We previously discussed the Federal Trade Commission's ("FTC") proposed consumer data privacy framework.1 Additionally, on September 15, 2011 the FTC released for public comment proposed amendments (the "FTC Proposal")2 to the Children's Online Privacy Protection Rule (the "COPPA Rule"),3 which was promulgated by the FTC under the Children's Online Privacy Protection Act ("COPPA").4 The FTC Proposal is intended to address "changes in online technology, including in the mobile marketplace, and, where appropriate, to streamline" the COPPA Rule.5 The FTC proposes modifying certain COPPA Rule definitions, including the definition of "personal information," as well as the parental consent and notice mechanism, confidentiality and security, and safe harbor provisions. In addition, the FTC Proposal includes a new provision regarding data retention and deletion.
Changes to the Definitions
Among the proposed changes to the definitions, particularly noteworthy is the expanded definition of "personal information"6 which, if implemented, would include: (1) screen or user names that are used for functions other than or in addition to support for the internal operations of the website or online service;7 (2) persistent identifiers, including but not limited to Internet Protocol addresses, and processor or device serial numbers or unique device identifiers, where such identifiers are used for functions other than or in addition to support for the internal operations of the website or online service;8 (3) identifiers that link the activities of a child9 across different websites or online services;10 (4) photograph, video or audio files that contain a child's image or voice;11 and (5) geo-location information sufficient to identify street name and name of a city or town.12 The FTC Proposal states that the new language would allow operators to use persistent identifiers to support the site's internal operations, meaning for purposes such as user authentication, improving site navigation, maintaining user preferences, serving contextual advertisements, and protecting against security or integrity threats.13 The new language, however, would require prior parental notification and consent where such identifiers would be used for purposes such as tracking a child's online activities or targeting advertising to the child.14 This change is not surprising considering the FTC's privacy concerns about behavioral advertising.15 The Proposal would also consider photographs, video files and audio files as personal information even if they are not explicitly combined with "other information such that the combination permits physical or online contacting," as delineated in the current COPPA Rule.16 The FTC reasons, for example, that facial recognition technology may be used to identify children in photographs, which in turn may facilitate physical or online contact with the child.17 In addition, a photograph could contain embedded geolocation data, which would also aid a person in contacting the child.18
Collectively, these changes would directly affect social media sites and applications that run on social media platforms because they often rely on such information. Companies that use or collect online tracking information for behavioral advertising and other purposes would also be directly impacted and forced to alter their conduct. The FTC Proposal would also expand the definition of "online contact information" from "email addresses or any other substantially similar identifiers that permits direct contact with a person online" to clarify that the list of proposed identifiers is non-exhaustive and include: (1) instant messaging user identifiers, voice over internet protocol (VOIP) identifiers and video chat user identifiers.19 Although it did not propose inclusion of each item in the definition of personal information, the FTC Proposal seeks public comment as to whether the combination of date of birth, gender and zip code information may permit the contacting of a specific individual such that the combination should be included in the definition of personal information.20 This request for comment is particularly relevant in light of the number of recent class actions that have been filed to challenge the permissibility of the online collection of zip code information together with credit card information.
Under COPPA, in order for operators to collect, use, or disclose personal information of children, they must first obtain "verifiable parental consent" which is defined as "any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure, described in the notice."23 The FTC Proposal adds new mechanisms for parental consent, including submitting electronically scanned signed parental consent forms, obtaining parental consent through video conferencing with the parent, and verifying a parent's government issued identification against databases of such information, provided that the operator permanently delete the parent's information from its records promptly after such verification is completed.24 The FTC Proposal additionally eliminates the existing "sliding scale" or "email plus"25 method of obtaining parental consent, explaining that the email plus method has impeded the development of new and more reliable methods of obtaining verifiable parental consent.26 The FTC Proposal would allow, however, safe harbor programs to allow its member operators to approve the use of a new parental consent mechanism not enumerated in the FTC Proposal upon a determination that such parental consent mechanism is "reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent."27 The FTC Proposal also adds a new exception to the notice and consent requirements, under which operators may collect from a child, without a parent's consent, a parent's online contact information and contact the parent to notify or update the parent about the child's participation in a website or online service that does not collect personal information about children.28
Confidentiality, Security and Data Retention Provisions
The FTC Proposal seeks to strengthen COPPA's confidentiality and security provisions by requiring operators to take "reasonable measures to ensure that any service provider or third party to whom they release children's personal information has in place reasonable procedures to protect the confidentiality, security, and integrity of such personal information."29 This concept of providing broader protection when data is passed from the initial collector to third parties is also present in some of the pending privacy legislation in the U.S.30 At present, the COPPA Rule is silent on third party data security obligations. If the FTC Proposal is implemented, companies who share information with third parties would be required to ensure that the third party has reasonable data security measures in place before disclosing information that is subject to COPPA to such third parties.
The FTC also proposes adding a data retention provision to the COPPA Rule that would limit operators' retention of data to "as long as is reasonably necessary to fulfill the purpose for which the information was collected."31 Currently, there are no rules regarding data retention.
Safe Harbor Programs
The FTC Proposal also includes substantive changes to COPPA's safe harbor program, pursuant to which members of an approved safe harbor program are deemed to be in compliance with the COPPA Rule.32 The FTC proposes to mandate that safe harbor programs conduct comprehensive annual audits of each of their members' practices regarding children's information in order to "improve the accountability and transparency" of FTC-approved COPPA safe harbor programs.33 The FTC Proposal would also require safe harbor program applicants to include in their application, "a detailed explanation of their business model and the technological capabilities and mechanisms they will use for initial and continuing assessment of subject operators' fitness for membership in the safe harbor program."34 The FTC Proposal would also require safe harbor programs to submit to the FTC, within one year of the effective date of the FTC Proposal's amendments and every eighteen months thereafter, reports containing the results of an independent audit and any disciplinary action taken against any member operator within the relevant reporting period.35 Safe harbor programs that were approved prior to the publication of the amended COPPA Rule would have to submit proposed modifications to their guidelines that would bring them into compliance with the new amendments within 60 days of publication of the amended COPPA Rule to avoid their approval being revoked by the FTC.36
Although it does not recommend that Congress expand COPPA to cover teenagers, the FTC Proposal notes that the FTC is exploring new privacy approaches that will ensure that teenagers benefit from stronger privacy protections than are currently generally available.37 The issue of raising the age limit defining what a "child" is from 13 to an older age is a thorny one, as any amendment could impact more general purpose websites that are intended to cater to adults, but which might knowingly be capturing the interest of a teenager. Any proposed change to this provision of the law would likely result in substantial legal and industry debate.
The FTC remains an active participant in the development of U.S. data privacy law. Comments to the FTC Proposal are due by November 28, 2011.