On December 19, the Federal Trade Commission (FTC) adopted important revisions to its rules implementing the Children’s Online Privacy Protection Act (COPPA). The net effect of the rules will be to expand the number of websites and mobile applications subject to COPPA regulations and impede the ability of the operators of websites or online services to attract advertising revenues to pay for those services. The new rules will take effect on July 1.
In particular, the new FTC regulations:
- Expand their scope by broadening the definition of "personal information" to include photographs, audio and video files, geo-location and Internet Protocol addresses. The inclusion of IP addresses is particularly controversial, as the U.S. courts that have considered the question have usually ruled that they are not personal information.
- Now will apply to third-party plug-ins (such as Facebook "Like" buttons and, importantly, advertising networks) that collect personal information (including IP addresses) even where the host site does not. This is aimed at curtailing behavioral advertising on sites and apps that target children under 13.
- Extend the restrictions to situations in which third parties, including ad networks, collect personal information even where the host site itself collects and receives no personal information at all. Such websites will be held strictly liable for data collection (from children under 13) and use by such third parties on their sites. FTC Commissioner Ohlhausen dissented from this aspect of the new rule on the ground that it exceeds the agency’s authority.
- Will apply to mobile applications.
- Allow websites to use automated filtering systems or take other "reasonable measures" to delete all, or virtually all, personal information from a child’s postings (and from the site’s records) before they are made public. Websites that do so are deemed not to be "collecting" personal information.
In contrast, a website will be allowed to collect personal information from children under the age of 13 for, among other things, contextual advertising, site analysis, and network communications, as long as it provides notice to the parents. Parental consent is not required for uses that constitute “support for the internal operations of the website.”
The FTC’s new rules have two aims. One is to update them in light of the modern abilities of users to upload photos, videos and music, and the widespread use of smartphones. The second is to curtail the use of behavioral advertising to children under the age of 13. In contrast, “contextual” advertising by the operator within its own site will be allowed, as well as analytics to support the internal operations of the website.
The FTC will allow sites that are “directed to” children under 13 but whose “primary audience” is older than 13 to use an age filter to confine their COPPA-related obligations to those users under 13. But COPPA obligations will apply to all users if the number of children using a site is “disproportionate,” although that term is undefined and necessarily vague.
Website operators now will have to take “reasonable steps” to make sure that any third parties that collect information, or to which the operators transfer it (such as a service provider), are capable of “maintaining the confidentiality, security and integrity” of such information. This creates a new due diligence obligation for website operators that deal with third parties.
The FTC’s new rules leave many questions unanswered. For example, will COPPA obligations be triggered if a child embeds a YouTube video in a website’s chat room? How will the website operator know that the poster is a child and not a parent?
Another important issue is what will constitute “actual knowledge.” These questions will be very important to broadcaster websites, because advertising networks may reduce the number and type of sites on which they are willing to provide service, rather than undertaking the burdensome consent process. As a result, child-directed sites could lose revenue and may become unaffordable to operate. Even websites and services that are not “directed” at children may suffer.
Several aspects of the FTC’s new rules may be legally suspect. For example, the FTC’s decision to define IP addresses as “personal information” runs counter to the trend of U.S. law, and that definition is a major “hook” used by the agency to reach behavioral advertising. Nonetheless, unless a reviewing court suspends those rules, they will take effect on July 1, 2013.