On February 16, 2012, Kelley Drye & Warren LLP hosted the seminar and audiocast, "Privacy in 2012: What to Watch Regarding COPPA, Mobile Apps, and Evolving Law Enforcement and Public Policy Trends." The seminar highlighted regulatory and legislative developments in privacy and information security during the past year, with an emphasis on children's online privacy and mobile applications ("apps").
Peter Swire, a professor at The Ohio State University Michael E. Moritz College of Law and a Senior Fellow with the Center for American Progress, opened the seminar with a keynote address that gave historical context to the most recent regulatory efforts addressing consumer privacy. Professor Swire's remarks were followed by two panel sessions that included six experts representing key industry participants and the federal agencies integral to recent privacy initiatives. The first panel discussed children's online privacy and the Federal Trade Commission's ("FTC") proposed revisions to the Children's Online Privacy Protection Rule ("COPPA Rule" or "the Rule"). The second panel discussed various consumer privacy enforcement and regulatory initiatives relating to mobile apps. This advisory provides the key takeaways from the seminar.
Mr. Swire's keynote address, "Then and Now – a Second Wave of Privacy Protection," set the stage for the panel discussions by providing an overview of consumer privacy-focused regulatory activity beginning in the early 1990s. He traced the early rulemaking and enforcement initiatives by the FTC, the Department of Commerce, and the European Union ("EU") from the "dial-up" Internet era to the current online environment dominated by smartphones and new online platforms with interactive features. Professor Swire described the most recent regulatory push – which includes the pending final privacy frameworks from the FTC and the Commerce Department as well as stringent new EU regulations – as the "second wave" of consumer privacy regulation intended to address the rise of social networking, location-based services, and online advertising.[1]
Professor Swire noted that, while it is unclear whether Congress will pass consumer privacy legislation in the current session, the level of ongoing regulatory activity is forcing businesses to reevaluate their existing privacy practices and policies.
Panel 1 – Moderated by Kelley Drye Partners Dana Rosenfeld and Alysa Hutnik
- Mamie Kresses, Senior Attorney, Division of Advertising Practices, Federal Trade Commission
- Ellen Blackler, Vice President, Global Public Policy, The Walt Disney Company
- Saira Nayak, Director of Policy, TRUSTe
Panelists discussed the FTC's proposed amendments to the COPPA Rule and how certain proposed changes would impact current online industry practices, affect how children access and use the Internet, and influence the means by which parents give consent to the collection of their child's personal information.[2]
- Mamie Kresses, with the FTC, and Ellen Blackler, with The Walt Disney Company ("Disney"), discussed the rapid pace of change with respect to children's online preferences and the growing challenge in classifying websites and online services as "directed to children" as more Internet users shift to multi-generational content and access online sites through new platforms and devices. Ms. Blackler discussed Disney's comments to the COPPA proposal, including the recommendation that the Commission expand the current classification of websites beyond those that either are or are not targeted to children, and include a new "Family Friendly" category that would bring COPPA privacy safeguards to a larger number of the online destinations that children now frequent. According to Ms. Blackler, not all users of Family Friendly sites would be presumed to be children. Rather, these websites and online services would be required to be designed deliberately to avoid the collection of personal information until the user's age is ascertained.
- Panelists discussed the need for new solutions to overcome the ongoing logistical challenges with obtaining verifiable parental consent prior to the collection of a child's personal information. Ms. Kresses described the "difficult paradox" in which operators must employ sufficiently stringent privacy controls for children, yet still provide parents with a convenient means to provide consent. Ms. Blackler commented on the need for an ecosystem-wide approach to obtain parental consent because of the multiple entities that now reside within the value chain. Specifically, she described the concept of a Kids Privacy Portal, a pin-based system through which parents would give consent for multiple sites at one time, thereby reducing the burden on parents and creating greater efficiency in the consent process. Saira Nayak, with TRUSTe, also noted the proliferation of platforms and online functionality and called for more streamlined consent mechanisms that recognize the various form factors in the devices that children now use to access online content.
- Ms. Nayak discussed the potential effects of the proposed amendments on TRUSTe's COPPA Safe Harbor program. She commended the proposed data security, retention, and deletion requirements; however, she advised against a uniform mandate on the timeframe for deleting personal information given the diversity of business models and the varied uses of personal information within the online space. Ms. Nayak also discussed the proposed annual audit requirement for all Safe Harbor program members and acknowledged that TRUSTe will face additional costs to meet this requirement. In response, Ms. Kresses explained the FTC's belief that the annual requirement is necessary to create more consistency in reporting among the four different COPPA Safe Harbors and that the Commission continues to evaluate the appropriate scope of the annual reporting requirements.
