Ad Law Access

Congress to FTC: “Please Update the COPPA Rule Now”

Laura Riposo VanDruff — Tue, 04 Oct 2022 08:13:31 -0400

Amidst all of the recent news and developments about the privacy of kids and teens (including multiple Congressional hearings; Frances Haugen’s testimony; enactment of the UK’s and California’s Age Appropriate Design Codes; the Irish DPC’s GDPR decision against Instagram; numerous bills in Congress; and the FTC’s ongoing focus on kids’ privacy in policy statements, workshops, and its “commercial surveillance” rulemaking), the FTC still has a powerful tool that seems to be sitting on the back-burner: the Children’s Online Privacy Protection Act (COPPA) and its implementing rule.

But some members of Congress just wrote a letter to the FTC, asking it to make COPPA a priority.

Background on COPPA

As most of our readers know, COPPA protects the privacy of kids under 13, mostly by requiring kid-directed web sites or apps, or sites/apps that have actual knowledge they’re dealing with kids, to get parental permission before collecting, using, or sharing kids’ data. Enacted in 1998, COPPA is now nearly 25 years old, a dinosaur in today’s fast-moving world of privacy. However, using the APA rulemaking authority granted in COPPA, the FTC has amended its COPPA rule to ensure that it keeps pace with developments – for example, extending the rule to ad networks and plug-ins; adding geolocation, persistent identifiers, photos, and videos to the definition of “personal information”; and strengthening the rule’s requirements governing data security, retention, and deletion.

However, those updates to COPPA became final in 2013 – almost ten years ago – and the FTC hasn’t amended the rule since then. Although the FTC initiated a rule review in July 2019, that review is still pending more than three years later. According to Regulations.gov, the Commission received over 176,000 public comments in the rule review. That’s a lot of comments, but it surely can’t explain such a lengthy delay.

Why hasn’t the FTC moved forward here?

There are likely a few reasons. First, as Commissioner Bedoya reportedly stated at a recent conference, the FTC is hoping that Congress updates the law – whether through amendments to COPPA (aka “COPPA 2.0”) or enactment of general privacy legislation – before the FTC must decide if and how to revise its COPPA rule. This is because Bedoya and other champions of kids’ privacy believe that fundamental changes to COPPA are needed – changes that go beyond what the FTC can do via rulemaking. Such changes include, for example, extending protections to teens or “tweens”; banning certain practices, like targeted advertising to minors; and changing the knowledge standard for general audience sites/apps from “actual knowledge” to “constructive knowledge.”

Second, the FTC appears to be considering whether it can expand kids’ and teens’ privacy protections through its FTC Act/Mag Moss authority – i.e., without having to rely on the COPPA statute. As we blogged a few weeks ago, the FTC’s “commercial surveillance” ANPR includes numerous questions about kids and teens that extend well beyond the FTC’s authority under COPPA, presumably in reliance on the underlying authority for the rulemaking (i.e., the FTC Act and Mag Moss). However, as we mentioned in the blogpost, there are obstacles to doing so, which the FTC is likely mulling. For one thing, the FTC’s power to expand kids’ protections through Mag Moss is limited. Indeed, Mag Moss requires proof that any practice to be regulated is “unfair or deceptive” but includes a specific provision restricting the FTC’s ability to regulate kids’ advertising using unfairness. (Advertising and privacy aren’t exactly the same thing, but there’s a big overlap.) For another thing, Congress and/or the courts might look askance at efforts by the FTC to “fill gaps” in COPPA using its general FTC Act/Mag Moss authority.

Third, the FTC (and its roughly 50-person privacy division) may simply have its hands full with the all of the tasks it has undertaken in privacy – including the “commercial surveillance” rulemaking; the upcoming workshop on “stealth advertising” directed to kids; the still-pending 6(b) study on social media and video streaming services (which included pointed questions regarding kids’ privacy); the “crackdowns” it has announced on EdTech, dark patterns (see here and here), and the misuse of sensitive health and location data; and other ongoing enforcement and policy demands.

