United States: Federal Trade Commission Updates Children’s Online Privacy Protection Rules: First Update In 12 Years

Shortly before the end of the year, the Federal Trade Commission (the "Commission") published revisions to the COPPA Rule (the "Final Rule"),¹ issued pursuant to the Children's Online Privacy Protection Act of 1998 ("COPPA").² The COPPA Rule "seeks to put parents in control of what information commercial sites collect from their children online,"³ and applies to "operators" of a "website or online service directed to children," as well as to general audience websites that have "actual knowledge" that they are "collecting or maintaining personal information from a child."⁴

Since April 2000, when the COPPA Rule first went into effect, the Commission has required covered website operators to post privacy policies, provide notice and get verifiable consent from a parent or guardian before collecting personal information from children.⁵ The December revisions include modifications to key definitional provisions contained in the COPPA Rule, requirements related to notice, parental consent, confidentiality and security, and the COPPA Rule's safe harbor provisions. The new requirements take effect July 1, 2013.

The 2012 modifications to the rule are intended to bring the COPPA Rule up-to-date in light of significant technological changes that have occurred in the ten-plus years since the original rule was promulgated. While the heart of the COPPA Rule remains relatively unchanged, the rule does expand the scope of businesses and activities subject to its requirements and makes several notable changes to what is required. In light of the increased focus of state and federal regulatory agencies on privacy issues affecting all consumers, businesses would be prudent to take careful note of these changes to ensure compliance.

Revised Definitional Provisions

• Expansion of Scope of "Operator" and "Website or Online Service Directed to Children." These core terms of the COPPA Rule were revised to "allocate and clarify the responsibilities under COPPA when independent entities or third parties, e.g., advertising networks or downloadable plug-ins, collect information from users through child-directed sites and services."⁶ The revised rule includes a proviso along with the definition of "operator" that clarifies that personal information is "collected or maintained on behalf of" an operator when "(a) it is collected or maintained by an agent or service provider of the operator; or (b) the operator benefits by allowing another person to collect personal information directly from users of such operator's website or online service."⁷ The revised rule holds the "child directed content provider" "strictly liable" for the personal information of children collected by third parties through its site⁸ and clarifies that platforms like Google play and the App Store are not covered by the term.⁹
  
  In addition, the term "website or online service directed to children" is revised to include plug-in or advertising networks that have "actual knowledge" that they are collecting personal information through a child-directed website or service.¹⁰ The Commission also revised the definition of "website or online service directed to children" to include "musical content, the presence of child celebrities, and celebrities that appeal to children" as factors considered by the Commission in determining whether a site or service is directed to children.¹¹
  
