Cecillia X. Xie

We’re Sorry, Your Service (Provider) Is Limited: The IAB CCPA Compliance Framework

By Julie O'Neill & Cecillia X. Xie on October 31, 2019

In a move likely welcomed by publishers seeking a solution to honoring “sale” opt-outs in the interest-based advertising space, the Interactive Advertising Bureau last week released the IAB California Consumer Privacy Act Compliance Framework for Publishers and Technology Companies. The IAB is the trade association for the digital media and marketing industries, and it developed the Framework to help publishers (i.e., websites) and the online advertising supply chain comply with the CCPA—and particularly with the CCPA’s right to consumer opt-outs of “sales” of personal information.

The Framework sets up a system in which a consumer opt-out has the result that the parties in the digital advertising supply chain become limited service providers to the publisher, such that there is no longer a “sale” with respect to those consumers’ personal information. A limited service provider may still serve ads on behalf of the publisher, but those ads cannot involve any “sale” of personal information under the CCPA.

IAB is accepting public comments to the Framework until Tuesday, November 5, 2019. Comments should be emailed to privacy@iab.com. The draft Framework and draft technical specifications for the Framework can be accessed here.…
Continue Reading

The Company Who Cried “General Audience”: Google and YouTube to Pay $170 Million for Alleged COPPA Violations

By Cecillia X. Xie & Julie O'Neill on September 11, 2019

Posted in Compliance, COPPA, Data Security, FTC, Privacy

Last week, the Federal Trade Commission made clear that child-directed parts of an otherwise general audience service will subject the operator of the service to the Children’s Online Privacy Protection Act (COPPA).

Just six months after the FTC’s record-setting settlement against TikTok, the FTC announced a $170 million fine against Google and its subsidiary YouTube to settle allegations that YouTube had collected personal information from children without first obtaining parental consent, in violation of the FTC’s rule implementing COPPA. This $170 million fine—$136 million to the FTC and $34 million to the New York Attorney General, with whom the FTC brought the enforcement action—dwarfs the $5.7 million levied against TikTok earlier this year. It is by far the largest amount that the FTC has obtained in a COPPA case since Congress enacted the law in 1998. The settlement puts operators of general-audience websites on notice that they are not automatically excluded from COPPA’s coverage: they are required to comply with COPPA if particular parts of their websites or content (including content uploaded by others) are directed to children under age 13.

Back to School Early: FTC Seeks Comments to COPPA Rule Ahead of Schedule

By Cecillia X. Xie & Julie O'Neill on August 6, 2019

Posted in COPPA, Data Security, Privacy

Advancements in technology appear to have spurred the Federal Trade Commission to initiate a review of its rule promulgated pursuant to the Children’s Online Privacy Protection Act (the “COPPA Rule” or “Rule”) four years ahead of schedule. Last week, the FTC published a Federal Register notice seeking comments on the Rule. Although the FTC typically reviews a rule only once every 10 years and the last COPPA Rule review ended in 2013, the Commission unanimously voted 5-0 to seek comments ahead of its next scheduled review. The Commission cited the education technology sector, voice-enabled connected devices, and general audience platforms hosting third-party, child-directed content as developments warranting reexamination of the Rule at this time.

Background

The COPPA Rule, which first went into effect in 2000, generally requires operators of online services to obtain verifiable parental consent before collecting personal information from children under the age of 13. In 2013, the FTC amended the COPPA Rule to address changes in the way children use and access the internet, including through the increased use of mobile devices and social networking. Its amendments included the expansion of the definition of “personal information” to include persistent identifiers that track online activity, geolocation information, photos, videos, and audio recordings. The new review could result in similarly significant amendments.

Questions for Public Comment

In addition to standard questions about the effectiveness of the COPPA Rule and whether it should be retained, eliminated, or modified, the FTC is seeking comment on all major provisions of the Rule, including its definitions, notice and parental consent requirements, exceptions, and security requirements.…
Continue Reading

About Socially Aware

Social media sites are transforming not only the daily lives of consumers, but also how companies interact with consumers. Here at Morrison & Foerster, across all of our practice groups, we are seeing complex, cutting-edge legal issues arising out of social media. As with the Internet boom during the mid-to-late 1990s, social media is generating new legal questions at a far faster pace than the law’s ability to provide answers to such questions. In an effort to stay on top of these emerging issues, and to keep our clients and friends informed of new developments, Morrison & Foerster publishes this blog devoted to the law and business of social media.