Congressional letter

The above context makes the letter that four Democratic members of Congress (Senators Markey and Blumenthal and Representatives Castor and Trahan) sent to the FTC last week all the more interesting. The letter, which appears to be a response to Commissioner Bedoya’s statement that the FTC is waiting for Congress to act, essentially says “please don’t wait for us” and “we expect you to move forward on COPPA.” These members are all key players in kids’ privacy: Markey is the architect of the original COPPA statute and all four have sponsored bipartisan bills to expand kids’ and teens’ privacy (with the two bills in the Senate getting markups and votes out of the Senate Commerce Committee). However, they see time running out in this Congress for passage of their bills, and potentially time running out for the FTC before the 2024 election – and they don’t want the opportunity for kids’ privacy reform to slip away.

In particular, the letter commends the FTC for including questions about “surveillance threats to young users” in its “commercial surveillance” ANPR, and recognizes that Congress has a “responsibility to pass strong legislation” protecting kids. However, the letter stresses that the FTC also has a duty to “use its regulatory authority [under COPPA] to institute additional protections that address pressing threats online, a process the Commission has already begun.” According to the letter, such additional protections include expanding the scope of personal information covered by COPPA; fleshing out the prohibition on conditioning a child’s participation in an activity on excessive data collection; and updating and expanding protections related to platforms and online advertising.

Perspective

What does this mean? At one level, this finger-pointing exchange illustrates why state legislatures are moving forward more swiftly than Congress on privacy. At another, it provides some insight on the status of privacy legislation and the COPPA rulemaking. In particular, it suggests that (1) even the ardent privacy hawks in Congress don’t expect privacy legislation to pass during this session, and are now recognizing that publicly, and (2) FTC action on the COPPA rule might resume when the session in fact ends without passage of a privacy law (especially if Congress continues to send letters to the FTC like this one). We will continue to track all of these developments and dimensions here.

FTC Announces “Crack Down” on COPPA Violations by Ed Tech Companies

Tue, 24 May 2022 12:44:35 -0400

Amidst the rising focus on privacy issues affecting children and teens (which we’ve highlighted here, here, here, and here), the FTC just released a new Policy Statement on COPPA, its signature rule protecting the privacy of kids under 13. The Policy Statement, which the FTC unveiled at its May 19 Open Meeting, focuses in particular on COPPA’s application to education technologies used in and by schools to support learning (including remote learning during the pandemic). All five Commissioners voted for the Statement, including newly sworn-in Commissioner Bedoya, and four issued their own written statements. After the meeting, a bipartisan group of Senators, as well as President Biden, released statements praising the FTC’s actions.

While the FTC’s Republican Commissioners questioned whether there was anything really new in the Policy Statement (which was based on longstanding COPPA provisions, as well as FAQs posted on the FTC’s website), all seemed to agree that it elevates the issues highlighted and shows that COPPA is a top FTC priority.

And of course it is! Protecting kids and their data is one privacy issue that most people, regardless of professional or political affiliation, support. Further, under COPPA, the FTC can seek monetary relief (even post-AMG) and conduct rulemaking under the Administrative Procedures Act, as opposed to under the more cumbersome Mag-Moss process. So it’s not surprising that this issue would be high on the FTC’s agenda during this dynamic and volatile time for privacy.

What does the Policy Statement Say?

The Policy Statement emphasizes that COPPA includes substantive limits on the collection and use of children’s data (not just notice and consent requirements), and says that the FTC intends to fully enforce these provisions, including in school and learning settings where “parents may feel they lack alternatives.”

The Statement focuses in particular on the use of ed tech tools and devices, which have become integral to a range of school activities (especially during the pandemic) but which, per the Statement, raise concerns about data collection, use, and sharing beyond what’s necessary for these activities.

