The Federal Trade Commission ("FTC") has proposed new revisions to the federal scheme for regulating children’s online and mobile privacy, known as the Children's Online Privacy Protection Act ("COPPA"). The proposed revisions would ease some burdens for publishers and advertisers, but continue to call for greater levels of verified consent than is currently required from parents before such entities could collect certain information from children under 13 years old. Of particular interest is a new proposal to add the concept of a mixed audience site, which would give more flexibility to family-friendly site operators that want to treat children and adults on the same site differently. However, for sites that do not intend to target children, but nevertheless have a user population that includes children under 13 in an amount that is disproportionately large when compared to the amount of such children in the general population, the proposed regulations would impose liability on operators if they fail to age screen and apply COPPA protection to children on the site. The proposed new regulations would essentially require those sites to age screen and protect young children. In addition, the FTC continues to propose to sunset the widely used e-Mail Plus method of parental verification for collection of personal information for company internal uses, to tighten exceptions to parental consent requirements, and to expand the scope of the definition of personal information to include items such as photos, which will make compliance more burdensome. It also seeks to hold responsible both site operators and third party service operators, such as ad networks, for third party data collection on a site. The FTC has invited public comments on its proposals.
The FTC had previously issued, in September 2011, a notice of proposed rulemaking for revisions to its implementation of the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501-06, in part to address mobile and new technology, and asked for public comments. Over 350 public comments were filed in response, which the FTC has been considering since December of last year. On August 1, 2012, the Commission published a Supplemental Notice of Proposed Rulemaking in which it changed several aspects of its proposed revisions to the COPPA Rule, and invited new public comments until September 10, 2012.
The underlying intent of COPPA is to provide reasonable and practical safeguards to foster efforts to protect young children from being contacted online absent parental consent. The hundreds of comments to the FTC’s proposed rule revisions make it clear that opinions differ as to how to strike a proper balance between protecting children, recognizing the practicalities and challenges of operating within an online or mobile environment, and the importance and benefits of the Internet, mobile media and e-commerce to consumers, including children. While the FTC’s response to these comments indicate a likely willingness to make some accommodation to the industry, many of the Commission’s proposed changes are likely to be deemed by publishers and advertisers as ill-conceived, not supported by any evidence of harm that is in need of redress, and likely to create an undue burden on industry that may result in reduced online offerings made available to children.
The Commission Raises New Issues
In its supplemental filing, the Commission raises new issues by asking the following questions, and inviting comment on them:
- Who should be responsible for third party data collection via a site or service? The FTC is considering changes to how it defines "operator" of a "website or online service directed to children." It addresses the question of when an operator of a site or service directed to children should be deemed to be responsible for the data collection practices of third parties on or using its site or service, (such as ad networks, social networking services that have “share” buttons on others’ sites, and downloadable software providers). Currently, an operator of a site or service directed to children under 13 that both collects information and maintains ownership, control and access to it, would be responsible for COPPA compliance (such as obtaining verified parental consent before collecting personal information). Merely, serving as the host conduit of a third party’s collection is not, however, currently covered. The FTC proposes to hold both the third party collecting personal information and the site operator allowing such collection by third parties responsible, but with different standards of responsibility. The new proposal would require children's site operators to ensure that third parties that interact with their site or service are not collecting personal information from children under 13 absent verified parental consent. Other proposed changes would require the operator to post notice of who such third parties are and how to contact them. A failure would result in strict liability for these operators, regardless of knowledge. Those third parties that collect personal information on sites or services operated by others will also be responsible for ensuring COPPA compliance with respect to their activities on children's sites, or portions of sites directed to children, but only if they "know or have reason to know" that they are interacting with a site or service directed to children. Thus, new levels of institutional diligence may be required under the proposed new rules.