- Panelists also discussed the proposed changes to key definitions within the COPPA Rule, including the definitions of "personal information" and "support for the internal operation of the website or online service." Ms. Blackler remarked that the proposal to include screen names and persistent identifiers (such as cookies) within the definition of "personal information" would have a significant impact on the industry. She noted that screen names currently are used by industry to help preserve a user's privacy and confidentiality. Similarly, Ms. Nayak stated TRUSTe's position that persistent identifiers and screen names, if not linked to an actual user name, should not constitute personally-identifiable information. Ms. Kresses responded that, as children use the same screen name across more web sites, there is an increased risk that the screen name can be paired with the child's real name or other personally-identifiable information, thereby creating a "bypass" around other privacy protections. Similarly, she reflected the Commission's view that persistent identifiers could be used to track children's activities during a child's visit to a website. With respect to the proposed definition of "support for the internal operation of the website or online service," Ms. Kresses noted that the Commission continues to consider whether the proposed definition is worded too narrowly and would unduly restrict operators from enhancing the user experience within their websites or online services.
Panel 2 – Moderated by Kelley Drye Partners John Heitmann and Gonzalo Mon
- Jessica Rich, Associate Director of the Division of Financial Practices, Federal Trade Commission
- Jennifer Tatel, Associate General Counsel, Federal Communications Commission
- Michael Altschul, Senior Vice President and General Counsel, CTIA – the Wireless Association
Panelists discussed the increased collection and use of consumer personal data resulting from technological innovations in mobile services and apps, recommended greater transparency by providers regarding those collection and usage practices, and emphasized the need for consumer control over those activities.
- Jessica Rich, with the FTC, discussed the FTC's focus on promoting greater transparency in how mobile app providers disclose their data collection and use practices. Ms. Rich highlighted some of the FTC's recent mobile-related enforcement actions, and indicated that the agency will continue to scrutinize mobile apps, including evaluating whether certain activities constitute unfair or deceptive practices. Referring to a survey released by the FTC earlier that same day, Ms. Rich noted that the FTC survey revealed that children's mobile app providers disclose little information on their data collection practices. Ms. Rich also highlighted the FTC's recommendations that all parties in the mobile ecosystem must do a better job of disclosing privacy practices. She indicated that the FTC is addressing some of these issues in its revisions to the COPPA Rule. Ms. Rich also discussed the FTC's proposed privacy framework that emphasizes privacy-by-design and greater consumer control over personal information, and she discussed best practices for notice and consent on mobile devices, including the use of opt-in consent for location-based services. Lastly, Ms. Rich commented on ongoing industry self-regulation efforts and emphasized that such initiatives must feature clear privacy standards that consumers actually understand, and enforcement mechanisms with "teeth."
- Jennifer Tatel, with the Federal Communications Commission ("FCC"), identified the agency's three primary privacy goals: (1) ensure personal information is protected from misuse and mishandling; (2) require greater transparency in provider data collection and use practices; and (3) enable consumers to exercise more control over how their personal data is used. Ms. Tatel noted the increased collection and use of consumer information by new online and mobile apps and discussed how consumer concerns about such use present a barrier to greater broadband adoption. She described how the FCC is responding to these concerns through a series of rules and orders that address mobile-related issues including pretexting, notice standards, data breach notifications, and the handling and sharing of customer proprietary network information ("CPNI"), including geographic location information. Ms. Tatel also discussed the FCC's pending report on location-based services and shared the FCC's concern about impeding the growth and development of mobile industries by applying too many prescriptive regulations. Lastly, Ms. Tatel recommended that mobile app providers view privacy as a competitive differentiator as consumers likely will begin to make choices based on how individual providers protect consumer privacy.
- Michael Altschul, with CTIA – The Wireless Association, highlighted the need for industry to educate consumers about privacy protections and continue improving privacy protections in response to raised consumer expectations. Mr. Altschul described the current "revolution" in how consumers and devices interact with mobile apps, and noted that consumers who previously were subject to the privacy practices of the wireless carriers that acted as gate-keepers to the apps are increasingly subject to the privacy practices of the app stores or the individual apps. Mr. Altschul also addressed the challenges with providing consumers with notice of the data use and collection practices on mobile devices, as well as the privacy considerations associated with mobile push alerts and health-related mobile services.
The seminar was presented by Kelley Drye's Privacy and Information Security
Dana B. Rosenfeld
John J. Heitmann
Alysa Zeltzer Hutnik
Gonzalo E. Mon
[1] Information about the FTC and Commerce Department privacy frameworks can be found, respectively, in Kelley Drye & Warren's December 8, 2010 and December 22, 2010
[2] Information about the FTC's proposed changes to the COPPA Rule can be found in Kelley Drye & Warren's September 16, 2011 client advisory.