The statement describes COPPA’s substantive limits as follows:

Prohibitions Against Mandatory Collection: Covered entities can’t condition participation in an activity on collecting more information from a child than is necessary for that activity. (This prohibition comes right out of the COPPA statute and is echoed in the rule.)
Use Prohibitions: Covered entities, including ed tech providers, are “strictly limited” in how they can use data collected from children; for example, ed tech providers that collect kids’ data pursuant to a school’s authorization may use it only for the authorized educational purpose. (This isn’t in the COPPA statute or rule but builds on COPPA guidance and FERPA.)
Retention Prohibitions: Covered entities can’t retain personal information from a child longer than reasonably necessary to fulfill the purpose for which it was collected. (This isn’t in the COPPA statute, but was added to the rule as part of the 2013 amendments.)
Security Requirements: Covered entities must have reasonable procedures to maintain the confidentiality, security, and integrity of kids’ data. (This comes from the COPPA statute, and the FTC expanded these duties in the 2013 amendments. See Section 312.8)

What are some key takeaways?

Kids’ privacy (and advertising) will be a major focus in the coming year. Yeah, this one is obvious, especially since the FTC released the Policy Statement alongside (1) a press release announcing an October 19 workshop on “stealth advertising” directed to children, and (2) proposed updates to the Endorsement Guides, with a new section addressing child-directed endorsements. (The May 23 announcement for Privacy Con also calls for research on privacy risks for kids and teens.) However, it’s worth noting that while the FTC has significant authority to address these issues (under COPPA and the FTC Act), that authority isn’t limitless. By law, COPPA is confined to children under 13, so the FTC can’t use it to address teens – currently a big concern. Further, Congress barred the FTC (long ago) from using its unfairness authority to regulate kids’ advertising. See FTC Act Section 18(h).
The provisions highlighted in the Policy Statement aren’t limited to ed tech (for the most part). I say “for the most part” because one of the limits discussed (use limitations) is narrower than the Statement suggests. In particular, the Statement implies that COPPA contains “strict” use limitations that extend to all covered entities. In fact, the COPPA law and rule don’t contain broad use limitations (other than the limits created by notice and consent) – ed tech is a special case, woven together from COPPA guidance and FERPA.
Ed tech and other covered entities should assess their compliance now. The FTC is unlikely to be sympathetic to any company caught violating the highlighted provisions. All five Commissioners voted for the Policy Statement; it reiterates longstanding COPPA requirements (mostly – see above); and it has bipartisan support in Congress. Although we may not see the big “crack down” promised in the FTC’s press release (indeed, the FTC has announced a lot of “crack downs” and it has a lot on its plate), the FTC is likely to conduct investigations and bring some cases here.
The status of the COPPA regulatory review remains a mystery. A formal review of the COPPA rule has been pending since 2019, and Commissioners Wilson and Philips (among others) queried why the FTC would issue a policy statement instead of completing that review. Where’s the rule? Neither the Policy Statement nor discussions at the Open Meeting answered that question.
The announcement provides clues about the FTC’s future plans. Clearly, the FTC is moving forward to impose more substantive limits on business conduct, as Khan has said it would. That’s evident here, as well as in FTC cases requiring, for example, deletion of data and algorithms as a remedy. Khan and her colleagues have also stated that they want to use unfairness more aggressively (for example, to stop “surveillance” and discrimination) – a strategy that could apply to cases and rulemakings across the FTC’s many program areas. In the coming months, we should expect to see stricter conduct limits imposed (or proposed) in multiple contexts, including in the FTC’s anticipated “surveillance” rulemaking.
The Commissioners are worried about staff morale. In the face of crushing reports about the steep drop in staff morale at the agency, all of the Commissioners (in their oral and written remarks) thanked staff profusely for their work in developing the Policy Statement and related announcements. (As well they should.)

We’ll keep the news coming on kids and privacy!

