This month, the Federal Trade Commission (FTC) announced that it is seeking comments on its proposed changes to the Children’s Online Privacy Protection Rule (the “COPPA Rule” or the “Rule”), which was implemented to enforce the Children’s Online Privacy Protection Act. As background, COPPA became effective in April 2000. It applies to websites and online services that are directed to children under the age of 13, as well as those that knowingly collect information from children (collectively, “covered websites”). Primarily, the Rule requires a covered website to provide notice to parents about its information collection practices, as well as obtain verifiable parental consent prior to collecting personal information from children. It also requires privacy policies that fully explain how information will be used.
As a result of rapid changes to online technologies that far exceed the pace with which children mature, the FTC feels that COPPA must evolve to better protect their interests. In the words of FTC Chairman Jon Leibowitz, “kids are often tech savvy but judgment poor.” Therefore, the FTC has proposed five major changes, which are detailed below:
The FTC has proposed changes to the definitions of “collects or collection,” “online contact information,” “personal information,” “support for the internal operations of the website or online service,” and “website or online service directed to children.” While the proposed changes to the majority of these definitions primarily clarify the definitions to help covered entities to better understand the FTC’s purpose, the proposed change to the definition of “personal information” is slightly more substantial.
The definition of “personal information” may be expanded to include screen names, persistent identifiers, photographs, videos and audio files. Screen names and persistent identifiers (i.e., codes and cookies that recognize specific IP addresses) would be considered personal information where they are used to identify children in ways other than, or in addition to internal website purposes. Screen names were added because they can track users across multiple websites and, at times, direct to a specific individual regardless of whether the screen name contains an e-mail address or uniquely identifying information. Persistent identifiers were also noted as being able to direct to a specific individual. For example, screen names and persistent identifiers often follow users across the Internet. Screen names do this based on a user’s choice and through websites that are linked to one another, while persistent identifiers often track website users across the Internet without the user’s knowledge. Due to this tracking and ability to identify a specific individual, the FTC proposes adding these to the definition of personal information. As an additional measure to avoid tracking children, photographs, videos and audio files may also be included due to the metadata that they store. For example, geolocation data is often transmitted with photographs, videos and audio files, which can easily identify the location of a child.
- Parental Notice Requirements
The COPPA Rule requires both online and direct notices to parents regarding the use of their child’s information on covered websites. With respect to online notice, in addition to requiring more prominent, clearly labeled links to data use and disclosure notices (i.e., privacy policies) on a website’s home page and where information is collected, the proposed changes also simplify the Rule’s requirements regarding the content of privacy policies.
With respect to the content, the proposed Rule has three major changes. First, it would require contact information for all operators of covered websites, not just a central point of contact for the operator of the host website. For example, where a website or mobile application also hosts advertising content from third parties and those third parties can collect user information, the third party operator would have to be identified and contact information would have to be provided. Second, the Rule clarifies the information it requires in privacy policies by shortening the list to only include (i) what information is collected, including whether or not it will be made publicly available, (ii) how the collected information is used, and (iii) the website operator’s disclosure practices. And third, the Rule would no longer require covered websites to include a provision in their privacy policies indicating that participation in activities on the websites is not conditioned on the “child’s disclosing more personal information than is reasonably necessary to participate in such activity,” although the Rule’s prohibition of such a condition will remain.
- Parental Consent
The COPPA Rule requires website operators to obtain verifiable parental consent prior to collecting personal information from children. Proposed additions to the current list of consent methods include electronic scans of signed parental consent forms, video conferences, and obtaining portions of government-issued identifications, provided that the identification information is deleted immediately after consent is verified. The proposed consent methods could take the place of the FTC’s current “e-mail plus” model, which permits operators to obtain consent by sending an email to parents, then using an additional step such as a phone call, letter, or a delayed e-mail confirmation provided after receiving the consent. Additionally, to help strengthen the parental consent procedures in place, the FTC proposes allowing operators using safe harbor guidelines to experiment with approved parental consent models and to submit parental consent models to the FTC for approval in the hopes of finding ones that will better ensure proper, verifiable parental consent.
- Confidentiality and Security
The COPPA Rule currently requires website operators to keep children’s personal information confidential and secure. The proposed changes include adding a requirement that operators provide more oversight of service providers and third parties to whom they disclose personal information to ensure that they have reasonable procedures to protect the information. Additionally, the proposed changes reinforce that operators should retain information only while the information is necessary, and then destroy it to prevent unauthorized access.
- Safe Harbor Provisions
The COPPA Rule also encourages industry groups to create their own COPPA programs, seek FTC approval, and help website operators to comply with the Rule by using the programs. These programs are referred to as “safe harbor programs.” Now, the FTC proposes changes to the safe harbor programs. First, it would require the industry groups seeking to create programs to verify their competence to create and oversee such programs. Second, it would require groups that run safe harbor programs to oversee its members. Third, it would require the groups to submit a periodic report to the FTC regarding the program. These changes are proposed in an attempt to make the programs more effective.
While the goal of the FTC’s proposed revisions is to catch the COPPA Rule up with evolving technologies, the changes also help to clarify the Rule and provide additional guidance to covered websites. All entities operating websites directed to children or websites that are used by children should be aware of the COPPA Rule, as well as the FTC’s proposed changes