But some members of Congress just wrote a letter to the FTC, asking it to make COPPA a priority.
Background on COPPA
As most of our readers know, COPPA protects the privacy of kids under 13, mostly by requiring kid-directed web sites or apps, or sites/apps that have actual knowledge they’re dealing with kids, to get parental permission before collecting, using, or sharing kids’ data. Enacted in 1998, COPPA is now nearly 25 years old, a dinosaur in today’s fast-moving world of privacy. However, using the APA rulemaking authority granted in COPPA, the FTC has amended its COPPA rule to ensure that it keeps pace with developments – for example, extending the rule to ad networks and plug-ins; adding geolocation, persistent identifiers, photos, and videos to the definition of “personal information”; and strengthening the rule’s requirements governing data security, retention, and deletion.
However, those updates to COPPA became final in 2013 – almost ten years ago – and the FTC hasn’t amended the rule since then. Although the FTC initiated a rule review in July 2019, that review is still pending more than three years later. According to Regulations.gov, the Commission received over 176,000 public comments in the rule review. That’s a lot of comments, but it surely can’t explain such a lengthy delay.
Why hasn’t the FTC moved forward here?
There are likely a few reasons. First, as Commissioner Bedoya reportedly stated at a recent conference, the FTC is hoping that Congress updates the law – whether through amendments to COPPA (aka “COPPA 2.0”) or enactment of general privacy legislation – before the FTC must decide if and how to revise its COPPA rule. This is because Bedoya and other champions of kids’ privacy believe that fundamental changes to COPPA are needed – changes that go beyond what the FTC can do via rulemaking. Such changes include, for example, extending protections to teens or “tweens”; banning certain practices, like targeted advertising to minors; and changing the knowledge standard for general audience sites/apps from “actual knowledge” to “constructive knowledge.”
Second, the FTC appears to be considering whether it can expand kids’ and teens’ privacy protections through its FTC Act/Mag Moss authority – i.e., without having to rely on the COPPA statute. As we blogged a few weeks ago, the FTC’s “commercial surveillance” ANPR includes numerous questions about kids and teens that extend well beyond the FTC’s authority under COPPA, presumably in reliance on the underlying authority for the rulemaking (i.e., the FTC Act and Mag Moss). However, as we mentioned in the blogpost, there are obstacles to doing so, which the FTC is likely mulling. For one thing, the FTC’s power to expand kids’ protections through Mag Moss is limited. Indeed, Mag Moss requires proof that any practice to be regulated is “unfair or deceptive” but includes a specific provision restricting the FTC’s ability to regulate kids’ advertising using unfairness. (Advertising and privacy aren’t exactly the same thing, but there’s a big overlap.) For another thing, Congress and/or the courts might look askance at efforts by the FTC to “fill gaps” in COPPA using its general FTC Act/Mag Moss authority.
Third, the FTC (and its roughly 50-person privacy division) may simply have its hands full with the all of the tasks it has undertaken in privacy – including the “commercial surveillance” rulemaking; the upcoming workshop on “stealth advertising” directed to kids; the still-pending 6(b) study on social media and video streaming services (which included pointed questions regarding kids’ privacy); the “crackdowns” it has announced on EdTech, dark patterns (see here and here), and the misuse of sensitive health and location data; and other ongoing enforcement and policy demands.
Congressional letter
The above context makes the letter that four Democratic members of Congress (Senators Markey and Blumenthal and Representatives Castor and Trahan) sent to the FTC last week all the more interesting. The letter, which appears to be a response to Commissioner Bedoya’s statement that the FTC is waiting for Congress to act, essentially says “please don’t wait for us” and “we expect you to move forward on COPPA.” These members are all key players in kids’ privacy: Markey is the architect of the original COPPA statute and all four have sponsored bipartisan bills to expand kids’ and teens’ privacy (with the two bills in the Senate getting markups and votes out of the Senate Commerce Committee). However, they see time running out in this Congress for passage of their bills, and potentially time running out for the FTC before the 2024 election – and they don’t want the opportunity for kids’ privacy reform to slip away.
In particular, the letter commends the FTC for including questions about “surveillance threats to young users” in its “commercial surveillance” ANPR, and recognizes that Congress has a “responsibility to pass strong legislation” protecting kids. However, the letter stresses that the FTC also has a duty to “use its regulatory authority [under COPPA] to institute additional protections that address pressing threats online, a process the Commission has already begun.” According to the letter, such additional protections include expanding the scope of personal information covered by COPPA; fleshing out the prohibition on conditioning a child’s participation in an activity on excessive data collection; and updating and expanding protections related to platforms and online advertising.
