The new regulations implementing the Children’s Online Privacy Protection Act (“COPPA”) (the “New Rule”) go into effect July 1. As we have previously reported, the New Rule greatly expands the kinds of data that require verified parental consent before being collected from a child under 13, including persistent identifiers (i.e., an identifier used to recognize a user, browser or device over time and across sites and services, such as an IP address), absent certain narrow exceptions.
The New Rule makes sites and services directed to children strictly liable for violations, including by vendors and other services that interact with their site or service. It also makes general audience sites or services liable if they have a basis for knowing they are collecting restricted data from children. With only a week remaining before the New Rule goes into effect, and with the FTC refusing to postpone implementation and already sending out scores of warning letters to websites and mobile apps, online sites and services need to audit their data practices, and those of their vendors, ad servers and networks, analytics providers, third-party platforms, social media plug-ins and any other party collecting data in connection with their site or service. Here are some of the more vexing issues:
- The New Rule creates a new category of so-called mixed use service for sites and apps that may in part be directed to children but not primarily so. These sites and services must now age screen users in a neutral manner, and treat them differently based on self-reported age. They cannot block children under 13 completely, but must offer them COPPA-compliant services. This may make it more difficult for sites and apps intended for teens or parents of toddlers and pre-school children to take the position that they are general audience sites that only have COPPA obligations if they have actual knowledge a user is under 13 and have no obligation to inquire. There are steps these operators can take to improve their position if they elect not to completely age gate their site or service.
- The FTC staff has made it clear that once an operator has notice that a persistent identifier belongs to a child under 13, it must immediately take action to prevent violation of COPPA. This includes ensuring that behavioral advertising is not served to them, that social media plug-ins and tools where they can submit publicly available content are not made available to them and that analytics providers and other vendors do not use their identifiers or other personal information except pursuant to certain narrow exceptions. Even if an operator could employ a cookie or other device to identify users it learns are under 13, given all the third parties affected (e.g., in the advertising ecosystem), real challenges remain to be solved before effective differentiation can become reality. In the meantime, other workarounds can be employed to minimize risk.
- One exception to the limitation on collection and use of persistent identifiers without verified parental consent is the “support for the internal operations of the site or service necessary to (a) maintain or analyze the functioning of the website or online service; (b) perform network communications; (c) authenticate users of, or personalize content on, the website or online service; (d) serve contextual advertising [but not behavioral advertising] on the website or online service or cap the frequency of advertising; (e) protect the security or integrity of the user, website or online service; (f) ensure legal or regulatory compliance; or (g) fulfill a [permitted] request of a child…. [but for NO other reason]” Section 312.2. The FTC staff has said that site analytics may potentially fall under this exception, and operators can use analytics vendors to perform the analytics that fall within the specific definition. COPPA FAQ I.7. That vendor can also use the persistent identifier for its own internal operations purposes, but no other purposes. COPPA FAQ I.6. However, the operator will be strictly liable for the vendor’s collection or use of the persistent identifier for any other purpose. The FTC suggests that if operators conduct due diligence, and get contractual commitments from vendors and others they allow to interact with the site or service that they will not go beyond the exceptions, the FTC is likely to exercise prosecutorial discretion not to hold the operator strictly liable. COPPA FAQ D.7 and D.8. However, many of these vendors are not only unwilling to make such a commitment, but have announced that they do not currently fit within the exception and are thus not appropriate for use in connection with children.
- The FTC treats data that was not subject to COPPA restrictions before, but will be after July 1, differently. Some, such as photos of children, are grandfathered and may be retained. Others, such as geo-location (which might be in metadata in photos) must be deleted absent verified parental consent. Previously downloaded children’s mobile apps are not grandfathered and need to obtain verified parental consent or change their features and practices.
- Push notifications to children’s apps require either prior verified parental consent or a parental notice and opt-out opportunity, depending on the purpose of the notice.
- Apps that store pictures on a device do not need verified parental consent, but those that store pictures in the cloud do.
Civil penalties for violation of the New Rule can be up to $16,000 per instance, and recent COPPA settlements have been in the six and seven figure range. The New Rule changes are complex and expand the net as to what data and which operators are covered and when. Operators of online and mobile services need to look closely at their data practices and policies, and those of third parties they interact with, and implement necessary changes before July. The Advertising, Digital Media and e-Commerce and Privacy and Data Security practices at Edwards Wildman have been working with online and mobile developers and publishers, analytics companies, social media operators, e-commerce providers, safe harbor providers, COPPA compliance solutions providers and others in preparation for the July 1 deadline. This includes frequent interaction with staff of the FTC and the self-regulatory Children’s Advertising Review Unit of the Better Business Bureau to present client issues and proposed solutions, on an anonymous basis, to help clients make prudent risk management decisions.