FTC Issues Enforcement Policy on Collection and Use of Voice Recordings of Children Under COPPA

Dana B. Rosenfeld — Fri, 27 Oct 2017 06:55:35 -0400

On Monday, the FTC issued an Enforcement Policy Statement stating that the Commission will not take action against operators that collect an audio file of a child’s voice as a replacement for written words, such as for translation into text, without first obtaining parental consent, provided the file is retained only for the brief time necessary for that purpose. However, the operator is still obligated to indicate in its privacy policy how it will collect and use children’s voice recordings, as well as its policy for deletion. The FTC reasons that, although COPPA applies to the collection online of files that contain children’s voices, even if they are immediately deleted after collection, the risk associated with such collection and immediate deletion is minimal.

There are some additional limitations on this policy. It does not apply when the operator requests personal information, such as a child’s name. Moreover, the operator may not use the recording for any use other than translation into text, such as behavioral targeting or identification purposes, before deleting it. If the operator does plan to collect other types of personal information, then it would be required to obtain parental consent.

Although the policy provides some clarification about the application of COPPA to voice-capture technologies, operators of child-directed services that collect children’s voices should ensure that their privacy policies and consent and notification procedures comply with COPPA requirements. Violators are liable for up to $40,654 in civil penalties per violation.

Privacy Certification Program Settles COPPA Violations with NYAG

Thu, 13 Apr 2017 15:14:49 -0400

Last week, True Ultimate Standards Everywhere, Inc. (“TRUSTe”) agreed to pay the New York Attorney General (“NYAG”) a $100,000 penalty, and beef up privacy measures, to settle alleged violations of the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501-6506 (“COPPA”). The Federal Trade Commission (“FTC”) is authorized to issue rules under COPPA, § 6502(b), and, along with the State Attorneys General, enforces it, §§ 6504(a), 6505(a). Generally, the FTC’s “COPPA Rule” mandates that operators of websites directed to children under the age of 13, or website operators that knowingly collect personal information from children under 13, must provide parents with notice of their information practices, make the collected information available upon request, limit the collection of such information, and secure it. See generally 16 C.F.R. pt. 312. Additionally, and relevant to this settlement, “collection” includes the passive tracking of children’s personal information through a persistent identifier, and not just its active collection. 16 C.F.R. § 312.2. Failure to comply may subject an operator to a penalty up to $40,654 per violation and a permanent injunction. See 15 U.S.C. §§ 45(a)(1), 45(m), 53(b), 57a(d)(3), 6502(c); 16 C.F.R. §§ 1.98, 312.9.

TRUSTe offers a privacy compliance certification solution to website and app operators. The FTC approved TRUSTe (along with six other organizations to date) as a self-regulatory, safe harbor program that subjects its operators to the same or greater protections for children as the COPPA Rule. See 16 C.F.R. § 312.11. Once certified, TRUSTe’s members may display the “TRUSTe Kids Privacy” seal on digital properties (and possibly avoid being the subject of government enforcement). According to the NYAG, however, TRUSTe failed to scan its members’ web sites for third-party tracking practices prohibited by COPPA during annual recertification assessments required of any safe harbor program. In other instances, TRUSTe failed to notify members about the detection of prohibited tracking, or accepted member representations about the legality of such tracking. These accusations came on the heels of TRUSTe’s settlement with the FTC a few years ago for similar concerns. See True Ultimate Standards Everywhere, Inc., Doing Business as TRUSTe, Inc.; Analysis To Aid Public Comment, 79 Fed. Reg. 69850 (Nov. 24, 2014). Similar to its settlement with the FTC, TRUSTe must improve the scanning, assessment, and reporting of any third-party tracking on its members’ sites in addition to its penalty to the NYAG.

COPPA remains a powerful tool in the arsenal of the FTC and State Attorneys General to curtail the ever-increasing marketing by online businesses to children under the age of 13. Failure to adequately prevent illegal tracking technology, or any other enumerated prohibition of COPPA, opens the door to regulatory scrutiny and enormous monetary penalties. The increasing enforcement of COPPA by states signifies that the welfare of children online is a top priority for federal and state authorities alike.