Perspective
What does this mean? At one level, this finger-pointing exchange illustrates why state legislatures are moving forward more swiftly than Congress on privacy. At another, it provides some insight on the status of privacy legislation and the COPPA rulemaking. In particular, it suggests that (1) even the ardent privacy hawks in Congress don’t expect privacy legislation to pass during this session, and are now recognizing that publicly, and (2) FTC action on the COPPA rule might resume when the session in fact ends without passage of a privacy law (especially if Congress continues to send letters to the FTC like this one). We will continue to track all of these developments and dimensions here.
]]>While the FTC’s Republican Commissioners questioned whether there was anything really new in the Policy Statement (which was based on longstanding COPPA provisions, as well as FAQs posted on the FTC’s website), all seemed to agree that it elevates the issues highlighted and shows that COPPA is a top FTC priority.
And of course it is! Protecting kids and their data is one privacy issue that most people, regardless of professional or political affiliation, support. Further, under COPPA, the FTC can seek monetary relief (even post-AMG) and conduct rulemaking under the Administrative Procedures Act, as opposed to under the more cumbersome Mag-Moss process. So it’s not surprising that this issue would be high on the FTC’s agenda during this dynamic and volatile time for privacy.
What does the Policy Statement Say?
The Policy Statement emphasizes that COPPA includes substantive limits on the collection and use of children’s data (not just notice and consent requirements), and says that the FTC intends to fully enforce these provisions, including in school and learning settings where “parents may feel they lack alternatives.”
The Statement focuses in particular on the use of ed tech tools and devices, which have become integral to a range of school activities (especially during the pandemic) but which, per the Statement, raise concerns about data collection, use, and sharing beyond what’s necessary for these activities.
The statement describes COPPA’s substantive limits as follows:
What are some key takeaways?
We’ll keep the news coming on kids and privacy!
]]>There are some additional limitations on this policy. It does not apply when the operator requests personal information, such as a child’s name. Moreover, the operator may not use the recording for any use other than translation into text, such as behavioral targeting or identification purposes, before deleting it. If the operator does plan to collect other types of personal information, then it would be required to obtain parental consent.
Although the policy provides some clarification about the application of COPPA to voice-capture technologies, operators of child-directed services that collect children’s voices should ensure that their privacy policies and consent and notification procedures comply with COPPA requirements. Violators are liable for up to $40,654 in civil penalties per violation.
]]>TRUSTe offers a privacy compliance certification solution to website and app operators. The FTC approved TRUSTe (along with six other organizations to date) as a self-regulatory, safe harbor program that subjects its operators to the same or greater protections for children as the COPPA Rule. See 16 C.F.R. § 312.11. Once certified, TRUSTe’s members may display the “TRUSTe Kids Privacy” seal on digital properties (and possibly avoid being the subject of government enforcement). According to the NYAG, however, TRUSTe failed to scan its members’ web sites for third-party tracking practices prohibited by COPPA during annual recertification assessments required of any safe harbor program. In other instances, TRUSTe failed to notify members about the detection of prohibited tracking, or accepted member representations about the legality of such tracking. These accusations came on the heels of TRUSTe’s settlement with the FTC a few years ago for similar concerns. See True Ultimate Standards Everywhere, Inc., Doing Business as TRUSTe, Inc.; Analysis To Aid Public Comment, 79 Fed. Reg. 69850 (Nov. 24, 2014). Similar to its settlement with the FTC, TRUSTe must improve the scanning, assessment, and reporting of any third-party tracking on its members’ sites in addition to its penalty to the NYAG.
COPPA remains a powerful tool in the arsenal of the FTC and State Attorneys General to curtail the ever-increasing marketing by online businesses to children under the age of 13. Failure to adequately prevent illegal tracking technology, or any other enumerated prohibition of COPPA, opens the door to regulatory scrutiny and enormous monetary penalties. The increasing enforcement of COPPA by states signifies that the welfare of children online is a top priority for federal and state authorities alike.
]]>In separate complaints, FTC alleges that LAI and Retro Dreamer created a number of apps directed to children. The FTC's determination that the apps were kid-oriented was based on a number of factors, such as the subject matter, visual content, language, and use of animated characters or child-oriented activities and incentives. In both complaints, FTC alleges that the Defendants permitted third-party advertising networks to collect childrens’ PII in the form of persistent identifiers through the apps in order to serve targeted advertising on the app based on users’ activity over time and across sites (the FTC added persistent identifiers to the COPPA Rule’s definition of “personal information” when it updated the rule in 2013). The complaints, however, do not identify the specific persistent identifiers used.