- Should sites and services for both children and adults be able to age screen users and treat only those that self-identify as under 13 as children? The FTC is considering changing the definition of “website or online service directed to children” to, in effect, permit mixed audience sites (those "with child-oriented content appealing to a mixed audience, where children under 13 are likely to be an over-represented group") to apply the COPPA-mandated protections only to children under 13. A significant benefit of the new proposal is that if a mixed audience site operator screens its users it can treat those that self-identify as 13 or over as adults, so long as it prevents the collection, use, or disclosure of personal information from users who identify as under age 13 without first obtaining verifiable parental consent. This would help sites that invite children under 13 to participate or operate family friendly sites that cater to both children and parents. Indeed, this approach was advocated by the Walt Disney Company in its 2011 comments.
The change, however, could impose new requirements on sites that do not age screen, even if children are not the primary audience, if the percentage of users under 13 is greater than that in the general population. This would be a move away from holding general audience sites to an actual knowledge standard of liability. It would also expand the universe of sites deemed directed to children by adopting a mathematical test for determining when a site that has content attractive to children even if children are not the primary targeted audience, is to be deemed a site “directed to children.” In its prior September 2011 proposal the FTC had rejected such a mathematical test, noting that site audience statistics were unreliable. Under the new proposals, the FTC invites comments on the mixed audience proposal, and how it could be practically implemented. One issue will likely be how to deal with multiple users of a family computer.
- When should parental consent be required to associate “persistent identifiers“ with users? The FTC is poised to modify its pending proposal to treat persistent identifiers used to recognize a user over time or across sites as personal information (e.g., an IP address, mobile device identifier, or other identifier associating a computer with a cookie). It now proposes to exclude from the scope of the new regulations those persistent identifiers used only for certain internal activities (site maintenance and analysis, authentication of users, setting of user preferences, severing contextual advertisements, protecting against fraud, and responding to certain requests of users), so long as the information is not used to contact a specific individual. These proposed changes seek to clarify the uses of such persistent identifiers that will not require parental consent even when the identifier is collected on a site or service directed to children, or is knowingly collected from a child. The Commission still needs to explain the distinction it attempts to draw between “contextual” advertising (permissible without prior parental consent) and “behavioral” advertising (impermissible without prior verified parental consent). Unless the FTC explains how it interprets the difference between the terms for COPPA purposes, publishers and advertisers will not know how to comply. In addition, the list of internal uses is written as an exclusive set of permitted uses, not as mere example, and thus may not be broad enough.
- When should parental consent be required to associate screen names or user names with children? The Commission suggests that it will modify its proposal to treat user names and screen names as personal information requiring verified parental consent to collect, but only if that identifier is associated with a functionality that permits the person to be contacted online (e.g., it functions as an instant message or e-mail address). This would give some relief to operators who use user names for internal administrative purposes, to operators of a service accessible by multiple platforms and devices, and to operators of a family of sites or applications.
The FTC Did Not Revisit Various Controversial COPPA Rule Changes It Previously Proposed
While some of these newly proposed changes are positive for digital advertisers, website and mobile app publishers and other online service operators, the fact that the FTC did not suggest it was considering other changes to its prior proposals hints that these new proposals may be the only material changes to its proposed rule revisions under consideration. If no other changes are likely, then advertisers and operators may soon be subject to more burdensome requirements than they presently have. As an example, the FTC’s proposals, if not further modified, would terminate the ability of operators to use E-Mail Plus to obtain parental consent; terminate the current one-time use exceptions for prize fulfillment for sweepstakes and contest promotions and for send-to-friend e-card promotions; require an online notice by a site or service operator to list all operators collecting personal information via the site or service rather than listing a single responsible operator; and expand the definition of personal information for which verified parental consent is required to collect to include persistent identifiers and screen names (subject to the new proposed exceptions discussed above); geo-location data; photos, videos and audio files; and potentially a combination of date of birth, gender and ZIP code and/or Zip+4 alone. The methods for obtaining parental consent would also likely become much more burdensome.
The Commission stated that it "continues to consider comments submitted in response to its [September 2011 proposed rulemaking]" and is seeking comments on "various aspects of the proposed Rule," particularly, but not exclusively, the specific questions newly posed and the additional revisions newly proposed. Thus, interested parties may want to take this new comment opportunity to submit to the FTC their comments on the new proposals and also to reinforce views as to the prior proposed changes.