FTC Proposes Significant Revisions to Children's Online Privacy Protection Rule
September 20, 2011
On September 15, 2011, the Federal Trade Commission (FTC) issued a Proposed Rule and Request for Comment (PRRC) that would amend and significantly expand the Children's Online Privacy Protection Rule (COPPA Rule), which implements the Children's Online Privacy Protection Act (COPPA).1 Companies that may be affected by the proposed amendments have until November 28, 2011, to submit comments to the FTC.
The current COPPA Rule applies to operators of websites and "online services" that collect information from children under 13 years of age. The rule is triggered where either the website/service is directed to children under the age of 13 or the operator has actual knowledge that the website/service is collecting "personal information" from such children. Among other things, the rule requires covered operators to provide detailed notice to parents about the information being collected and its uses, and to obtain parents' verifiable consent prior to collecting, using, or disclosing personal information from children under the age of 13.
The FTC did not plan to review the rule until 2017.2 However, in light of the "rapid-fire pace of technological change," including an explosion in children's use of mobile devices and the proliferation of online social networking and interactive gaming, the FTC initiated its review of the rule on an accelerated schedule.
FTC DISCUSSION REGARDING SCOPE OF EXISTING RULE
Although the application of COPPA and the COPPA Rule is limited by their text to operators of websites and online services,3 the FTC is taking an expansive view of what constitutes an online service. In the PRRC, the agency stated its view that the term "online service" includes:
- any service available over the Internet, or that connects to the Internet or a wide-area network;
- new technologies such as mobile applications (including those that allow children to play network-connected games, engage in social networking, make online purchases, and receive behaviorally targeted ads);
- voice-over-Internet protocol services;
- Internet-enabled interactive television; and
- Internet-enabled interactive gaming.
The FTC also considered mobile communications such as short message services (SMS) and multimedia messaging services (MMS), and it concluded that both mobile applications that enable users to send texts from web-enabled devices without routing through a carrier-issued phone number and retailers' premium texting and coupon-texting programs that register users online and send texts from the Internet to users' mobile phones are online services. Because the FTC concluded that COPPA and the COPPA Rule already were written broadly enough to encompass these technologies, it declined to further define the term "online services."
The FTC's proposed amendments touch on five key areas: definitions, parental notice, parental consent mechanisms, confidentiality and security of children's personal information, and the role of self-regulatory "safe harbor" programs.4
The following are among the most significant proposed amendments to definitions in the rule:
"Collects or Collection": The current rule exempts from the definition of "collects or collection" operators who permit children to make personal information available online—such as on message boards and within social-networking features—but who delete all individually identifiable information from postings before they are made public and who also delete that information from their records.5 The FTC proposes liberalizing this "100% deletion" exception to cover operators who use "reasonable measures" to delete "all or virtually all" personal information from a child's postings before they are made public, and to delete such information from their records.6 Operators taking these steps and not otherwise collecting personal information from children may permit children to participate in interactive communities without parental consent. The FTC's objective in making this change is to encourage the development and implementation of automated filtering technologies that would detect and remove children's personal information before it is posted online, recognizing that such systems are not currently 100 percent effective.
"Personal Information": The FTC may include within the definition of "personal information" any identifier that permits physical or online contacting of a specific individual.7 The FTC proposes to use this authority to expand the definition of personal information to reflect technological changes. The new definition of personal information would include the following new elements:
- Online screen names and user names when they are used for any function other than, or in addition to, support for the internal operations of the website or online service8
- Persistent identifiers, including customer numbers held in cookies, IP addresses, and unique device identifiers, when they are used for any purpose other than, or in addition to, support for the internal operations of the website or online service (the use of persistent identifiers for purposes such as amassing data on a child's online activities or behaviorally targeting advertising does not fall within the "support for internal operations" exemption)9
- Identifiers that link the activities of a child across different websites or online services10
- Photographs, videos, and audio files that contain a child's image or voice11
- Geolocation information, such as GPS coordinates that may be obtained from mobile devices12
The FTC declined to propose including date of birth, gender, and ZIP code within the definition of personal information, but seeks comment as to whether the combination of those elements should be included. The FTC also seeks comment regarding whether "ZIP+4 code," which contains a five-digit ZIP code along with a more precise four-digit code corresponding to an area within that ZIP code, should be included in the personal information definition.13
"Directed to Children": The FTC proposes to include the presence of child celebrities and celebrities who appeal to children on a website or online service in the nonexclusive set of indicia that the FTC uses to determine whether a website or online service is directed to children. It declined to adopt a per se rule that would deem a website "directed to children" if audience demographics show that 20 percent or more of its visitors are children under 13, but will continue to consider such evidence in applying its totality-of-the-circumstances test.14
II. Parental Notice
Notice on the Website or Online Service: First, the FTC proposes requiring all operators of a website or online service to provide contact information, including, at a minimum, the operator's name, physical address, telephone number, and email address.15 This departs from the current rule, which permits operators to designate a single operator as the contact point.16
Second, the FTC proposes eliminating the requirement that operators recite their full collection, use, and disclosure practices in favor of a simple statement of:
- what information the operator collects from children, including whether the website or online service enables a child to make personal information publicly available;
- how the operator uses such information; and
- the operator's disclosure practices for such information.17
Direct Notice to Parents: The FTC proposes revisions to the requirements of the direct notice to parents to ensure that this notice works as an effective "just-in-time" message to parents about an operator's information practices. For each form of direct notice to parents required by the COPPA Rule, the amended rule would specify the precise information that operators must provide to parents regarding:
- the items of personal information the operator already has obtained from the child (the parent's online contact information either alone or together with the child's online contact information);
- the purpose of the notification;
- action that the parent must or may take; and
- what use, if any, the operator will make of the personal information collected.