  Finally, the Commission amended paragraph (c) of the definition to clarify when a child-directed site is permitted to age-screen to differentiate among users.¹² Thus, under the Final Rule a "site or service that is directed at children, but that does not target children as its primary audience, [may] use an age screen in order to apply all of COPPA's protections only to visitors who self-identify as under age 13."¹³ Other child-directed sites or services whose primary target audience is children must continue to presume that all users are children and provide COPPA protections accordingly.¹⁴
• Expansion of Scope of "Personal Information" (and a New Exception). The Final Rule revised the definition of "personal information" to include photographs, video and audio files where such files contain a child's image or voice, as well as making "geolocation information sufficient to identify street name and name of a city or town" a standalone category within the definition of personal information. The definition of "personal information" is further revised to include "persistent identifiers that can be used to recognize a user over time and across different websites or online services."¹⁵ However, the Commission also adopted a new exception to the Rule's requirements "where an operator collects only a persistent identifier for the sole purpose of providing support for its internal operations."¹⁶
• "Collects or Collection." The Final Rule also makes three primary changes to the term "collects or collection." First, the 2012 revisions clarify that the COPPA Rule applies both when the collection of personal information is required to participate in a particular online activity and when an operator "merely prompts or encourages a child to provide such information."¹⁷ Second, the Final Rule makes certain changes to the standards governing when a social networking site or blog that permits children to post personal information will be deemed to "collect" personal information. Previously, the definition excluded such practices from the definition of "collects" (and thus from the COPPA Rule's parental notice and consent requirements) only if the "operator delete[d] all individually identifiable information from postings by children before they [were] made public, and also delete[d] such information from the operator's records."¹⁸ Recognizing that the "100% Deletion Standard" set an "unrealistic hurdle" that impeded automated filtering technologies, the Commission revised the rule to include a "reasonable measures" standard that requires operators to take "reasonable measures to delete all or virtually all personal information from a child's postings before they are made public, and also to delete such information from its records."¹⁹ Finally, the final rule further amends the definition of "collects or collection" to remove the specific reference to "cookies" in order to clarify that the term covers all means of passively collecting information, regardless of the technology used.
• "Online Contact Information." The Final Rule revised the definition of "online contact information" used to contact a child's parent in order to obtain consent to include, in addition to email addresses, instant messaging user identifiers, voice over internet protocol identifiers and video chat user identifiers. While the list is intended to be non-exhaustive, the Commission noted that COPPA "did not contemplate the use of mobile telephone numbers as a form of online contact information, and the Commission therefore has determined not to include mobile phone numbers within the definition."²⁰
• "Support for Internal Operations." The Final Rule also expands the definition of "support for internal operations" to include additional, specified activities. This modification is important, as it expands the list of activities that are excluded from the definition of "disclosure," so long as the information is not used or disclosed in order to contact a specific individual (including through behavioral advertising) or to amass a profile on a specific individual or for any purpose not listed.²¹ "Support for internal operations" now includes activities necessary to maintain or to analyze the functioning of a website, to perform network communications, to authenticate users, to personalize content, to serve contextualized advertising, to cap the frequency of advertising, to protect the security or integrity of the user or website, to ensure legal or regulatory compliance and to fulfill other requirements of the COPPA Rule.²²
• Revised Notice Provisions. Section 312.4 of the COPPA Rule is amended to specify, when direct notice is required, "the precise information that operators must provide to parents regarding the items of personal information the operator already has obtained from the child...; the purpose of the notification; action that the parent must or may take; and what use, if any, the operator will make of the information collected."²³ The revisions also eliminate the requirement that operators include a recitation in their online privacy notices that a child's participation is not conditioned on the provision of more information than necessary.²⁴ The Commission otherwise declined to adopt other proposed changes regarding online privacy notices, including a proposal that would mandate the posting of information at the point of purchase²⁵ and that would require the primary operator to provide specific, current contact information for every operator that collections information on or through the website (rather than contact information for a single, consolidated operator).²⁶
• Parental Consent Provisions. The Final Rule adopts several newly recognized mechanisms for obtaining parental consent and adds a new process for evaluating and pre-clearing parental consent mechanisms.²⁷ Specifically, the Commission adopted electronic scans and video verification as acceptable consent mechanisms, and accepted the use of government-issued identification as a "reliable and simple means of verifying that a person providing consent is likely to be a parent" if operators delete such data immediately upon verification.²⁸ The Final Rule further amends the parental consent provisions to permit the use of "a credit card, debit card or other online payment system that provides notification of each discrete transaction to the primary account holder" as verifiable parental consent with "monetary transactions."²⁹ The Commission declined, however, to include any form of "electronic or digital signatures" within the list of acceptable consent mechanisms, reasoning that the term is somewhat vague and could encompass mechanisms that are not sufficiently reliable to afford the protections required by COPPA.³⁰ For instance, the Commission noted that a "simple digital signature," i.e., one that requires only the use of a finger or stylus to complete a consent form, is too easy for children to bypass.³¹ Nevertheless, importantly, the Final Rule retains "email plus" as an acceptable consent method for operators collecting personal information only for internal use.³² "Email plus" permits an operator to obtain verifiable parental consent through email if accompanied by one additional step, e.g., confirming parental consent by letter or telephone call or by sending a delayed confirmatory email.
• Approval Process for New Methods of Parental Consent. Additionally, in an effort to spur the development of new methods of consent, the Commission added a new section that establishes a voluntary approval process for future consent mechanisms.³³ The COPPA Rule always has permitted operators to take "reasonably calculated" methods to obtain parental consent, but the Commission's rulemaking process revealed that operators typically use only those mechanisms that are specifically enumerated as acceptable in the COPPA Rule.³⁴ The new approval process, which also includes public review and comment procedures, allows for prior review of new consent mechanisms. The Commission will approve or deny a request for review of a new mechanism within 180 days of its filing.³⁵
• Confidentiality, Security and Integrity of Personal Information Collected from Children. The Final Rule contains additional confidentiality and security requirements, requiring operators to "take reasonable steps to release children's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security and integrity of such information, and who provide assurances that they will maintain the information in such manner."³⁶ Additionally, the Commission added data retention and deletion requirements to the Rule, requiring an operator of a website or online service to "retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected."³⁷ The operator must also delete such information "using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion."³⁸
• Safe Harbor Program. The 2000 COPPA Rule created a "safe harbor" program that permitted industry groups and other persons to apply for approval of a self-regulatory program to adjudicate complaints by consumers. If approved by the Commission, compliance with the self-regulatory program then served as a "safe harbor" in any enforcement action for violations of the COPPA Rule. In the Final Rule, the Commission modified its safe harbor program in several important ways. First, the rule permits an operator to use any parental consent mechanism approved by a safe harbor program. This, like the voluntary approval process initiated by the Commission, is designed to help spur innovation.³⁹ The Final Rule also stiffened the requirements for approval, recordkeeping and reporting. The rule requires "detailed explanations of the applicant's business model, and the technological capabilities and mechanisms that will be used for initial and continuing assessment of subject operators' fitness for membership in the safe harbor program."⁴⁰ Approved safe harbor programs also are now required to conduct annual audits "of each subject operator's information policies, practices, and representations,"⁴¹ and must now submit an annual, aggregated report to the Commission containing the results of these independent assessments, a description of any disciplinary action taken against any operator and a description of any approvals of member operators' use of a parental consent mechanism.⁴²

