Children's Online Privacy Protection Act

On December 19, 2012, the Federal Trade Commission (“Commission”) announced long-awaited amendments to its rule implementing the Children’s Online Privacy Protection Act (“Rule”). The changes—which take effect on July 1, 2013—are significant. They alter the scope and obligations of the Rule in a number of ways. We discuss the revisions in greater detail below.

  • The Commission revised the Rule’s definition of “personal information” to include more types of data that trigger the Rule’s notice, consent, and other obligations. These include persistent identifiers when used for online behavioral advertising and other purposes not necessary to support the internal operations of the site or online service.
  • The Commission expanded the Rule’s coverage to third-party services—such as ad networks and social plug-ins—that collect personal information through a site or service that is subject to COPPA. The host site or service is strictly liable for the third party’s compliance, while the third party must comply only if it has actual knowledge that it is collecting personal information through a child-directed site or from a child.
  • The Commission streamlined the content of the parental notice and simplified the privacy policy.
  • The Commission retained the “email plus” method of obtaining parental consent. It also added new methods of obtaining consent and established a process for pre-clearance of other consent mechanisms.
  • The Commission imposed new data security pass-through requirements, as well as data retention obligations.
  • The Commission revised the Rule to permit certain sites that are “directed to children” to comply only with respect to those users who self-identify as under 13.

To continue reading this post, click here.

The Federal Trade Commission (“FTC”) recently released proposed amendments to its rule (“Rule”) implementing the Children’s Online Privacy Protection Act (“COPPA”). The Rule requires the operator of a website or online service to obtain verifiable parental consent before collecting personal information from a child under the age of 13. If adopted as drafted, the revised Rule would not only make it even more difficult for operators to collect information from children online, but it would also sweep into the Rule’s coverage sites and online services that are currently outside of it. Moreover, the proposed changes would codify the erasure of the traditional distinctions between “personal” and “non-personal” information – an outcome that raises issues even for companies that are not subject to COPPA.

Among the most significant changes proposed by the FTC are the elimination of the widely used “email plus” method of obtaining verifiable parental consent and a considerable expansion of the Rule’s definition of “personal information.”

Elimination of the “email plus” method of obtaining consent. The existing Rule has a two-tiered system for obtaining verifiable parental consent:  An operator that uses a child’s information only internally may use the so-called “email plus” mechanism, while more foolproof measures, such as a print, sign, and send back form or a phone call, are required if the operator will disclose the child’s information to third parties. Asserting that “all collections of children’s information merit strong verifiable parental consent,” the FTC has proposed to eliminate the distinction. “Email plus” – currently the most common way of obtaining consent – would no longer be an option.

Expansion of the definition of “personal information.” At the same time that it proposes to make obtaining verifiable parental consent more difficult and costly, the FTC also proposes to extend the Rule’s reach to a far wider swath of information collection practices, by expanding its definition of “personal information.” Perhaps most notably, the FTC would include within the definition a persistent identifier, when it is used for functions other than support for the internal operations of the site or service. “Persistent identifiers” include a customer number held in a cookie, an IP address, a device serial number, and a unique device identifier. In its commentary accompanying the proposed revisions, the FTC explains that consent would not be required when persistent identifiers are used for purposes such as user authentication, improving navigation, maintaining user preferences, serving contextual advertising, and protecting against fraud or theft, as these are functions that support the internal operations of the site or service.

On the other hand, the “personal information” definition would be triggered by – and verifiable parental consent would therefore be required for – other, non-support uses, presumably including online profiling, the delivery of personalized content, behavioral advertising, retargeting, and analytics. This is significant because there is no way to determine age from a persistent identifier – meaning, for instance, that sites directed to children could not deliver personalized content without first obtaining verifiable parental consent. For sites not directed to children but that are still subject to the Rule (because they knowingly collect personal information from children under 13), it is not clear how this restriction would apply in practice. As companies facing similar consent requirements in the EU can attest, obtaining consent prior to the use of a persistent identifier can be a costly and disruptive obligation. The FTC does not provide guidance in its commentary, but the issues are ripe for comment.

The FTC’s proposals reflect its oft-stated position that the line between what has traditionally been considered “personal” and “non-personal” information is increasingly blurred, such that protections historically afforded to personal information should be extended to certain non-personal information as well. If the FTC takes this approach with respect to COPPA, it is logical that it will take a similar approach in all contexts. Therefore, even companies not subject to COPPA are advised to consider the potential ramifications of the proposed changes and to consider submitting comments.  The FTC is accepting comments until December 23, 2011.