A hyperlink to the online notice would be mandatory.19
III. Parental Consent
The FTC proposes significant changes to the rule's provisions regarding mechanisms of obtaining verifiable parental consent, and proposes a new exception to when prior parental consent is required.
Methods of Obtaining Consent: Currently operators "must make reasonable efforts to obtain verifiable parental consent, taking into consideration available technology. Any method to obtain verifiable parental consent must be reasonably calculated in light of available technology to ensure that the person providing consent is the child's parent."20 The rule sets forth a non-exclusive list of methods that meet this standard, such as requiring a parent to use a credit card in connection with a transaction.21 The FTC proposes to add several new methods to this non-exhaustive list, including electronic scans of signed parental consent forms, videoconferencing, and use of government-issued identification (such as a driver's license, or a segment of the parent's Social Security number) checked against a database, provided that the parent's ID is deleted promptly after verification is complete.22 It also proposes adding the word "monetary" to modify "transaction" in connection with the use of a credit card to verify consent in order to make clear that credit card verification may be used only in connection with monetary transactions.23
Elimination of Sliding-Scale Approach to Parental Consent: Under the sliding-scale approach to parental consent contained in the current rule, an operator, when collecting personal information only for its internal use, may obtain verifiable parental consent through an email from the parent, so long as the email is coupled with an additional step (such as sending a delayed confirmatory email to the parent after receiving consent).24 Citing its belief that this consent method, often called "email plus," has inhibited the development of more reliable methods, the FTC proposes eliminating it.25
FTC and Safe-Harbor Approval of Parental Consent Mechanism: The proposed rule would add two new means of obtaining prior approval for a specific method of obtaining verifiable parental consent. First, the amended rule would provide for a voluntary review process for parental consent mechanisms. Applicants would present the FTC with a detailed description of the proposed mechanism, along with an analysis of how the mechanism meets applicable requirements. The FTC would publish the application for public comment, and rule on the request within 180 days.26 Second, the amended rule would provide that operators participating in an FTC-approved COPPA safe-harbor program may use any parental consent mechanism that the safe-harbor program deems to meet the rule's parental consent standards.27
New Exception to Parental Consent Requirement: The FTC proposes adding one new exception to the prior parental consent requirement in order to give operators the option of collecting a parent's online contact information for the purpose of providing notice to or updating the parent about a child's participation in a website or online service that does not otherwise collect, use, or disclose children's personal information. It would not be permissible to use or disclose such information for any other purpose, and the information could not be combined with any other information collected from the child.28
IV. Confidentiality and Security Requirements
Third-Party Confidentiality, Security, and Integrity Requirements: The current rule obligates operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.29 The FTC proposes amending the rule to require operators to take reasonable measures to ensure that any service provider or third party to whom they release children's personal information has in place reasonable procedures to protect the confidentiality, security, and integrity of such personal information.30
Data Retention and Deletion: The FTC proposes adding new data-retention and deletion provisions. Under these proposed provisions, operators would be required to (a) retain children's personal information for only as long as is reasonably necessary to fulfill the purpose for which the information was collected; and (b) take reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.31
V. Safe-Harbor Programs
COPPA contains a "safe harbor" for participants in FTC-approved COPPA self-regulatory programs.32 The COPPA Rule provides that operators complying fully with an approved safe-harbor program will be deemed to be in compliance with COPPA for purposes of enforcement. In lieu of FTC enforcement actions, such operators are subject first to the safe-harbor program's review and disciplinary procedures.
The FTC proposes to strengthen the safe-harbor provisions of the rule by proposing three substantive changes: (a) requiring safe-harbor program applicants to submit comprehensive information about their capability to run an effective safe-harbor program; (b) establishing more rigorous baseline oversight by FTC-approved safe-harbor programs of their members; and (c) requiring FTC-approved safe-harbor programs to submit periodic reports to the FTC. Significantly for businesses participating in an approved safe-harbor program, the amended rule would require these programs to conduct, at minimum, comprehensive annual reviews of each of their members' information practices to ensure members' compliance.33
IMPLICATIONS OF PROPOSED AMENDMENTS
Since its enactment in 2000, the COPPA Rule has been aggressively enforced by the FTC. Numerous companies have paid multimillion-dollar settlements or penalties due to non-compliance. These proposed revisions, issued on an expedited basis, reflect the FTC's continued focus on consumer privacy, particularly with respect to children.
Businesses that interact with children via the Internet should pay close attention to the requirements of COPPA and the COPPA Rule in general, and, if enacted, to the amended provisions of the rule.
Given the significance of the proposed changes, as well as the FTC's broad interpretation of the scope of the rule, businesses that collect information from children may consider now a good time to review their existing practices and consider participating in the FTC's rulemaking proceeding.
Our attorneys routinely counsel clients on the subtleties of COPPA and other rapidly changing domestic and international privacy issues. If you have questions in these areas, please contact Lydia Parnes at firstname.lastname@example.org or (202) 973-8801; Tonia Klausner at email@example.com or (212) 497-7706; Matthew Staples at firstname.lastname@example.org or (206) 883-2583; Gerry Stegmaier at email@example.com or (202) 973-8809; or any of the many members of our privacy and data security practice.