Implications

The Commission's publication of revisions to the COPPA Rule comes in the same month as two additional actions related to privacy concerns in the online marketplace and shows the increasing and continued focus of federal and state regulators on these issues. First, on December 6, 2012, California's Attorney General filed suit against Delta Air Lines alleging that Delta violated the California Online Privacy Protection Act and California's Unfair Competition Law by collecting personally identifiable information from consumers through its "Fly Delta" mobile application while failing to post conspicuously a privacy policy application to the app and failing to comply with the privacy policy posted on the Delta website with respect to the Fly Delta app. Four days later, the Commission published its second "Kids' App Report," noting that apps offered for children in the Google play and Apple App stores had made "little progress toward giving parents the information they need to determine what data is being collected from their children, how it is being shared or who will have access to it" since the Commission's first survey in 2011.⁴³ The report also indicated that FTC staff is launching "non-public investigations to determine whether certain entities in the mobile app marketplace are violating the Children's Online Privacy Protection Act or engaging in unfair or deceptive practices in violation of the Federal Trade Commission Act."⁴⁴ Accordingly, providers of mobile applications and websites should take note and review their practices to ensure that they are complying with recently revised federal law and all other applicable privacy requirements.

Footnotes

1 16 C.F.R. Part 312.

2 15 U.S.C. §§ 6501 et seq.

3 See Federal Trade Commission, Children's Online Privacy Protection Rule: Not Just for Kids' Sites (Feb. 2004) available at http://business.ftc.gov/documents/alt046-childrens-online-privacy-protection-rule-not-just-kids-sites (last visited Jan. 1, 2013).

4 See 16 C.F.R. § 312.3. See also Federal Trade Commission, supra note 3.

5 See 16 C.F.R. § 312.3(a)-(e).

6 See Federal Trade Commission, Children's Online Privacy Protection Rule, 16 C.F.R. Part 312, Final Rule at 15 available at http://ftc.gov/os/2012/12/121219copparulefrn.pdf (last visited Jan. 1, 2013).

7 Id. at 24.

8 Id. at 17-24.

9 Id. at 24.

10 Id. at 25-27.

11 Id. at 53.

12 Id.

13 Id. at 53.

14 Id.

15 Id. at 37.

16 Id.

17 Id. at 6.

18 Id. at 8.

19 Id. at 9-10.

20 Id. at 13-15.

21 Id. at 155.

22 Id.

23 Id. at 54.

24 Id. at 59.

25 Id.

26 Id. at 57-58.

27 Id. at 62-63.

28 Id. at 63, 66.

29 Id. at 66-69.

30 Id. at 70.

31 Id. at 69-70.

32 Id. at 81.

33 Id. at 84-85.

34 Id. at 81-82.

35 Id. at 82.

36 Id. at 96.

37 Id. at 164.

38 Id.

39 Id. at 85-86.

40 Id. at 165.

41 Id. at 164.

42 Id. at 165.

43 See Federal Trade Commission, FTC's Second Kids' App Report Finds Little Progress in Addressing Privacy Concerns Surrounding Mobile Applications for Children (Dec. 10, 2012) available at http://www.ftc.gov/opa/2012/12/kidsapp.shtm (last visited Jan. 1, 2013).

44 Id.

The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.