The Federal Trade Commission announced this month proposed changes to FTC regulations that would require many website operators to significantly change their policies and practices for handling information collected from children under 13.  In its notice of proposed rule and request for comment (officially summarized here), the FTC concludes a review initiated in April of 2010 by summarizing comments received through submissions and a public roundtable and setting forth proposed changes to regulations that have been in place for more than ten years.  Public comments on these proposed changes are due by November 28, 2011.

The Children’s Online Privacy Protection Act (COPPA or Act) was enacted by Congress in 1998 in an effort to proscribe unfair or deceptive acts relating to the collection of information from children on the Internet.  COPPA delineates general provisions for website operators to follow in requesting, using, and disclosing personal information of children under 13.  Under the Act, the Federal Trade Commission (FTC or Commission) has the authority to adopt, implement, and enforce regulations to ensure compliance.  In 1999, the FTC issued the Children’s Online Privacy Protection Final Rule pursuant to COPPA, and the Rule came into effect in April 2000.  The Rule attempts to balance preserving the Internet as a medium accessible to children against COPPA’s aim of protecting children online.

The FTC’s Rule implementing the COPPA statute has remained largely unchanged since its implementation.  But now the FTC has concluded that recent developments in technology and marketing practices call for significant changes to required practices of website operators. 

First, the FTC proposes to expand the “personal information” subject to regulation upon collection to include geolocation information, screen or user names, and additional types of persistent identifiers used in tracking the user behavior of children, such as Internet Protocol addresses and unique device identifiers.  Persistent identifiers would only be considered “personal information” when they are used for purposes other than supporting internal operations of the website.  Further, the proposed rule introduces a new “catch-all” category of personal information, covering identifiers that link activities of children across websites or online services. 

Second, the proposed rule would significantly change the mechanisms for obtaining verifiable parental consent before collecting children’s information.  One such change eliminates the “email plus” method of consent.  This method, on which many site operators rely, allows operators who collect children’s personal information only for internal use to obtain parental consent by email so long as an additional verification step is taken.  The proposed rule would also add several new mechanisms, including consent by video-conference and consent by electronic scanned signature.  The Commission further proposes a notice-and-comment approval process to determine other methods of verifiable parental consent, whereby applicants can seek public comment on a proposed method of consent before the FTC decides whether to adopt that consent mechanism.  This is one of the main issues on which the FTC seeks public comment.

Third, the FTC proposes adding security and confidentiality measures.  Operators of sites that collect children’s information would be required to ensure that any third parties receiving user information have reasonable security measures in place.  Further, a new data retention and deletion provision would ensure that collected information is only retained for as long as reasonably necessary, and is thereafter deleted.  Finally, the Commission proposes strengthening safe-harbor programs by incorporating initial audits and annual reviews.

The proposed rule also contains changes that could streamline or clarify existing requirements.  For example, the FTC proposes that an operator be treated as collecting information from children if it prompts or encourages the child to submit personal information online.  Furthermore, the FTC proposes defining the term “release of personal information.”  Although the term is currently included in the definition of “disclosures,” the Commission finds that a separate definition would provide greater clarity to the regulations, as the term is used outside the “disclosure” context as well.  Finally, the proposed rule seeks to streamline the Rule’s lengthy requirements regarding an operator’s privacy policy, substituting a simple statement explaining what information is collected from children, how the information is used, and whether and how the information is disclosed.  The Commission also proposes a new provision that lists the requirements for direct notice when an operator collects parental information from a child for purposes of providing notice to the parent about the website’s collection, use, and disclosure practices.

The FTC also decided against making certain other significant changes, but indicated that it would revisit these possibilities at a later time.  One such consideration involves implementing privacy protections for teenagers, who are not currently covered by COPPA.  Although several commenters suggested extending the Act and Rule to all children under 18, the FTC ultimately decided not to change the definition of “child” within the context of COPPA.  However, the FTC is considering new privacy rules or guidelines to address online privacy issues specific to teenagers.  See A Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers, 36-36 (Dec. 1, 2010), available HERE; Protecting Youths in an Online World, supra, note 18, at 14-15. 

The proposed amended FTC rule, if implemented, will greatly impact the requirements imposed on website operators who collect information from children.  The public comment period provides supporters and opponents with one more opportunity to provide insight into the FTC’s recommendations.