App Developers Settle COPPA Violations Relating to Third-Party Ad Network Practices

Fri, 18 Dec 2015 15:00:25 -0500

This week, the FTC announced settlements with two mobile app developers – LAI Systems, LLC and Retro Dreamer (including two of its principals) – concerning allegations that their apps collected childrens’ personal information without obtaining parental consent in violation of COPPA. These cases are the first in which the FTC has held a company liable for COPPA violations relating to the information collection practices of a third-party ad network .

In separate complaints, FTC alleges that LAI and Retro Dreamer created a number of apps directed to children. The FTC's determination that the apps were kid-oriented was based on a number of factors, such as the subject matter, visual content, language, and use of animated characters or child-oriented activities and incentives. In both complaints, FTC alleges that the Defendants permitted third-party advertising networks to collect childrens’ PII in the form of persistent identifiers through the apps in order to serve targeted advertising on the app based on users’ activity over time and across sites (the FTC added persistent identifiers to the COPPA Rule’s definition of “personal information” when it updated the rule in 2013). The complaints, however, do not identify the specific persistent identifiers used.

FTC alleges that both LAI and Retro Dreamer failed to: (1) inform the ad networks that the apps were directed to children; (2) instruct or contractually require the ad networks to refrain from targeted ads; or (3) provide the required notices or obtain the required parental consent. In the case of Retro Dreamer, FTC also alleges that one of its advertising networks specifically warned the company about the obligations of the revised COPPA Rule, and also told the company that certain of its apps appeared to be targeted to children under the age of 13. The settlements prohibit the companies from further violations of the COPPA Rule. The settlement with LEI requires the company to pay a $60,000 civil penalty, while the settlement with Retro Dreamer requires it to pay a $300,000 civil penalty.

The settlements highlight that the FTC remains vigilant in this area. The agency will likely continue to closely monitor the information collection practices of website operators and app developers, in addition to third-party ad networks.

Privacy Groups Ask FTC to Investigate Contest Sponsor for Alleged COPPA Violations

Tue, 16 Dec 2014 09:00:42 -0500

Last week, ten privacy groups requested that the FTC open an investigation into a Topps Co. online contest, which they allege violated the Children’s Online Privacy Protection Act (COPPA). Specifically, the groups claim that Topps's #RockThatRock contest collected photos of children under age 13 without obtaining their parents’ consent.

Last spring, Topps invited its Facebook, Twitter, and Instagram followers to post photos of themselves “rocking” a Ring Pop (the company’s edible candy lollipop) using the hashtag #RockThatRock for a chance to have their photo featured in a music video for a popular tween band. In addition to social media, Topps promoted the contest on Candymania.com – its allegedly child-directed website that features content such as candy-related games. Entrants’ photos were posted on Candymania.com, and the music video, which has appeared on YouTube since June, has received over 900,000 views.

COPPA requires that businesses provide parental notice and obtain parental consent prior to collecting the personal information of children under age 13. The definition of “personal information” was updated in July 2013 to explicitly include photographs. COPPA violations carry a hefty fine – up to $16,000 per affected child – so it’s important to always consider a promotion’s potential audience, as well as the types of information collected.

FTC Updates COPPA FAQs on Parental Consent Mechanisms

Fri, 18 Jul 2014 09:45:15 -0400

This week, the Federal Trade Commission announced the latest revisions to its Frequently Asked Questions (“FAQs”) document to assist online operators as they work to comply with changes to the Children’s Online Privacy Protection (“COPPA”) Rule that went into effect on July 1, 2013. The updated FAQs provide the following expanded guidance on verifiable parental consent (“VPC”) mechanisms under the Rule:

