Erika Brown Lee, Susan Linda Ross and Pamela Jones Harbour
October 11, 2011
Does your company offer mobile apps with animated characters? Does your website have a section aimed at students, explaining your goods or services in a fun and educational way? Does your company run a contest for students to submit artwork or essays on your web site? Your company may be involved in healthcare or financial services or manufacturing, but these offerings could bring your company within the scope of the Children's Online Privacy Protection Act (COPPA) and the Federal Trade Commission's regulation.
On September 27, 2011, the FTC proposed updates to its COPPA regulation, which initially went into effect in 2000. The current regulation imposes restrictions on companies that operate websites or provide online services directed at children under the age of 13, and on companies that have actual knowledge that they are collecting personal information online from children under 13. The major changes proposed by the FTC affect: (1) the definition of personal information and what it means to "collect" it; (2) the requirements for parental notice; (3) the forms of parental consent; (4) confidentiality, security and data retention requirements; and (5) safe harbor programs. Left unchanged is the definition of "actual knowledge." As a result, companies that seek or collect age-identifying information directly or indirectly from online users could trigger a potential COPPA violation by such activity.
The FTC has significantly expanded the definition of "personal information" in its proposed amendments to COPPA. The changes reflect the growing consensus that, in light of evolving technologies, it has become harder to distinguish between personal information and non-personal information. Specifically, the definition of "personal information" has been revised to include, as separate categories: geolocation data; screen names; and photographs and audio/video files that contain a child's image or voice. This expansion is particularly noteworthy because in the existing definition, audio and video files are not mentioned, and photos and screen names are subject to COPPA requirements only if they contain contact information such as an email address. The current definition of "personal information" also incorporates persistent identifiers such as a customer number held in a cookie if it is associated with individually identifiable information. The amendments extend the scope of persistent identifiers to include all cookies, IP addresses, and unique device identifiers, unless website operators can demonstrate that the identifiers are collected solely for the purpose of internal operations.
Although the FTC did not propose changes to the definition of "online services," it explained that mobile technologies were generally considered within the scope of COPPA. Specifically, the FTC considers all of the following to be "online services" under COPPA: "mobile applications that allow children to play network-connected games, engage in social networking activities, purchase goods or services online, receive behaviorally targeted advertisements, or interact with other content or services. Likewise, Internet-enabled gaming platforms, voice-over-Internet protocol services, and Internet-enabled location-based services, also are online services covered by COPPA and the Rule." (76 Fed. Reg. 59807 (footnotes omitted)) The proposed amendments, however, do not expand COPPA within one portion of the mobile realm. Specifically, the FTC notes: "The Commission agrees that where mobile services do not traverse the Internet or a wide-area network, COPPA will not apply." (76 Fed. Reg. 59807)
The FTC has also redefined what it means by the online "collection" of personal information. In its present form, COPPA applies only to websites that request information. The FTC now proposes to broaden the definition to include the passive tracking of children online, as well as the "prompting" and "encouraging" of children to disclose personal information. Notwithstanding the wider applicability of the revised definition, however, the FTC also proposes to lower the threshold for an exemption. Currently, COPPA exempts website operators only if 100% of the information collected from children online is deleted before it is made public. Under the amendments, the agency would instead require the operator to take "reasonable measures" to delete all or "virtually all" of the information collected.
Requirements for Parental Notice
Once COPPA provisions are triggered, website operators are required to provide parents with clear and complete notice of the operator's information practices. COPPA requires both online notice on the operator's website and direct notice delivered to the parents. The proposed amendments shorten and clarify the instructions regarding the placement of the online notice. The FTC also proposes to make changes to content requirements for the online notice. The revisions require more complete contact information for the website operator, including name, street address, telephone number, and email. More significantly, the FTC intends to expand the number of entities that would be required to provide notice. The existing regulation imposes the notice requirements only on the website operator. In contrast, the proposed changes impose notice requirements on all companies that operate on the website (e.g., an advertising network that has permission to use the operator's website and collects user information). The FTC has also indicated a preference to move away from posted privacy policies and towards notice delivered directly to a parent whose child seeks to register on the site or service ("direct notice"). In refining the requirements for direct notice, the FTC's stated goal is to ensure that direct notice functions as a "just-in-time" message to parents, the content of which would vary depending on the information practices of the website operator.
Forms of Parental Consent
In order to collect, use or disclose personal information collected online from children, COPPA requires website operators to obtain verifiable consent from parents. Among the current methods for securing parental consent are a signed consent form, digital certificates, and having the parent use a credit card in connection with the transaction. The FTC also currently permits a sliding scale mechanism (often referred to as "email-plus") for parental consent, which enables an operator to obtain verifiable consent through an email, so long as it is coupled with additional information such as a telephone number or postal address. In comments to the proposed changes, the FTC has rejected the sliding scale approach, concluding that it "has outlived its usefulness and should no longer be a recognized approach to parental consent under the Rule." (76 Fed. Reg. 59819) With the goal of promoting innovation and the development of more reliable forms of consent, the proposed amendments embrace new technologies, including electronic scans of parental consent forms and videoconferences. The revised language also permits verification by cross-checking government-issued identification against "databases of such information." The comments to the proposed changes do not elaborate on the types of databases.
Confidentiality, Security, and Data Retention Requirements
Existing COPPA provisions require website operators to "establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children." The FTC now proposes to extend the confidentiality, security, and integrity requirements to third parties. As a result, operators will not only have to use reasonable procedures to protect the security of their own systems, but must also take reasonable measures to ensure that any third party to whom they release children's personal information has in place reasonable procedures to safeguard that personal information.
The proposed amendments also add a new data retention and deletion provision regarding the information collected from children. The provision requires that website operators retain personal information only as long "as is reasonably necessary to fulfill the purpose for which the personal information was collected." In deleting information, the operator must use "reasonable measures" to prevent unauthorized access to, or use of, the information in connection with its deletion.
Safe Harbor Programs
Safe harbor programs under COPPA were created in order to encourage self-regulatory compliance with the Act's requirements. Operators that fully comply with an FTC-approved safe harbor program are subject to program review and disciplinary procedures rather than formal enforcement. Several entities, including TRUSTe, which has been approved to operate a COPPA safe harbor program, have called for additional FTC oversight of the program. In response, the FTC proposes to require, among other things, that: (1) safe harbor program applicants submit more comprehensive information in order to secure FTC approval; (2) approved safe harbor programs establish more rigorous baseline oversight of their members; and (3) safe harbor programs conduct annual reviews and independent assessments every 18 months and submit the reports to the FTC. With respect to the third requirement, the rule would maintain the requirement that a safe harbor program include "an effective, mandatory mechanism for the independent assessment of subject operators' compliance with the self-regulatory program guidelines." The FTC proposes to require that, at a minimum, safe harbor programs conduct annual, comprehensive reviews of each of their members' information practices. Within one year after the effective date of the Final Rule amendments, and every eighteen months thereafter, each safe harbor program would be required to submit a report to the FTC. That report would contain, at a minimum, the results of the independent assessment conducted, a description of any disciplinary action taken against any web site operator, and a description of any approvals of member operators' use of parental consent mechanisms.
The deadline for comments on the proposed changes to COPPA is Monday, November 28, 2011.
This article was prepared by Erika Brown Lee (email@example.com or 202 662 0398), Sue Ross (firstname.lastname@example.org or 212 318 3280), and Pamela Jones Harbour (email@example.com, 202 662 4505 or 212 318 3324) from Fulbright's Privacy, Competition, and Data Protection Practice Group.