On September 15, 2011, the Federal Trade Commission ("FTC") issued its proposed amendments
to the Children's Online Privacy Protection Rule ("COPPA Rule" or the "Rule").1
COPPA requires commercial websites and online services that target children to obtain verifiable parental consent before collecting personal information from children under the age of 13. The proposed revisions would modify or expand key definitions within the Rule, including the definition of "personal information," and would update the Rule's requirements concerning parental notice and consent, and existing safe harbor provisions. The proposed amendments also would include new safeguard requirements, including provisions that involve personal data minimization and disposal obligations.
The FTC's proposed revisions to the COPPA Rule are a response to the substantial changes in consumer technology that have occurred over the past decade since the Rule first became effective. Specifically, the proposed revisions are intended to ensure that the Rule continues to provide privacy protections for children who increasingly participate in social networking and interactive gaming, or engage in online activities through a mobile device. The FTC seeks written comments to the proposed amendments. Comments are due by November 28, 2011.
Proposed Revisions to the COPPA Rule
When The COPPA Rule Is Triggered
The COPPA Rule applies to both commercial websites and online services directed to children that collect personal information from a child. The Rule also applies to an online service that targets a general audience if that company has actual knowledge that it is collecting or maintaining personal information from a child.
While the Commission has advised that operators of general audience sites are not required to investigate the ages of their users, the Commission again emphasized in its commentary in the proposed amendments that if such companies ask for, or otherwise collect, information establishing that a user is under the age of 13, they will be subject to the COPPA Rule. This would include, for example, where an operator learns of a child's age or grade from the child's registration at the site, from a concerned parent who has learned that his child is participating at the site, and those that ask "age identifying" questions, such as "what type of school do you go to: (a) elementary; (b) middle; (c) high school; (d) college."
The FTC also clarified that, while it will not seek to expand COPPA to cover teenagers, it expects that companies will provide clear information to teenagers about the uses of their data and give them meaningful choices about such uses. Along those lines, the Commission is exploring new privacy approaches that will ensure that teens (and adults) benefit from stronger privacy protections than are currently generally available, including "just in time" privacy disclosures at the point when personal information is collected from the consumer. We expect to see more clarification on such a policy when the FTC Staff release the final Privacy Report
, which will likely be issued later this year. The recommendations outlined in the Staff's draft Privacy Report
are summarized in Kelley Drye's December 8, 2010 client advisory
Finally, with respect to the Rule's application to "online services," the FTC stated that the Rule, as it currently stands, already covers the host of emerging technologies that connect online, including mobile applications that allow children to play network connected games, engage in social networking activities, purchase goods or services online, receive behaviorally targeted advertisements, or interact with other content or services, as well as Internet-enabled gaming platforms, voice-over-Internet protocol services, Internet-enabled location based services, some types of texting programs that connect online, including mobile applications that enable users to send text messages from their web-enabled devices without routing through a carrier-issued phone number constitute online services, and companies' premium texting and coupon texting programs that register users online and send text messages from the Internet to users' mobile phone numbers are online services. Thus, no changes were necessary to the Rule on this point.
The FTC proposes revisions to a number of definitions within COPPA that are intended to either clarify current requirements or broaden the scope of defined terms to encompass technological developments that have occurred since the Rule was enacted. A brief description of the proposed changes is set forth below:
: The most notable proposed changes to the definitions section is a significant expansion of the term "personal information" to include new forms of data that the FTC now considers personally identifiable. Under the proposed revisions, "personal information" would include online screen and user names, except in cases where such names are used solely for technical maintenance of the online service or website. "Personal information" also would include "online contact information" which includes identifiers that permit direct contact with a child online (including an instant messaging user identifier, a voice over internet protocol (VOIP) identifier, or a video chat user identifier. The revised definition also would cover photographs, and video or audio files containing a child's image or voice.
Notably, the FTC is proposing that "personal information" also include geolocation information emitted by a child's mobile or electronic device. This provision, if adopted, would expand the current location-based criteria under "personal information" that includes "a home or other physical address including street name and name of a city or town. The proposed revision responds to recent concerns expressed by Congress and the FTC
over the extent to which mobile operators are collecting location information from user devices.
The Commission also proposes to broaden the meaning of the term "persistent identifier" as it applies to personal information. Under the current rule, a persistent identifier-including a website cookie, Internet Protocol ("IP") address, or a device serial number-must be linked to other information relating to a child or parent before it is classified as "personal information" under the rule. The FTC is proposing that a persistent identifier, standing alone, would be "personal information," unless the identifier is used solely to support the internal operations of the website or online service. The proposed revision would exempt a persistent identifier from the definition of personal information if it is used solely for user authentication, improving site navigation, serving contextual advertisements, or protecting against fraud or theft. Finally, a mobile device's unique identifier, or other identifier that can link a child's activities across different websites or online services also would fall within the "personal information" definition under the proposed changes.
