Advisory: FTC Proposes Revisions to COPPA Rule, Imposes New Requirements on Website Operators/Services and Children’s Privacy
In September 2011, the Federal Trade Commission (“FTC”) released for public comment a Notice of Proposed Rulemaking detailing its proposed amendments to the rule implementing the Children’s Online Privacy Protection Act (“COPPA Rule”). Comments are due on November 28, 2011. The COPPA Rule notably requires operators of websites or online services that are directed to and/or collect information from children under 13 years old to obtain verifiable parental consent before collecting personal information from those children. The FTC’s proposed amendments seek to ensure that the Rule continues to protect children’s privacy in light of rapidly evolving technology and changes in the way children use and access the Internet. Specifically, the proposed Rule seeks to provide continued privacy protection to children as they engage in social networking and interactive gaming activity. The proposed amendments would modify or expand the Rule in the following areas:
- Definitions, including “personal information” and “collection”;
- Parental notice;
- Parental consent;
- Confidentiality and security of children’s personal information; and
- Self-regulatory “safe harbor” programs.
Each of these proposed modifications may have a significant impact on a company’s online practices.
The COPPA Rule requires covered operators to obtain verifiable parental consent before collecting personal information from children. The FTC proposal would modify and expand the definition of “personal information” to reach online screen and user names as well as “online contact information” (including data permitting direct contact with a child online, such as VoIP identifiers, an instant messaging user identifier, or video chat user name). The definition also would cover photographs, videos and audio files containing the child’s voice.
In addition, the FTC proposes to extend “personal information” to include geolocation information, including information published by the child’s mobile device, IP addresses, and certain types of persistent identifiers used for functions other than the website’s internal operations, such as tracking cookies used for behavioral advertising. The FTC proposal modifies the definition of “collection” to clarify that website operators may allow children to participate in interactive communities without parental consent, provided the operators take reasonable measures to delete “all or virtually all” children’s personal information before it is made public, and to delete such information from their records.
The FTC also proposes adding new methods for website operators to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database. The FTC proposal would eliminate the current method of “E-mail plus” parental consent, where an operator obtains consent through an email to a parent, followed by a delayed email confirmation notice to the parent after receiving consent.
Confidentiality and Security Requirements
The proposed rule would strengthen current confidentiality and security requirements. Specifically, the Commission proposes adding a requirement that operators ensure that any service providers or third parties to whom they disclose a child’s personal information have in place reasonable procedures to protect it. Additionally, the FTC would introduce a data retention limit and impose a deletion requirement, permitting operators to retain the information only as long as is reasonably necessary, and requiring them to properly delete that information, including taking reasonable measures to protect against unauthorized access to, or use of, the information in connection with its disposal.
Under COPPA, website operators may participate in self-regulatory safe harbor programs that include privacy protections equal to or greater than those required under COPPA and that include some kind of compliance procedure. The FTC now proposes to strengthen these safe harbor programs. Specifically, the revised COPPA Rule would require safe harbor programs, at a minimum, to conduct annual, comprehensive reviews of each of their members’ information to improve transparency and accountability of such programs. Additionally, the FTC would require safe harbor programs seeking Commission approval to provide detailed information about their business model and technological capabilities for assessing website operators’ fitness for membership as a way to enhance the reliability and sustainability of approved safe harbor programs. The FTC also proposes to change the safe harbor program recordkeeping requirements to require for the first time that safe harbor programs must submit reports to the FTC every eighteen months, detailing the results of independent audits and reporting any disciplinary action taken against any member during the relevant reporting period.
Certain key concepts remain unchanged under the proposed new COPPA Rule. The proposed COPPA Rule would not change the definition of a “child.” A “child” will continue to be defined as a minor under 13 years and, despite requests from some advocates, will not expand to include teens. Additionally, the revised rule would not modify or clarify the definition of “actual knowledge” that a site is collecting personal information from children.
Implications of Revised COPPA Rule
In the last two years, the FTC has taken an increasingly vocal role in protecting children’s online privacy in light of children’s increasing consumption of online services and Internet access. The Commission also has expressed concern about children’s use of mobile devices and apps, including announcing in August 2011 a settlement in its first case involving mobile applications, over charges that certain children’s games for the iPhone and iPod touch violated the COPPA Rule.
The amended COPPA Rule would impose significant new requirements on website operators regarding the types of information an operator may collect from children, how such information must be protected, and parental notice and consent requirements. The FTC can levy fines of up to $16,000 per violation for non-compliance.
The FTC has invited public comments on the proposed rulemaking. Written comments must be received on or before November 28, 2011. For more information or to discuss filing comments in this proceeding, or for information regarding Wiltshire & Grannis’ privacy practice, please contact John Nakahata, Brita Strandberg, Rob Carter or Madeleine Findley.
This advisory is not intended to convey legal advice. It is circulated as a convenience and is not intended to reflect or create an attorney-client relationship as to its subject matter.