On September 15, 2011, the Federal Trade Commission announced proposed revisions to the Children’s Online Privacy Protection Act Rule (“COPPA Rule” or “Rule”). The proposed revisions would modify the COPPA Rule in five areas:
- Parental Notice
- Parental Consent Mechanisms
- Confidentiality and Security of Children’s Personal Information
- Safe Harbor Programs
Public Comment Period
As discussed in more detail below, each of the proposed amendments could have a significant impact on websites and other online services, including mobile applications, geared toward children under 13 years old. The FTC seeks comments from the public on these proposed revisions, which must be submitted on or before November 28, 2011. The FTC press release announcing its proposed revisions is available here.
The current COPPA Rule requires that operators of websites or online services directed to children under 13, or those that have actual knowledge that they are collecting personal information from children under 13, obtain verifiable consent from parents before collecting, using, or disclosing such information from children. The COPPA Rule was promulgated in 2000 pursuant to the Children’s Online Privacy Protection Act, which was enacted by Congress in 1999 (“COPPA”). The proposed amendments represent the first major revision to the COPPA Rule since it went into effect in 2000.
Prior to announcing the proposed revisions, the FTC sought public comment on the entire COPPA Rule, posing numerous questions for consideration. According to the FTC, revisions are necessary to “ensure that the Rule continues to protect children’s privacy, as mandated by Congress, as online technologies evolve.”
Importantly, the proposed revisions do not address many of the key issues raised in the initial comment period. For example, the FTC does not propose to broaden the definition of “child” to include all minors or teenagers, as suggested by some initial comments. Additionally, the proposed amendments do not clarify the term “actual knowledge,” a term that many companies claimed is confusing.
Clarification on the Applicability of COPPA to Online Services
The FTC noted in its announcement that in its initial proposal it sought public input on the implications for COPPA raised by technologies such as mobile communications, interactive television, interactive gaming, and other evolving media. Specifically, it asked for comments on the terms “website,” “website located on the Internet,” and “online services,” each of which is used, but not defined, in COPPA and the Rule. Following the initial comment period and subsequent roundtable discussion, the FTC found participant consensus that COPPA and the Rule are “written broadly enough to encompass many new technologies without the need for new statutory language.” Thus the FTC concluded that “online service” is broad enough to “cover any service available over the Internet, or that connects to the Internet or a wide-area network.”
As a result, the FTC announced that it views COPPA and the Rule as applying to “mobile applications that allow children to play network-connected games, engage in social networking activities, purchase goods or services online, receive behaviorally targeted advertisements, or interact with other content or services.” Similarly, the FTC noted that “Internet-enabled gaming platforms, voice-over–Internet protocol services, and Internet-enabled location-based services also are online services covered by COPPA and the Rule.” The FTC concluded that it will continue to assess emerging technologies to determine whether or not they constitute “websites located on the Internet” or “online services” subject to COPPA’s coverage.
Less clear, the FTC observed, is the applicability of COPPA and the Rule to text (SMS) and multimedia (MMS) messaging on mobile devices. The FTC acknowledged that these messages are most commonly routed through private carrier networks and not the public Internet; however, several commenters noted that some mobile applications enable users to send text messages from a Web-enabled device without using these networks. The FTC offered no further discussion or guidance on this topic.
Summary of Major Proposed Changes
- “Personal Information”: The proposed amendment would expand the definition of personal information to include a customer identification number held in a cookie, an IP address, a processor or device number, or a unique device identifier that is used for functions other than internal operations of the Web site, as well as tracking cookies used for behavioral advertising. The proposed amendment would also add geolocation information, photographs, videos, and audio files that contain a child’s image or voice to the definition of personal information.
Note: This new definition would expand the definition of personal information to include not just personally identifiable information provided by a consumer, but information that would identify the user’s computer or mobile device. In addition, the definition would now also include information that Web site operators, ad networks, and others use to track consumers as they surf the Web.
- “Collection”: The new definition would clarify that the Rule covers the online collection of personal information both when an operator requires the personal information and when the operator merely prompts or encourages a child to provide such information. The revised definition would permit a Web site operator to allow children to participate in interactive communities without parental consent, provided that the operator take reasonable measures to delete “all or virtually all” children’s personal information before it is made public, and to delete it from its records.
- “Release”and “Online Contact Information”: The amendment would define the term “release” of personal information separately from the definition of “disclosure.” A “release” would be the sharing, selling, renting, or transfer of personal information to a third party. The definition of “Online Contact Information” would be expanded to include instant message user identifiers, VoIP identifiers, and video chat user identifiers.
- COPPA requires that parents be notified both on the operator’s Web site and in a notice delivered directly to the parent whose child seeks to register on the site or service. The proposed amendments would streamline the parental notice requirement, presenting key information to parents in a link placed on the Web site’s homepage and in close proximity to every information request.
Note: This simplified presentation of notice and choice is consistent with the FTC’s recent efforts to encourage businesses to present consumers with more straightforward and understandable information about their privacy practices.
Parental Consent Mechanisms
- The proposed amendment would add new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video conferencing, and use of government-issued identification checked against a database.
- At the same time, the proposed amendment would eliminate the “email – plus” method of parental consent.
Confidentiality and Security of Children’s Personal Information
- Data Retention: The amendment would introduce a data retention and deletion requirement, which would require that data obtained from children be retained only for as long as is necessary to fulfill the purposes for which it was collected. The proposed amendment would also require operators that delete the child’s personal information to take reasonable measures to protect against unauthorized access to, or use of, the information in connection with its disposal.
- Service Providers: The amendment would add a requirement that operators ensure that service providers or third parties to whom they disclose a child’s personal information have reasonable procedures in place to protect it.
- The amendment would strengthen the COPPA Safe Harbor Programs by requiring that the Safe Harbor self-regulatory bodies, at minimum, audit their members at least annually and report the results of these audits to the Commission periodically.