutional diligence by these parties as to where they are being integrated. The FTC specifically asks for comments on whether the standard is appropriate or should be clarified, broadened or narrowed. Since persistent identifiers are proposed to become personal information requiring verfied parental consent prior to collection for certain uses such as to track behavior and send behavioral advertising, this change and the exact standard to be applied should be of particular concern to the online and mobile advertising industry and other third parties that interact with sites, apps and online services they do not control. These companies would be better off with an actual knowledge standard, the standard under the COPPA Rule that is applied to general audience web sites that are not directed to children, but on which children might be present.
- if it should permit mixed audience sites, those "with child-oriented content appealing to a mixed audiance, where children under 13 are likely to be an over-represented group," to age screen users and apply the COPPA-mandated protections only to children under 13, as opposed to all users of the site. This would help sites like Facebook, and some channels on YouTube, specifically invite children under 13 to participate and for companies like Disney to more easily operate family friendly sites that cater to both children and parents. Indeed, this approach was advocated by the Walt Disney Company in its 2011 comments. The current COPPA Rule requires operators of sites, or portions of sites, directed to children to treat all users as children. A significant benefit of the new proposal is that if a mixed audience site operator, or a third party integrated into such a site such as a social media plug-in or an online behavioral ad network or exchange, age screens its users it can treat those that self-identify as 13 or over as adults. Those older users could then be offered chat and social networking services, and their behavior could be tracked to serve them with ads based on their online behavior. The FTC invites comments on how this could be practically implemented, and one seemingly obvious issue is how to deal with multiple users of a family computer. Dropping a cookie on the computer or blocking its IP address to designate a child, would also result in other family members beng similarly treated. A solution could be individual uers accounts for site users, but many sites are open to unregistered users and for those identification issues will need to be solved. One winner if this change goes into effect is Facebook, which has announced a desire to open its site up to young children who are now tychically not permitted to register for the site.
- if it should modify its proposal to treat persistent identifiers (e.g., IP address, mobile device identifier, an identifier associating a computer with a cookie) used to recognize a user over time or across sites as personal information (which would require verified parental consent to collect from children), to better clarify that the "support for internal operations" exception explicitly excludes from coverage the use of persistent identifiers only for internal activities now specifically identified as site maintenance and analysis, performing network communications, authenticating users, setting and maintaining user preferences, severing contextual advertisements (but not for serving behaviorally targeted ads), protecting against fraud, and responding to certain requests of users, so long as the information is not used to contact a specific individual. The FTC's original proposed changes were, it stated, intended to require verified parental consent for using persistent identifiers "for purposes such as amassing data on a child's online activities or behaviorally targeting advertising to the child". It was not clear what would amount to the prohibited amassing of data, as opposed to permitted internal uses. These proposed changes seek to clarify what types of use of persistent identifiers are and are not permitted when they are collected on a site directed to children or knowingly from a child. Most operators will likely conclude that the FTC has not gone far enough. Persentent identifiers identify devices not individuals and the primary purpose of COPPA --to prevent the contacting of children absent parental consent-- could be met by treating persistent identifiers as personal information only if they are used to contact a child. In otherwords, to regulate the use not collection of them. The FTC noted comments urging this approach, but has chosen to disregard them. Also, the Commission failed to respond to comments pointing out that it attempts to draw a line between “contextual” and “behavioral” advertising, with identifiers used for “contextual” advertising being permissible while identifiers for “behavioral” advertising requiring prior verified parental consent, but that it fails to define the terms. This seems like a distinction without a difference, as all “contextual” ads depend upon some action taken by the computer user (e.g., entering a search string, viewing certain content, engaging in certain activities) - this sounds an awful lot like “behavioral” advertising and the FTC still does not explain how it interprets the difference between the terms. The FTC should further expand the definition of support for internal operations to explain where it draws the line between contextual and behavioral advertising and, many operators are likely to also seek to permit use of identifiers for coordinating operations by a single operator over multiple platforms and between affilied websites and online services, an approach the FTC appears now willing to accept for screen names as discussed below.
- if it should modify its proposal to treat user names and screen names as personal information that requires verified parental consent to collect only if that identifier is associated with functionality that permits the person to be contacted online (i.e., it functions as an instant message or e-mail address). This would give some relief to operators who use user names for certain internal administrative purposes and for operators of a service accessible by multiple platforms and devices and operators of a family of sites or applications.
While some of these proposed changes to what the FTC originally proposed in September 2011 are positive for digital advertisers, website and mobile app publishers and other online service operators, the fact that the FTC did not suggest it was considering other changes to its proposals suggests that these might be the only material changes under consideration. Indeed, the Commission stated: "Because these changes diverge from those proposed in the September 2011 proposal, the Commission has determined they warrant additional public comment prior to finalizing the Rule." If no other changes are likely, advertisers and operators may soon be subject to much more burdensome requirements. As an example, the FTC’s proposals, if not further modified, would terminate the ability of operators to use E-Mail Plus to obtain parental consent; terminate the current one-time use exceptions for prize fulfillment for sweepstakes and contest promotions and for send-to-friend e-card promotions; require an online notice by a site or service operator to list all operators collecting personal information via the site or service rather than listing a single responsible operator; and expand the definition of personal information for which verified parental consent is required to collect to include not only persistent identifiers and screen names (subject to the new proposed exceptions discussed above), but also geo-location data; photos, videos and audio files; and potentially a combination of date of birth, gender and ZIP code and/or Zip+4 alone. The methods for parental consent are proposed to become much more burdensome, with the current so-called E-Mail Plus system of getting parental consent for purely internal purposes (i.e., the information is not shared with third parties) through an exchange of e-mails and some additional step to confirm that the person is a parent (that is less verified than would otherwise be required) set to go away. The FTC failed to point to any evidence of harm to children to support these changes, and in the case of sunsetting E-Mail Plus stated that it was doing to to spur innovation of new and better parental notification and consent mechanisms, a purpose that many in industry have complained is improper and unfairly burdens them despite an absense of any suggestion that a harm is being avoided.
While the proposed expansion of the use of persistent identifiers for certain now narrowly defined internal purposes, and the proposal to let mixed audience sites age screen and apply COPPA requirements only to those that self-identify as under 13, will provide some assistance to operators, the loss of E-Mail Plus and other proposed changes will require significant operational changes by many and may result in a decrease in Internet and mobile content for children. However, the Commission also stated that it "continues to consider comments submitted in response to its [September 2011 proposed rulemaking]" and is seeking comments on "various aspects of the proposed Rule", particularly but not exclusively the specific questions newly posed and revisions newly proposed. Thus, advertisers and operators may want to take this new comment opportunity to not only comment on the new proposals, but to also reinforce why other proposed changes are not prudent. Certainly, companies that would be affected by the new proposals should timely file comments.