"Collects or collection"
: The proposed revisions would update the definition of "collects or collection" to clarify that COPPA covers instances where an operator merely prompts or encourages a child to provide certain information, and not just when the operator mandates that information be provided to access the site. Further, the FTC is proposing language to clarify that "collects or collection" includes all forms of passive tracking of a child online, irrespective of the technology used.
The FTC also is proposing several modifications to the definition of "collects or collection" that it hopes will encourage operators to develop new processes that can delete virtually all personal information submitted by children before such information is made public. Specifically, the FTC would modify the current "100% deletion standard" that requires an operator to delete all individually identifiable information from its records and from postings by children before they're made public. In its place, the Commission proposes a "reasonable measures" standard whereby operators who use technologies reasonably designed to capture all or virtually all personal information from children would not be deemed to have "collected" personal information.
"Release of personal information"
: The proposed rule revisions would clarify that "release of personal information" pertains to business-to-business uses of personal information, while "public disclosures of personal information" is addressed in COPPA's definition of "disclosure."
"Support for the internal operations of the website or online service"
: This term is used in the Rule to designate certain instances where a website operator may be permitted to use information provided by a child. The FTC's proposed changes would expand this definition to include "activities necessary to protect the security or integrity of the website or online service" in recognition of the website operators' need for protection from fraud and online security threats.
"Website or online service directed to children"
: Whether a website or online service is "directed to children" will continue to be based upon the totality of the circumstances. But as one of the factors that will be considered in evaluating whether the website is directed to children, the FTC proposes expanding the meaning of "audio content" to include music, and expressly noting that the use of a child celebrity on a website or online service is a strong indicator of the site's appeal to children.
Streamlining Parental Notice.
The COPPA Rule requires that a website or online service operator provide parents with two forms of notice concerning its intent to collect or use a child's information: (1) through the website or online service ("online notice"); and (2) through direct outreach to a parent whose child seeks to register on the site or service ("direct notice"). The Commission is proposing to streamline the current notice requirements in an effort to give parents easy-to-understand information provided on a real-time basis. This proposed revision is consistent with the FTC's previously noted preference that disclosure and notice information be "embedded in the interaction
Specifically, parents would receive notices through "just in time" messages that describe an operator's information practices at the most relevant points of interaction. The proposed revisions further describe the precise information that operators must provide to parents regarding: (1) the personal information that the operator has already obtained from the child; (2) the purpose of the notification; (3) actions that the parent must or may take; and (4) how the operator intends to use the personal information collected. For example, with respect to the notification purpose, the proposed revision would require that the operator's notice states that (1) the operator collected the parent's contact information in order to provide notice; (2) the parent's information will not be used for any other purpose; and (3) the parent may refuse to allow the child to participate in the site, and may require the deletion of his or her contact information. The FTC also would require that all forms of direct notice include a hyperlink to the operator's online notice of its information practices.
Notice Must Identify All Operators.
The proposed revisions also would modify online notice requirements by mandating that all
operators involved in the operation of an online service-and not just a designated operator, as permitted under the current Rule-provide contact information that includes the operator's name, physical address, telephone number, and email address. This revision specifically is intended to address the mobile applications environment in which multiple parties, including mobile app developers, advertising networks, and service providers are responsible for different functions in delivering the app to the consumer. The Commission believes this change will assist parents in finding the appropriate party to whom to direct an inquiry.
No Lengthy Policies for Parental Notice.
The FTC's final proposed revision to the Notice section would eliminate the use of lengthy privacy policies to provide online notice and, instead, would require a simple statement that describes: (1) the information that the operator collects from children, and whether the child can make information publicly-available on the operator's site; (2) how the operator uses the child's information; and (3) the operator's disclosure practices for such information. The intent of the proposed change is to provide consumers with more readily-available and easy-to-understand information, given that an increasing amount of online content is provided over mobile devices with smaller screen sizes.
Parental Consent Mechanisms
Expand Types of Parental Consent.
The Commission is proposing several substantial changes to the mechanisms that an operator can use to obtain verifiable parental consent before it can collect, use, or disclose information obtained from children. For example, the proposed revisions would expand the methods by which operators can seek and obtain verifiable parental consent to include electronically-scanned versions of signed parental consent forms, videoconferencing, and government-issued identification - such as a driver's license - that is checked against a database. Operators could use such information for verification purposes only.
