The FTC staff has issued guidance on its January 2013 updates to the Children’s Online Privacy Protection Act (COPPA) regulations (COPPA Rule), which go into effect in July. COPPA prohibits collection of certain data from children under 13, absent certain exceptions, by the operator of an online or mobile site or service without giving certain required notices to verified parents and obtaining their verified consent. Different standards apply to operators that are directed to children, adults or both. These “Frequently Asked Questions” or “FAQs” provide some basic instruction to businesses on how to avoid non-compliance. Unfortunately, the staff dodged the more vexing issues, such as what a general audience site or service that has behavioral advertising actually needs to do if it becomes aware that a user is a child or is coming from a site or portion of a site directed to children. For instance, must a merchant that has a children’s section of its site where it identified certain users by their device identifier as children (e.g., there is a kids club for which children register) drop a cookie on those children to prevent them from receiving targeted ads if they visit portions of the site intended for adults (e.g., e-commerce pages)? Rather, the FTC merely reiterated that once a general audience operator obtains knowledge that it has a child user, it must immediately act to comply with COPPA with regard to that child user. The FAQs do, however, provide helpful tips on other issues and explain the basics of the new COPPA Rule in an easy-to-read question-and-answer format.
Although taking a middle ground between what the FTC had originally proposed and what industry was advocating, the new COPPA Rule radically changes the privacy rules applicable to companies operating online and mobile services, such as making persistent identifiers (e.g., IP address and photo/video/audio files) personal information that cannot be collected from children, unless certain exceptions are met, absent prior verified parental consent and banning behavioral advertising to children. A detailed discussion of what has changed between the old and new COPPA Rule is set forth here: http://digilaw.edwardswildman.com/blog.aspx?entry=4485. Despite pages of commentary from the FTC preceding the new COPPA Rule explaining why the Commission accepted or rejected various public comments that had been made and decided upon the changes it did (see: http://www.ftc.gov/os/fedreg/2013/01/130117coppa.pdf), many questions remained as to how to interpret and apply the new COPPA Rule. Companies should look to the FAQs, and consult legal counsel that has studied the issues, to ensure they are in compliance by July, as the FTC has a history of vigorously enforcing COPPA and settlements are typically in the six- and seven-figure range. See for example: http://digilaw.edwardswildman.com/blog.aspx?entry=4571 and http://digilaw.edwardswildman.com/blog.aspx?entry=3817.
The staff guidance in the FAQs, which is not binding on the Commission, includes:
- The new COPPA Rule makes general audience services that interact with sites and services directed to children, such as ad networks and social media share plug-ins, liable only if they have actual knowledge that they are interacting with a child-directed service. However, the staff warns: “If, however, you or one of your authorized representatives recognizes, through independent evidence, the child-directed nature of a site or service through which you are collecting personal information, you will be held to have acquired actual knowledge.” FAQ #39. The staff goes on to explain that if a general audience site or service obtains information that a user is under 13, such as through a contact us or customer service inquiry or in a post on a monitored message board, it may respond to an inquiry on a one-time basis, but must take prompt action to delete personal information and stop its collection. The staff explained that under such and other circumstances, an operator may obtain “actual knowledge that you have collected personal information from a child (e.g., if you had previously collected the child’s email address as part of a Web site registration process [and then your customer service group later receives an e-mail from that registered user indicating she is a child]).” The staff explains that immediate action would then be required to comply with COPPA -- obtain consent or destroy and prevent further collection. FAQs # 55, 56 and 83. This creates a substantial challenge for general audience sites, particularly those that engage in behavioral advertising, but the staff fails to explain what sites or services need to do in this situation when they discover a user is a child. The burden of compliance, regardless of practicality, is on the operator.
- Although sites and services directed to children will be strictly liable if the vendors and networks they use to serve advertising engage in behavioral advertising or retargeting in connection with children absent verified parental consent, these sites are advised to obtain contractual commitments that they will provide only contextual advertising and not behavioral advertising or retargeting. FAQ #41. The staff also advises these sites to “conduct an inquiry into the information collection practices of every third party” that can collect information through your app or site and ensure their compliance. FAQ # 42. They also clarified that using persistent identifiers to “personalize” ads is not “support for internal operation” that does not require consent. FAQ # 79.