Credit or Debit Card Number: The FTC revises FAQ H.5 to recognize that an operator may collect a credit or debit card number without engaging in a monetary transaction, if the method is “reasonably calculated” to ensure that consent is being provided by the parent. For example, an operator could supplement the request for credit card information with special questions to which only parents would know the answer and find supplemental ways to contact the parent. This is a change from the FTC’s previous FAQ, which required all credit or debit card numbers to be coupled with a monetary transaction.
Reliance on Third Party Platforms to Obtain VPC: The FTC revises FAQ H.10 to allow app developers to rely on VPC obtained by a third party, such as an app store, if the developer provides parents with a direct notice outlining its information collection practices before the parent provides consent. The operator, however, must ensure that the third party is obtaining consent in a way that is reasonably calculated to ensure the person providing the consent is the parent. Merely allowing a parent to enter an app store account number or password, however, would not be enough to guarantee that it is the parent, and not the child, entering the information.
Third Party Platform Liability for Obtaining VPC: In connection with FAQ H.10, the FTC provides a new FAQ H.16 for app stores providing a VPC mechanism for operators to use. The FTC recognizes that, because app stores are not “operators” under COPPA, they will not be liable under COPPA for failing to investigate the privacy practices of the operators for whom they obtain consent. The FTC cautions such third parties that they may nonetheless be liable under Section 5 of the FTC Act if, for example, they overstate the level of oversight provided for a child-directed app.

These updates are the latest in a series of recent updates to the COPPA FAQs (also see here, here, here, and here) to educate operators of websites and online services directed to children about their obligations under the amended COPPA Rule.

FTC Approves kidSAFE as Safe Harbor Program Under COPPA

Alysa Z. Hutnik — Tue, 18 Feb 2014 17:08:54 -0500

Last week, the Federal Trade Commission approved the kidSAFE Seal Program as a safe harbor program under the Children’s Online Privacy Protection Act (COPPA) and FTC’s COPPA Rule. The FTC’s revised COPPA Rule (effective July 2013) restricts the ways that child-directed sites and their third-party affiliates can collect and use personal information from children under the age of 13. The Rule contains a “safe harbor” provision enabling industry groups or others to submit self-regulatory program guidelines to the FTC for approval. Companies that meet the requirements of a safe harbor program will be deemed to be in compliance with the COPPA Rule for purposes of enforcement. To date, the FTC has approved six COPPA safe harbor programs.

In order to meet the requirements of the kidSAFE Seal Program, a child-directed site or service must demonstrate compliance with the basic safety guidelines (the “kidSAFE certification”) and additional privacy guidelines (the “kidSAFE+ certification”). The program’s basic safety rules require: (1) chat and other interactive community features to be designed with safety protections and controls; (2) posting of rules and educational information about online safety; (3) procedures for handling safety issues and complaints to be in place; (4) parents to have basic safety controls over their child’s activities; and (5) content, advertising, and marketing to be age-appropriate.

The program’s privacy guidelines are specific to COPPA and require the operator to: (a) have neutral age-screening mechanisms, when appropriate; (b) provide notice and verifiable parental consent, as required under the COPPA Rule; (c) allow parents to access their child’s personal information; (d) protect the integrity and security of a child’s information; (d) post a COPPA-compliant privacy policy; and (e) cooperate with the kidSAFE Seal Program’s oversight and enforcement mechanisms.

The kidSAFE Seal Program was submitted to the FTC for approval on August 15, 2013. The Commission announced kidSAFE’s application in the Federal Register on September 18, 2013 and received public comment on the application through November 4, 2013. During the notice and comment period, some concerns were raised regarding certain aspects of the kidSAFE Seal Program, including the potential for consumer confusion regarding the meaning of the different kidSAFE self-regulatory programs (i.e., kidSAFE vs kidSAFE+) and the ability to evaluate and enforce member compliance. To address these and other concerns raised by the Commission, kidSAFE agreed to modify certain aspects of its program.

Insights from Kelley Drye's 4th Annual Privacy Seminar

Wed, 22 Feb 2012 17:53:55 -0500

On February 16, 2012, Kelley Drye & Warren LLP hosted the seminar and audiocast, “Privacy in 2012: What to Watch Regarding COPPA, Mobile Apps, and Evolving Law Enforcement and Public Policy Trends.” The seminar highlighted regulatory and legislative developments in privacy and information security during the past year, with an emphasis on children's online privacy and mobile applications.

