The Children’s Online Privacy Protection Act (“COPPA”) was passed by Congress at the end of the last century to add protections when an internet site sought to collect “personally identifiable information” (“PII”) from children under 13. The Congress directed the Federal Trade Commission to issue Rules to implement the Act, which it did. Now the FTC on August 1 proposed amendments to its Rule to keep up with changes in communications and information gathering.
When the FTC Chairman announced its new COPPA Rules at a press conference in 1999, he explained how certain sites would have to request age information from users and require clear parental consent when the user was younger than 13 years old. The Rule raised a number of complicated issues at the time.
The very first media question was, “suppose a 12 year old child lies about his age and enters 14?” The Chairman answered with an air of resignation, “there is only so much a rule can accomplish.” Since that time, the FTC and others have struggled to keep the Rule relevant and current with changes in the world of technology.
It all seemed so simple in 1999. Child goes to computer and connects with internet. Child goes to website that seeks PII for some purpose-—getting a newsletter or becoming a member of a group sponsored by the site operator. It was hard to foresee that computers would be supplemented with various “smart” hand-held devices and that websites would routinely become linked to popular social networks where PII would often be entered, even when not solicited by the web operator itself.
As with other regulations that have faced obsolescence as commerce and communications advanced, the FTC again seeks public comment on a number of proposed changes to its COPPA Rule, which is published at 16 CFR Part 316. These are actually modified proposed changes based on comments the FTC received following a similar request in 2011.
The latest proposal is replete with subtle distinctions that, if approved, will require close scrutiny by operators of sites that attract young users. The full FTC proposal and instructions for submitting comments can be found here.
The FTC proposes to modify only certain definitions to clarify the scope of the Rule and strengthen its protections for children's PII. Specifically, the defined terms include: (1)"operator," and (2) "website or online service directed to children." The FTC proposal also would expand the meaning of "collected or maintained on behalf of" an operator and, importantly, would expand the definition of “personally identifiable information” to included “persistent identifiers” in certain circumstances.
The thread that runs through all of the proposed changes is that they are needed to keep pace with real world communications. For example, until now the person responsible for compliance was the “operator” of the website, presumably the party that was collecting the PII from children.
All of that has changed. A large number of websites contain links to Facebook and other social media, which may ask for and obtain PII even if the primary “operator” does not. Other devices, including pop-up ads on a web page, may also be used to gather PII.
As the FTC explains, this change makes clear that “an operator of a child-directed site or service that chooses to integrate the services of others that collect personal information from its visitors should itself be considered a covered operator under the Rule.”
Similarly, the Commission proposes to modify the Rule's definition of "personal information" to reflect changes in online practices. Previously, a “persistent identifier” was used, without specific PII, to establish that the same person or computer was being used to access the website. Other uses were “internal,” that is, to improve the website rather than to interact with the user.
In time, it has become possible for operators to use some recurring bits of information to identify a specific person-—thereby making it PII. When that person is less than 13 years old, the same privacy issue comes into play as it once did with traditional PII. The FTC exempts from the expanded definition those identifiers that are used, as traditionally, only to "support for internal operations" of the website but not used or disclosed to contact an individual, including for example, through the controversial tool of “behavioral advertising.”
These two examples demonstrate the overarching purpose of the proposed changes, that is, to prevent the onset of obsolescence of Rules that were adequate at the time they were issued. It is a safe bet that the COPPA Rule is one that will be revisited periodically as long as website operators find new ways to extract PII from the youngest users among us.
The text of the Federal Register Notice for the proposal is available at the FTC's website. Public comments on the Supplemental Notice of Proposed Rulemaking will be accepted until September 10, 2012. Instructions for submitting comments are found in the Notice.