On September 15, 2011, The Federal Trade Commission (“FTC”) released a proposed rule (“Proposed Rule”) to amend its Children’s Online Privacy Protection Rule (“COPPA Rule”). The COPPA Rule applies to operators of commercial web sites and online services directed to children under age 13 that collect, use, or disclose personal information from children, and operators of general audience web sites that have actual knowledge that they are collecting, using, or disclosing personal information from children under the age of 13. The COPPA Rule seeks to provide parents with tools to control how information about their children is collected online. Comments on the Proposed Rule will be accepted through November 28, 2011
In the Proposed Rule, the FTC declined to advocate for applying COPPA to teenagers aged 13 and older and retained the existing rule that COPPA applies to general audience websites only when they have actual knowledge that they are collecting personal information from children. The FTC’s Proposed Rule seeks to amend five key areas:
- Definitions (including “personal information” and “collection”): The Proposed Rule would extend the current definition of “personal information” to capture certain geolocation information, visual and audio files, persistent identifiers used by first parties for purposes other than internal support, and any identifiers that link children’s activities across websites. The definition of what “collection” triggers COPPA would also be expanded to include “prompting” or “encouraging” children to submit information.
- Parental Consent: The FTC seeks to eliminate the “e-mail plus” means of obtaining parental consent when children’s personal information is used for internal purposes only. At the same time, the Commission proposes to add more non-exclusive examples of other permissible ways to obtain consent, including electronic scans of consent forms.
- Confidentiality and Security of Children’s Personal Information: The FTC also proposes to require operators to delete children’s personal information when it is no longer reasonably necessary and to ensure that service providers and third parties with whom they share children’s personal information have reasonable procedures in place to protect the confidentiality, security, and integrity of such information.
- Self-Regulatory Safe Harbor Programs: The Proposed Rule would require safe harbor programs to annually audit each of their members and to report their findings and any disciplinary actions to the FTC.
At least once every ten years, the FTC conducts a review of its regulations to determine whether they should be retained or modified. Previously, the FTC conducted a voluntary review of the COPPA Rule in 2001 and a statutorily mandated review in 2005, retaining the COPPA Rule without change after the most recent review. The FTC explained that another review of the COPPA Rule is warranted at this time because a change has occurred in how people access the Internet, particularly through the use of mobile technology.