Businesses Across a Wide Range of Industries May Be Affected
The Federal Trade Commission (FTC) announced on August 1, 2012, that it was seeking public comment on a Supplemental Notice of Proposed Rulemaking (Supplemental NOPR) concerning the FTC's revision of the Children's Online Privacy Protection Rule (COPPA Rule) under the Children's Online Privacy Protection Act (COPPA). Comments on the Supplemental NOPR will be accepted from now until September 10, 2012.
FTC Expansion of COPPA Has Two Main Approaches
The shift in policy that the FTC has in mind is to dramatically expand the scope of COPPA in two main ways. The first shift in policy is to apply COPPA requirements and liability to websites and mobile applications that have never been covered by COPPA before. Specifically, the FTC proposes to have COPPA apply to mixed audience websites and services even if a "portion" of the website or service is "attractive" to kids. The second shift in policy is to dramatically restrict the scope of information that can be collected from the end-user if COPPA applies (without obtaining verifiable parental consent). Under the current rule, only "personal information" as commonly understood is covered (i.e., names, addresses and analogous information), whereas under the proposed policy that term will now be greatly expanded to include a wide variety of arcane technical information, such as random numbers stored in browser cookies, unique device identifiers (such as UDIDs) and IP addresses. Furthermore, mere facilitation of the collection of such information on behalf of others runs afoul of the new COPPA regime. It is safe to say that the FTC intends to extend regulatory oversight as well as liability to a wide variety of websites, mobile apps and data to which COPPA never previously applied.
If the proposed changes stand, they will negatively impact a wide variety of different businesses. This impact may not have corresponding positive effects in protecting children online. Companies who were not previously subject to COPPA may now find themselves directly affected and may want to comment on the latest proposed changes.
Broader Allocation of Responsibility and Changes to Key Definitions
First, in issuing the Supplemental NOPR, the FTC aimed to "allocate and clarify the responsibilities under COPPA" when third parties such as advertising entities or social networks collect information from users through widgets, buttons, and plug-ins on websites and services directed or attractive to children.1 Previous to this proposed modification, the FTC had suggested that the responsibility for providing notice to parents and obtaining parents' consent for the collection of children's personal information was solely with the entity collecting the information (the third party) and not the website (which hosted the third party) that is directed at children. In its current state, COPPA will hold both the operator of the child-directed website and, under certain circumstances, the third party collecting the information responsible as co-operators. The FTC does this by proposing to modify the definition of "operator" to encompass those entities that collect or maintain personal information on behalf of an operator where it is "collected in the interest of, as a representative of, or for the benefit of, the operator."2 According to the FTC, this change would "make clear that an operator of a child-directed site or service that chooses to integrate the services of others that collect personal information from its visitors should itself be considered a covered 'operator' under the [COPPA] Rule."3 The bottom line: host websites should be careful where and when they use plug-ins, widgets and buttons (Facebook "Like" buttons, Twitter badges and "Share This" widgets to name a few).
Second, the definition accepts that some websites that contain child-oriented content also reach older audiences, but takes these websites out of COPPA coverage only if these "mixed audience websites" age-screen (i.e., ask all visitors to provide their age).4 Under the current rule, the FTC says that these mixed audience websites must treat all visitors as under age 13. Screening visitors on mixed audience websites is intended to provide COPPA's protection only to users under age 13. Further, the definition clarifies that child-directed websites that knowingly target children under age 13 as their primary audience, or whose overall content is likely to attract children under age 13 as their primary audience, must still treat all users as children.5
Finally, the FTC proposes to modify the definition of "personal information" to add "persistent identifiers" to the definition and to clarify that a "persistent identifier will be considered personal information" in instances where: (1) "it can be used to recognize a user over time"; or (2) across different websites, where "it is used for purposes other than support for internal operations."6 The FTC has explicitly stated that this will cover targeted advertising and most instances of sharing with third-party service providers — except in narrow instances where necessary for authentication, enabling network communications and the like.7
Businesses Should Be Proactive to Determine If They Will Be Affected
The FTC is engaged in an aggressive campaign to increase the scope of its COPPA oversight, both as to covered parties and as to covered information and data. Businesses across a broad range of industries may be affected. It is recommended that any business with a consumer-facing website or mobile application review their online and mobile operations to determine if they will be negatively impacted. In addition, businesses may want to comment on the Supplemental NOPR which can be found on the FTC's website.