Peter Swire, a professor at The Ohio State University Michael E. Moritz College of Law and a Senior Fellow with the Center for American Progress, opened the seminar with a keynote address that gave historical context to the most recent regulatory efforts addressing consumer privacy. Professor Swire’s remarks were followed by two panel sessions that included six experts representing key industry representatives and the federal agencies integral to recent privacy initiatives. The first panel discussed children's online privacy and the Federal Trade Commission’s proposed revisions to the Children's Online Privacy Protection Rule. The second panel discussed various consumer privacy enforcement and regulatory initiatives relating to mobile apps.

For more on the seminar, including a synopsis of key takeaways, see the Kelley Drye client advisory. An audio recording of the full program is also available.

Join us Feb. 16 for "Privacy in 2012" Seminar and Teleconference

Wed, 25 Jan 2012 10:39:07 -0500

Changes to privacy regulations, such as proposed revisions to the Children's Online Privacy Protection Act (COPPA), and continuously evolving technologies, including mobile apps with location-based services, can make it difficult for businesses to ensure their privacy practices are up to par.

On February 16, Kelley Drye will gather government leaders from the FTC and FCC, and thought leaders in the industry, for a discussion about new regulations, enforcement trends, and best practices to avoid consumer privacy risks. Please join us for "Privacy in 2012: What to Watch Regarding COPPA, Mobile Apps, and Evolving Law Enforcement and Public Policy Trends."

Email [email protected] to register for the live seminar or teleconference.

KEYNOTE SPEAKER

Peter Swire, Professor of Law, Ohio State University; former Clinton Administration Chief Counselor for Privacy, U.S. Office of Management and Budget

PANEL 1: COPING WITH COPPA: CHILDREN'S PRIVACY AND PROPOSED REVISIONS TO THE COPPA RULE

Ellen Blackler, Vice President - Global Public Policy, The Walt Disney Company

Mamie Kresses, Senior Attorney, Division of Advertising Practices, Federal Trade Commission

Saira Nayak, Director of Policy, TRUSTe

Moderated by partners Dana Rosenfeld and Alysa Hutnik of Kelley Drye & Warren LLP

PANEL 2: MOBILE APPS: A PRIVACY AND CONSUMER PROTECTION HOT SPOT

Michael Altschul, Senior Vice President and General Counsel, CTIA

Jessica Rich, Associate Director, Division of Financial Practices, Federal Trade Commission

Jennifer Tatel, Associate General Counsel, Federal Communications Commission (invited)

Moderated by partners John Heitmann and Gonzalo Mon of Kelley Drye & Warren LLP

When:
February 16, 2012, 2:30 PM - 5:30 PM EST

Location:
Kelley Drye & Warren LLP
3050 K Street, NW, Suite 400
Washington, DC 20007-5108

And via audio webcast

RSVP:
Email [email protected] or contact Cassidy Russell at 202.342.8400.

This seminar is free of charge, but space is limited. Reserve your place today.

CLE and CPE credit may be available in certain jurisdictions.

FTC Proposes Changes to Children's Privacy Rule

Fri, 16 Sep 2011 16:51:42 -0400

Late this week, the FTC issued its proposed amendments to the Children’s Online Privacy Protection Rule ("COPPA Rule"). The proposed revisions are intended to maintain privacy protections for children who increasingly participate in social networking and interactive gaming, or engage in online activities through a mobile device. The FTC seeks written comments to the proposed amendments, which are due by November 28, 2011.

Kelley Drye prepared an advisory that outlines the proposed revisions to the Rule and describes what the new requirements would mean for businesses that have an online presence with respect to obtaining parental notice and consent, what data they can collect from children, and corresponding safeguards and data minimization requirements, to avoid incurring civil penalties of up to $16,000 per violation.