- The staff approves of allowing parents who have been verified using one of the approved exacting methods (e.g., credit card transaction, government id verification, etc.) to address future consents (e.g., for changes and updates), and to be verified for parental access to their child’s data, by means of a password or PIN number. FAQ #64. In addition, using a cell number for future communication via text with a previously verified parent is an acceptable means of subsequent parental communication (but not for verified consent, absent more). FAQ # 67.
- The staff reiterates that, despite the initial proposed rule change, the final rule retains the one-time use exception for contest, sweepstakes and e-cards / send-to-friend promotions (if properly operated). FAQ # 72 and 74. Not commented on, but also retained in the new COPPA Rule, is the ability to use the less exacting method known as “e-mail plus” for consent to collection for internal purposes.
- Persistent identifiers of children (e.g., IP address and mobile device ids) can only be shared with analytics vendors of sites and services directed to children, or general audience operators that know the user is a child, if the vendor does not use them, or other personal information, for purposes other than for the operator’s own internal operations. FAQ # 78. Since many analytics vendor agreements permit use of data for the vendor’s own purposes as long as the site or service is not specifically identified as the source, such practices might violate COPPA and operators should revisit these contracts to limit data use so as to comply with the new COPPA Rule.
- App store account numbers and passwords, though associated with a credit card, are not, alone, an acceptable method of verifying a user is a parent. FAQ #66.
- Counsel on how to treat children’s personal information that was collected under prior rules that have changed. For geolocation data, verified parental consent must be obtained prior to July to keep the data. However, photos and videos of children and audio files of children’s voices, collected from children prior to July, may continue to be used without parental consent (but the staff urges consent as a best practice). Persistent identifiers collected prior to July without parental consent may be retained, but they cannot continue to be used in a way that would require parental consent under the new COPPA Rule unless that consent is obtained. FAQ #4.
- Children’s sites and services may avoid the parental consent requirement for photos and videos if they can effectively pre-screen them to prevent submission of any that include recognizable images of any child (e.g., toys or animals only or blurring of kids) and ensure no geolocation or persistent identifier metadata is included with the file. FAQ # 43, 44 and 45. General audience sites only have this burden if they know the submitting party is a child and not an adult. FAQ #46. Children may upload pictures of kids without parental consent if the picture remains on the device (e.g., in app) and is not transmitted. FAQ # 47.
- To ensure that vendors are employing reasonable security to protect user data, operators should expressly require them to do so by contract and engage in periodic monitoring or other reasonable measures to ensure their compliance. FAQ # 82.
- An explanation of the changes to what must be included in parental notices. FAQ # 32 and 33.
- Existing privacy policies should be updated prior to July to reflect expansion of the definition of personal information if applicable to collection practices and otherwise to reflect rule changes. FAQ # 25.
- Children’s Privacy Policies must be clear, complete and may not include promotional statements or materials. FAQ #24.
- Guidance regarding when an operator can rely on an educational institution to provide consent as if it were the parent and what schools need to consider when allowing sites and apps access to students. FAQ # 86, 87 and 89.
- Although the COPPA Rule does not generally apply to non-profits, the FTC does apply it to nonprofits that operate for the profit of their commercial members (e.g., trade groups). FAQ #19.
- A reminder that civil penalties for non-compliance can be calculated at up to $16,000 per violation, with a link to recent six- and seven-figure settlements with companies. FAQ # 16.
The new COPPA Rule changes are complex and they expand the net as to what data and which operators are covered and when. Operators of online and mobile services need to closely look at COPPA compliance issues and implement necessary changes to their practices and policies before July. Edwards Wildman’s Advertising, Digital Media & e-Commerce practice group has been deeply involved in the COPPA Rule revisions process, including advocating the positions of trade associations to the FTC during and after the rule making process, and regularly advises clients on COPPA compliance. For more information, contact the author and see:
FTC Press release: http://www.ftc.gov/opa/2013/04/coppa.shtm
New COPPA Rule and Commentary: http://www.ftc.gov/os/fedreg/2013/01/130117coppa.pdf