Photo of Cecillia X. Xie

Cecillia X. Xie

Subscribe to Cecillia X. Xie's Posts
Follow: Read more about Cecillia X. Xie

In the wake of the COVID-19 pandemic, children are spending more of their lives in the digital realm, both for education and entertainment purposes—but that doesn’t mean the Federal Trade Commission (FTC) is cutting online operators slack for not complying with the Children’s Online Privacy Protection Act (COPPA). Last week, the FTC levied a $4 million penalty against HyperBeard, Inc., a popular mobile app developer, to settle allegations that HyperBeard integrated third-party ad networks into its child-directed apps in violation of COPPA.(Due to HyperBeard’s inability to pay the full amount, the $4 million penalty will be suspended upon payment of $150,000 by HyperBeard).

The complaint is notable in that the FTC did not allege that HyperBeard itself collected any personal information from children—rather, the alleged violations centered around the company enabling third parties to collect personal information from children through its service. The fine serves as a warning to online operators that they are strictly responsible for their third-party integrations, even if they themselves do not collect personal information from children. Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, emphasized, “If your app or website is directed to kids, you’ve got to make sure parents are in the loop before you collect children’s personal information. This includes allowing someone else, such as an ad network, to collect persistent identifiers, like advertising IDs or cookies, in order to serve behavioral advertising.”
Continue Reading It’s 10 p.m. Do You Know What Your Third-Party Integrations Are Doing?

In a move likely welcomed by publishers seeking a solution to honoring “sale” opt-outs in the interest-based advertising space, the Interactive Advertising Bureau last week released the IAB California Consumer Privacy Act Compliance Framework for Publishers and Technology Companies. The IAB is the trade association for the digital media and marketing industries, and it developed the Framework to help publishers (i.e., websites) and the online advertising supply chain comply with the CCPA—and particularly with the CCPA’s right to consumer opt-outs of “sales” of personal information.

The Framework sets up a system in which a consumer opt-out has the result that the parties in the digital advertising supply chain become limited service providers to the publisher, such that there is no longer a “sale” with respect to those consumers’ personal information. A limited service provider may still serve ads on behalf of the publisher, but those ads cannot involve any “sale” of personal information under the CCPA.

IAB is accepting public comments to the Framework until Tuesday, November 5, 2019. Comments should be emailed to privacy@iab.com. The draft Framework and draft technical specifications for the Framework can be accessed here.
Continue Reading We’re Sorry, Your Service (Provider) Is Limited: The IAB CCPA Compliance Framework

Last week, the Federal Trade Commission made clear that child-directed parts of an otherwise general audience service will subject the operator of the service to the Children’s Online Privacy Protection Act (COPPA).

Just six months after the FTC’s record-setting settlement against TikTok, the FTC announced a $170 million fine against Google and its subsidiary YouTube to settle allegations that YouTube had collected personal information from children without first obtaining parental consent, in violation of the FTC’s rule implementing COPPA. This $170 million fine—$136 million to the FTC and $34 million to the New York Attorney General, with whom the FTC brought the enforcement action—dwarfs the $5.7 million levied against TikTok earlier this year. It is by far the largest amount that the FTC has obtained in a COPPA case since Congress enacted the law in 1998. The settlement puts operators of general-audience websites on notice that they are not automatically excluded from COPPA’s coverage: they are required to comply with COPPA if particular parts of their websites or content (including content uploaded by others) are directed to children under age 13.


Continue Reading The Company Who Cried “General Audience”: Google and YouTube to Pay $170 Million for Alleged COPPA Violations

Advancements in technology appear to have spurred the Federal Trade Commission to initiate a review of its rule promulgated pursuant to the Children’s Online Privacy Protection Act (the “COPPA Rule” or “Rule”) four years ahead of schedule. Last week, the FTC published a Federal Register notice seeking comments on the Rule. Although the FTC typically reviews a rule only once every 10 years and the last COPPA Rule review ended in 2013, the Commission unanimously voted 5-0 to seek comments ahead of its next scheduled review. The Commission cited the education technology sector, voice-enabled connected devices, and general audience platforms hosting third-party, child-directed content as developments warranting reexamination of the Rule at this time.

Background

The COPPA Rule, which first went into effect in 2000, generally requires operators of online services to obtain verifiable parental consent before collecting personal information from children under the age of 13.  In 2013, the FTC amended the COPPA Rule to address changes in the way children use and access the internet, including through the increased use of mobile devices and social networking.  Its amendments included the expansion of the definition of “personal information” to include persistent identifiers that track online activity, geolocation information, photos, videos, and audio recordings. The new review could result in similarly significant amendments.

Questions for Public Comment

In addition to standard questions about the effectiveness of the COPPA Rule and whether it should be retained, eliminated, or modified, the FTC is seeking comment on all major provisions of the Rule, including its definitions, notice and parental consent requirements, exceptions, and security requirements.
Continue Reading Back to School Early: FTC Seeks Comments to COPPA Rule Ahead of Schedule