The Federal Trade Commission (FTC) is continuing its efforts to revise the rule it put in place to enforce the provisions of the Children’s Online Privacy Protection Act (COPPA). COPPA applies to web sites targeted at children that collect personal information directly from children or to web sites where the operator has actual knowledge that children under 13 are providing their personal information to the site. COPPA requires that web site operators notify parents and obtain their consent before collecting personal information from children under 13.
In September 2011, the FTC released proposed revisions to the COPPA Rule. At that time, the FTC proposed changes to the definitions of “collects or collection,” “online contact information,” “personal information,” “support for the internal operations of the website or online service,” and “website or online service directed to children.” The revisions also addressed the parental notice requirements, confidentiality and security concerns, as well as safe harbor programs. The goal of the revisions was to address the rapid changes in online technologies, such as an increase in behavioral advertising and social media use. See our alert here discussing these revisions.
Most recently, in August 2012, the FTC proposed additional revisions to the Rule. In this latest round of revisions, the FTC has proposed additional modifications to the definition of “operator,” “personal information,” and “website or online services directed to children.” The recent revisions were made in the hopes of strengthening and clarifying the Rule. Many of these changes were in response to public comments concerned with third party “plug-ins” such as advertising networks or downloadable software kits where such plug-ins are able to collect information from website visitors with or without transmitting the information through the website operator.
Specifically, the latest FTC proposed revisions include changes to the definitions of several terms, including the following:
- The definition of “operator” is expanded to include both a plug-in (cookie) operator and the operator of the website. Therefore, both parties would be responsible for ensuring that a parent is provided with notice and choice and that the requirements of the Rule are met. Previously, only the cookie operator was responsible where it was believed that the information was collected from a website, but the website operator had no real access to the information.
- The definition of “personal information” was broadened in September to include persistent identifiers as well as screen or user names when those are not used to support internal operations. Now, the FTC suggests that such identifiers only fall within the definition of “personal information” where the screen name rises to the level of “online contact information.” For example, a screen or user name that is an email address or instant messenger code name would fall under the revised definition as it can be used to track children across multiple websites and devices. As the September revisions made clear that persistent identifiers were also considered personal information if they were used for purposes other than for support of internal operations, these latest revisions have also clarified “support for internal operations” to only include necessary website operations such as authentication, contextual advertising, security, request fulfillment, and the like.
- The definition of “website or online services directed to children” has been segmented into three subcategories to show a spectrum of websites, including (i) those specifically targeted to children; (ii) those who, “based on the overall content of the website or online service, [are] likely to attract children under age 13 as [the] primary audience; and (iii)those likely to attract a large percentage of children under 13 provided however that such site will not be included in the definition if it does not collect any personal information from users or it age screens and does not collect personal information from children under 13 without obtaining consent.
Comments to the latest proposed revisions are due to the FTC by September 24, 2012. We are continuing to monitor developments in this area and are awaiting the issuance of the final revised Rule.