FTC alleges that both LAI and Retro Dreamer failed to: (1) inform the ad networks that the apps were directed to children; (2) instruct or contractually require the ad networks to refrain from targeted ads; or (3) provide the required notices or obtain the required parental consent. In the case of Retro Dreamer, FTC also alleges that one of its advertising networks specifically warned the company about the obligations of the revised COPPA Rule, and also told the company that certain of its apps appeared to be targeted to children under the age of 13. The settlements prohibit the companies from further violations of the COPPA Rule. The settlement with LEI requires the company to pay a $60,000 civil penalty, while the settlement with Retro Dreamer requires it to pay a $300,000 civil penalty.
The settlements highlight that the FTC remains vigilant in this area. The agency will likely continue to closely monitor the information collection practices of website operators and app developers, in addition to third-party ad networks.
]]>Last spring, Topps invited its Facebook, Twitter, and Instagram followers to post photos of themselves “rocking” a Ring Pop (the company’s edible candy lollipop) using the hashtag #RockThatRock for a chance to have their photo featured in a music video for a popular tween band. In addition to social media, Topps promoted the contest on Candymania.com – its allegedly child-directed website that features content such as candy-related games. Entrants’ photos were posted on Candymania.com, and the music video, which has appeared on YouTube since June, has received over 900,000 views.
COPPA requires that businesses provide parental notice and obtain parental consent prior to collecting the personal information of children under age 13. The definition of “personal information” was updated in July 2013 to explicitly include photographs. COPPA violations carry a hefty fine – up to $16,000 per affected child – so it’s important to always consider a promotion’s potential audience, as well as the types of information collected.
]]>In order to meet the requirements of the kidSAFE Seal Program, a child-directed site or service must demonstrate compliance with the basic safety guidelines (the “kidSAFE certification”) and additional privacy guidelines (the “kidSAFE+ certification”). The program’s basic safety rules require: (1) chat and other interactive community features to be designed with safety protections and controls; (2) posting of rules and educational information about online safety; (3) procedures for handling safety issues and complaints to be in place; (4) parents to have basic safety controls over their child’s activities; and (5) content, advertising, and marketing to be age-appropriate.
The program’s privacy guidelines are specific to COPPA and require the operator to: (a) have neutral age-screening mechanisms, when appropriate; (b) provide notice and verifiable parental consent, as required under the COPPA Rule; (c) allow parents to access their child’s personal information; (d) protect the integrity and security of a child’s information; (d) post a COPPA-compliant privacy policy; and (e) cooperate with the kidSAFE Seal Program’s oversight and enforcement mechanisms.
The kidSAFE Seal Program was submitted to the FTC for approval on August 15, 2013. The Commission announced kidSAFE’s application in the Federal Register on September 18, 2013 and received public comment on the application through November 4, 2013. During the notice and comment period, some concerns were raised regarding certain aspects of the kidSAFE Seal Program, including the potential for consumer confusion regarding the meaning of the different kidSAFE self-regulatory programs (i.e., kidSAFE vs kidSAFE+) and the ability to evaluate and enforce member compliance. To address these and other concerns raised by the Commission, kidSAFE agreed to modify certain aspects of its program.
]]>Peter Swire, a professor at The Ohio State University Michael E. Moritz College of Law and a Senior Fellow with the Center for American Progress, opened the seminar with a keynote address that gave historical context to the most recent regulatory efforts addressing consumer privacy. Professor Swire’s remarks were followed by two panel sessions that included six experts representing key industry representatives and the federal agencies integral to recent privacy initiatives. The first panel discussed children's online privacy and the Federal Trade Commission’s proposed revisions to the Children's Online Privacy Protection Rule. The second panel discussed various consumer privacy enforcement and regulatory initiatives relating to mobile apps.
For more on the seminar, including a synopsis of key takeaways, see the Kelley Drye client advisory. An audio recording of the full program is also available.
]]>On February 16, Kelley Drye will gather government leaders from the FTC and FCC, and thought leaders in the industry, for a discussion about new regulations, enforcement trends, and best practices to avoid consumer privacy risks. Please join us for "Privacy in 2012: What to Watch Regarding COPPA, Mobile Apps, and Evolving Law Enforcement and Public Policy Trends."
Email [email protected] to register for the live seminar or teleconference.