FTC Settles with Mobile App Developer Over Alleged Privacy Violations

Alysa Z. Hutnik — Tue, 16 Aug 2011 09:17:46 -0400

On August 15, 2011, the FTC announced a settlement with W3 Innovations, LLC (“W3”) and its President over charges that the company violated the Children’s Online Privacy Protection Act (“COPPA”) when W3 allegedly collected and disclosed personal information from tens of thousands of children without their parents’ consent. The settlement requires W3 and its president to pay $50,000, and they must delete all personal information collected in violation of COPPA. The case marks the FTC’s first action against a mobile applications (“apps”) developer.

W3 Innovations, which does business as Broken Thumbs Apps, develops and distributes apps including Emily’s Girl World and Emily’s Runway High Fashion (the “Emily Apps”), which are sold through the “Games-Kids” section of Apple, Inc.’s App Store. According to the FTC Complaint, the Emily Apps encouraged children to submit emails, including messages to friends and requests for advice, that were then posted as publicly-available blog entries to the “Emily’s blog” feature available on all Emily Apps sites. Children also could submit comments in response to the blog entries using a standard comment form that required users to provide their name and email address.

The FTC’s COPPA Rule (16 C.F.R. Part 312) is triggered when companies collect online personal information about children under the age of 13. The Rule requires website operators to notify parents and obtain their express consent before they collect, use, or disclose such children’s personal information. The Rule also requires website operators to post a clear and conspicuous privacy policy at each area of an online site that collects personal information from children. The FTC alleged that W3 violated COPPA when it did not obtain parental consent before it (1) collected and maintained at least 30,000 email addresses from children who participated in the “Emily’s blog” feature; and (2) allowed children to publicly post information, including personal information, to the blog and comments section of the app.

As this case demonstrates, the FTC is following through on statements that it made earlier this year that it was actively investigating a number of privacy issues associated with mobile devices, including features targeting children. Given the FTC’s interest in this area, companies seeking to enter the mobile app market or engage a younger audience using games or other online features should be aware of the key considerations and best practices (see here and here) that can help reduce risks resulting from increased legal and regulatory scrutiny.

This post was written by Alysa Z. Hutnik.

Disney's Playdom Charged with Violating Children's Online Privacy, Enters $3 Million FTC Settlement

Fri, 13 May 2011 16:22:33 -0400

On May 12, 2011, the FTC announced that it reached a $3 million settlement with online “virtual worlds” website provider Playdom, Inc., a Disney subsidiary, for allegedly violating its own privacy policies and collecting and disclosing personal information on hundreds of thousands of children without parental consent – potential violations of the Children’s Online Privacy Protection Act (COPPA).

Playdom owns and operates a number of online “virtual world” websites, including sites geared for children such as Pony Stars, where users can play online games, post profile pages and engage in other online activities. In the process, between 2006 and 2010, Playdom’s websites collected personal information on over 400,000 children under the age of 13. In July 2010, Playdom was acquired by a subsidiary of The Walt Disney Company.

COPPA requires website operators to maintain clear privacy policies and obtain parental consent prior to the collection, use or disclosure of personal information – such as name, address, email, and telephone number – for children under the age of 13. Playdom allegedly violated COPPA by collecting children’s ages and email addresses during online registration and enabling children-users to post personal information – their names, email addresses, instant messenger names and location information – on profile pages without first obtaining parental consent. Further, Playdom allegedly violated the FTC Act by misrepresenting on their privacy policies that children could not post profile pages, when in fact they could.

On May 11, 2011, the Department of Justice (on behalf of the FTC) formally filed a Complaint and entered the proposed $3 million Consent Decree and Order in the U.S. District Court for the Central District of California in Los Angeles. The $3 million Consent Decree marks the largest civil penalty doled out by the FTC under COPPA. This case and the growing list of cases involving online consumer privacy rights highlight the due diligence required when website operators and other companies collect, use and disclose consumer information (or acquire a company that does).

Christopher S. Koves contributed to this post.