The Children’s Online Privacy Protection Act of 1998 (“COPPA”), which became effective in April 2000, has long served as the primary regulatory tool of the Federal Trade Commission (the “FTC”) to police online privacy issues concerning children under 13. The COPPA Rule (the “Rule”), promulgated by the FTC pursuant to COPPA, in general requires the operator of a website or online service that is directed to children or that knowingly collects personal information from children to obtain verifiable parental consent before collecting personal information from a child under the age of 13. In September 2011, after the Act had been on the books for over a decade, the FTC announced that change was coming and proposed for public comment certain amendments to the Rule, as we explained last year. After all, when the Act first passed in 1998, Mark Zuckerberg was just 14 years old, and social media giants like Facebook, YouTube and Twitter would not launch until well into the next decade. Google had just been founded and operated out of a garage in Silicon Valley. Pets.com was the next big thing. Change was long overdue.
On August 1, 2012, after reviewing over 350 comments to its proposed amendments, the FTC announced that it was seeking further proposed modifications to the Rule. So what’s new this time?
Network Advertisers and Other Third-Party Information Collectors Potentially Responsible for COPPA Compliance
Although COPPA applies only to websites or online services, the FTC’s proposed new modifications seek to expressly hold certain third-party plug-in, software download, and advertising networks accountable for COPPA compliance when they collect personal information through a website or online service that they know is child-directed. Does this mean that such third parties are going to be held strictly liable for COPPA compliance when they are integrated into a website or online service? No. Although it considered this option, the FTC instead proposes to apply the Rule only if the third party “knows or has reason to know” it is collecting personal information through a host site or service that is directed to children. Thus, if credible information that such use is occurring is brought to the attention of a plug-in or ad network, for example, it ignores this information at its peril.
Mixed Approach to Mixed Audience Sites
Historically, the FTC has not charged mixed audience websites that contain content appealing to both children and adults as “directed to children,” given the burden that this can impose on providers and users alike. Instead, the FTC has charged such websites under COPPA only where they had actual knowledge that they were collecting personal information from children. The FTC now seeks to codify this approach. Under its proposed revisions, a website or service that has child-oriented content appealing to a mixed audience, where children under 13 are likely to be over-represented, will not be deemed “directed to children” if the site or service age-screens all users before personal information is collected. Then, once the site learns who self-identifies as under 13, it must obtain appropriate parental consent before collecting any personal information and otherwise comply with the Rule with respect to them. Websites or services that knowingly target, or have content likely to attract, children under 13 as its primary audience must still treat all users as children for COPPA compliance purposes.
Information collected by “persistent identifiers,” including in connection with behaviorally-targeted ads, counts as “personal information” for COPPA purposes
The FTC announcement also included certain modifications and clarifications to some of its earlier, more controversial 2011 proposals. Last fall, for instance, the FTC expanded the definition of “personal information” (the collection of which generally triggers a parental consent obligation) to include information collected by “persistent identifiers” that track a devise’s use over time and across different platforms. This expansion met considerable resistance from some quarters because commentators felt that “persistent identifiers” track devise use, not personal use, and therefore should not count as collecting “personal information,” but the FTC did not alter its stance. An exception, however, exists for information collected by persistent identifiers if it is used as support for internal operations.
So what counts as “support for internal operations”? The FTC now proposes to expressly define those operations as including “site maintenance and analysis, performing network communications, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual advertisements, and protecting against fraud and theft.” Thus persistent identifiers can be used for these express purposes without regard to any COPPA compliance consequences. But for all other uses, COPPA may become an issue. Use of a persistent identifier for purposes outside of these operations, including for behaviorally-targeted advertising (specifically addressed in the recent commentary) will likely trigger the Rule’s obligations. Because of this expanded definition, and the fact that age cannot be determined from a persistent identifier, sites directed to children may be well advised to engage in such activities only after first obtaining verifiable parental consent. In fact, given the breadth of this potential rule, operators of sites wholly unrelated to children should take notice as this change may well portend a broader shift in policy within the FTC toward these issues.
The FTC is accepting comments on the proposals until September 10, 2012. The FTC expects to publish a final Rule this year. A more detailed explanation of these proposed changes, including analysis of important commentary, can also be found here.