Payment Card Consent Only For Transactions.
The Rule also would clarify that credit card information can be used for verification purposes only in instances where the parental consent is needed to facilitate an actual monetary transaction.
Eliminating Email Plus Verification.
The FTC also has proposed eliminating the "email plus" method of verification now used by operators that collect children's personal information for internal use only. The method requires operators to obtain consent through an email to the parent, in concert with a separate verification step such as confirming the parent's consent by letter or telephone. The Commission, in an effort to strengthen verifiable consent procedures by leveraging new technologies, has proposed a new process through which operators may voluntarily seek Commission approval of potential consent mechanisms. Applicants seeking approval would be required to submit to the FTC a description of the mechanism, along with an analysis of how it complies with COPPA. The mechanism then would be subject to public comment before the Commission would grant approval.
Safe Harbor Parental Consent Okay.
The FTC also has proposed adding a provision to the rule stating that operators participating in an FTC-approved safe harbor program may use any parental consent mechanisms deemed by the safe harbor program to meet COPPA requirements.
Confidentiality and Security of Children's Personal Information
Security Safeguards Required with Third Parties.
COPPA requires operators to establish reasonable procedures to protect the confidentiality, integrity, and security of children's personal information; however, the current rule is silent on the data security obligations of third parties. The proposed revisions would add a requirement that operators take "reasonable measures" to ensure that any service provider or third party to whom children's personal information is provided has enacted "reasonable procedures" to protect the confidentiality, security, and integrity of such personal information.
Data Minimization Requirements.
The proposed revisions also would impose a new data retention and deletion requirement, whereby operators could retain children's personal information only for so long as is reasonably necessary to fulfill the purpose for which the information was collected. The operator also would be required to take reasonable measures to protect against unauthorized access to the information during the data deletion or disposal process.
The Role of Self-Regulation Programs
COPPA permits operators to participate in safe harbor programs that have created guidelines that protect children's online privacy to the same or greater extent as COPPA, and include processes to ensure that member participants comply with program's provisions. The FTC has proposed several modifications to the manner in which it oversees safe harbor programs:
Annual Audits of Program Members
: Under the current rule, safe harbor programs are required only to conduct "periodic reviews" that may be conducted "on a random basis" to assess an operator's compliance with the program. The proposed revision would mandate that, at a minimum, safe harbor programs conduct annual, comprehensive reviews of each of their members' information practices as a way to improve accountability and transparency of such programs.
Provide FTC with Detailed Capabilities Overview
: The Commission proposes adding a new requirement that program applicants include with their safe harbor application a detailed explanation of their business model and the technological capabilities and mechanisms they will use to assess an operators' fitness for membership in the safe harbor program.
Report Periodically to the Commission
: The Commission proposes modifying the current requirement that safe harbor programs maintain records of consumer complaints, disciplinary actions, and the results of independent assessments for 3 years, which must be made available to the Commission upon request
. Under the proposed revision, safe harbor programs would be required
to submit reports to the Commission that include the results of its independent audits, and reports on any disciplinary actions taken against members during the relevant reporting period. The reports would be due to the Commission within one year from the effective date of the final amendment, and every eighteen months thereafter.
During the past year, the Commission has been a vocal advocate for children's online privacy protections in response to continuing changes in the manner by which children view and interact with online content. The FTC recently used its enforcement powers
to send a clear signal to website and mobile operators that target children, and the Commission is now employing its rulemaking authority to enhance current privacy protections for children. The FTC's proposed amendments to COPPA would impose significant new requirements on operators relating to parental notice and consent, the types of information that an operator can collect from children, and how such information must be protected. Because the FTC is able to levy fines of up to $16,000 per violation for non-compliance with the COPPA Rule, these proposed changes come with teeth if the proposed changes are implemented, and companies fail to comply with them.
During this review period for the proposed changes, the FTC has invited the public to submit comments on any or all issues raised within its notice of proposed rulemaking ("NPRM"), as well as responses to specific questions listed in Section X of the NPRM. The filing deadline for comments is November 28, 2011. Please contact us, if we can be of assistance in the preparation of comments on your behalf.
Kelley Drye & Warren LLP
Kelley Drye & Warren's Privacy and Information Security
practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients' customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.
For more information about this advisory, contact:
Dana B. Rosenfeld
John J. Heitmann
Alysa Zeltzer Hutnik
Christopher M. Loeffler
16 C.F.R. Part 312.