KEYNOTE SPEAKER
Peter Swire, Professor of Law, Ohio State University; former Clinton Administration Chief Counselor for Privacy, U.S. Office of Management and Budget
PANEL 1: COPING WITH COPPA: CHILDREN'S PRIVACY AND PROPOSED REVISIONS TO THE COPPA RULE
Ellen Blackler, Vice President - Global Public Policy, The Walt Disney Company
Mamie Kresses, Senior Attorney, Division of Advertising Practices, Federal Trade Commission
Saira Nayak, Director of Policy, TRUSTe
Moderated by partners Dana Rosenfeld and Alysa Hutnik of Kelley Drye & Warren LLP
PANEL 2: MOBILE APPS: A PRIVACY AND CONSUMER PROTECTION HOT SPOT
Michael Altschul, Senior Vice President and General Counsel, CTIA
Jessica Rich, Associate Director, Division of Financial Practices, Federal Trade Commission
Jennifer Tatel, Associate General Counsel, Federal Communications Commission (invited)
Moderated by partners John Heitmann and Gonzalo Mon of Kelley Drye & Warren LLP
When:
February 16, 2012, 2:30 PM - 5:30 PM EST
Location:
Kelley Drye & Warren LLP
3050 K Street, NW, Suite 400
Washington, DC 20007-5108
And via audio webcast
RSVP:
Email [email protected] or contact Cassidy Russell at 202.342.8400.
This seminar is free of charge, but space is limited. Reserve your place today.
CLE and CPE credit may be available in certain jurisdictions.
]]>Kelley Drye prepared an advisory that outlines the proposed revisions to the Rule and describes what the new requirements would mean for businesses that have an online presence with respect to obtaining parental notice and consent, what data they can collect from children, and corresponding safeguards and data minimization requirements, to avoid incurring civil penalties of up to $16,000 per violation.
]]>W3 Innovations, which does business as Broken Thumbs Apps, develops and distributes apps including Emily’s Girl World and Emily’s Runway High Fashion (the “Emily Apps”), which are sold through the “Games-Kids” section of Apple, Inc.’s App Store. According to the FTC Complaint, the Emily Apps encouraged children to submit emails, including messages to friends and requests for advice, that were then posted as publicly-available blog entries to the “Emily’s blog” feature available on all Emily Apps sites. Children also could submit comments in response to the blog entries using a standard comment form that required users to provide their name and email address.
The FTC’s COPPA Rule (16 C.F.R. Part 312) is triggered when companies collect online personal information about children under the age of 13. The Rule requires website operators to notify parents and obtain their express consent before they collect, use, or disclose such children’s personal information. The Rule also requires website operators to post a clear and conspicuous privacy policy at each area of an online site that collects personal information from children. The FTC alleged that W3 violated COPPA when it did not obtain parental consent before it (1) collected and maintained at least 30,000 email addresses from children who participated in the “Emily’s blog” feature; and (2) allowed children to publicly post information, including personal information, to the blog and comments section of the app.
As this case demonstrates, the FTC is following through on statements that it made earlier this year that it was actively investigating a number of privacy issues associated with mobile devices, including features targeting children. Given the FTC’s interest in this area, companies seeking to enter the mobile app market or engage a younger audience using games or other online features should be aware of the key considerations and best practices (see here and here) that can help reduce risks resulting from increased legal and regulatory scrutiny.
This post was written by Alysa Z. Hutnik.
]]>Playdom owns and operates a number of online “virtual world” websites, including sites geared for children such as Pony Stars, where users can play online games, post profile pages and engage in other online activities. In the process, between 2006 and 2010, Playdom’s websites collected personal information on over 400,000 children under the age of 13. In July 2010, Playdom was acquired by a subsidiary of The Walt Disney Company.
COPPA requires website operators to maintain clear privacy policies and obtain parental consent prior to the collection, use or disclosure of personal information – such as name, address, email, and telephone number – for children under the age of 13. Playdom allegedly violated COPPA by collecting children’s ages and email addresses during online registration and enabling children-users to post personal information – their names, email addresses, instant messenger names and location information – on profile pages without first obtaining parental consent. Further, Playdom allegedly violated the FTC Act by misrepresenting on their privacy policies that children could not post profile pages, when in fact they could.
On May 11, 2011, the Department of Justice (on behalf of the FTC) formally filed a Complaint and entered the proposed $3 million Consent Decree and Order in the U.S. District Court for the Central District of California in Los Angeles. The $3 million Consent Decree marks the largest civil penalty doled out by the FTC under COPPA. This case and the growing list of cases involving online consumer privacy rights highlight the due diligence required when website operators and other companies collect, use and disclose consumer information (or acquire a company that does).
Christopher S. Koves contributed to this post.
]]>