The Federal Trade Commission (“FTC”) recently released proposed amendments to its rule (“Rule”) implementing the Children’s Online Privacy Protection Act (“COPPA”). The Rule requires the operator of a website or online service to obtain verifiable parental consent before collecting personal information from a child under the age of 13. If adopted as drafted, the revised Rule would not only make it even more difficult for operators to collect information from children online, but it would also sweep into the Rule’s coverage sites and online services that are currently outside of it. Moreover, the proposed changes would codify the erasure of the traditional distinctions between “personal” and “non-personal” information – an outcome that raises issues even for companies that are not subject to COPPA.
Among the most significant changes proposed by the FTC are the elimination of the widely used “email plus” method of obtaining verifiable parental consent and a considerable expansion of the Rule’s definition of “personal information.”
Elimination of the “email plus” method of obtaining consent. The existing Rule has a two-tiered system for obtaining verifiable parental consent: An operator that uses a child’s information only internally may use the so-called “email plus” mechanism, while more foolproof measures, such as a print, sign, and send back form or a phone call, are required if the operator will disclose the child’s information to third parties. Asserting that “all collections of children’s information merit strong verifiable parental consent,” the FTC has proposed to eliminate the distinction. “Email plus” – currently the most common way of obtaining consent – would no longer be an option.
Expansion of the definition of “personal information.” At the same time that it proposes to make obtaining verifiable parental consent more difficult and costly, the FTC also proposes to extend the Rule’s reach to a far wider swath of information collection practices, by expanding its definition of “personal information.” Perhaps most notably, the FTC would include within the definition a persistent identifier, when it is used for functions other than support for the internal operations of the site or service. “Persistent identifiers” include a customer number held in a cookie, an IP address, a device serial number, and a unique device identifier. In its commentary accompanying the proposed revisions, the FTC explains that consent would not be required when persistent identifiers are used for purposes such as user authentication, improving navigation, maintaining user preferences, serving contextual advertising, and protecting against fraud or theft, as these are functions that support the internal operations of the site or service.
On the other hand, the “personal information” definition would be triggered by – and verifiable parental consent would therefore be required for – other, non-support uses, presumably including online profiling, the delivery of personalized content, behavioral advertising, retargeting, and analytics. This is significant because there is no way to determine age from a persistent identifier – meaning, for instance, that sites directed to children could not deliver personalized content without first obtaining verifiable parental consent. For sites not directed to children but that are still subject to the Rule (because they knowingly collect personal information from children under 13), it is not clear how this restriction would apply in practice. As companies facing similar consent requirements in the EU can attest, obtaining consent prior to the use of a persistent identifier can be a costly and disruptive obligation. The FTC does not provide guidance in its commentary, but the issues are ripe for comment.
The FTC’s proposals reflect its oft-stated position that the line between what has traditionally been considered “personal” and “non-personal” information is increasingly blurred, such that protections historically afforded to personal information should be extended to certain non-personal information as well. If the FTC takes this approach with respect to COPPA, it is logical that it will take a similar approach in all contexts. Therefore, even companies not subject to COPPA are advised to consider the potential ramifications of the proposed changes and to consider submitting comments. The FTC is accepting comments until December 23, 2011.