FTC Releases Long-Awaited COPPA Amendments
At a press conference hosted by Sen. Rockefeller, FTC Chairman Jon Leibowitz today announced the release of the FTC’s long-awaited final amendments to the Children’s Online Privacy Protection Act (“COPPA”). The FTC believes the new Rules will further strengthen children’s privacy and parents’ control over their children’s information while at the same time guarding Internet innovation. Others, however, have expressed that, to some extent, the new Rules sacrifice Internet innovation. The amendments to will go into effect on July 1, 2013.
During the press conference, Sen. Rockefeller emphasized the need to update the current COPPA Rule given that it was enacted over 10 years ago, the changes in the way the Internet functions, and the growth of mobile devices and applications. Sen. Rockefeller also highlighted his concerns over the rise of third party companies that surreptitiously track consumers on the Internet noting that the new rule “puts all online companies on notice no matter who they are that they must comply with the law.” He also noted that the FTC’s efforts to revise the Rule went as far as the FTC could go within the bounds of its legal authority. However, at least one FTC Commissioner dissented from that view.
Leibowitz then introduced the new Rules by explaining that COPPA represents Congress’s mandate that parents should be the gatekeepers of their children’s information online, and that it is the FTC’s duty to ensure that the right tools exist for parents to fulfill this important role.
Leibowitz then announced some changes to the Rule:
- Expanding the definition of “personal information” to include geolocation information, photos, videos, and audio files that contain a child’s image or voice. The inclusion of such data in the definition is essential to protect children from physical harm, Leibowitz emphasized.
- Expanding the definition of “personal information” to include persistent identifiers, including items previously considered non-personal information, such as IP addresses and device identifiers, which can recognize users over time and across different websites, and which could be used to build extensive online profiles about children. This includes using persistent identifiers for behavioral advertising purposes. No parental notice and consent, however, is required when an operator collects a persistent identifier solely for internal purposes, such as contextual advertising, frequency capping, legal compliance, site analysis, and network communications.
- Applying the Rule to kid-directed websites that permit third parties, such as plug-ins and advertisers, to collect personal information from children without parental notice and consent. This even covers websites that do not directly collect any information from children. The Rule also covers the third parties, but the FTC narrowed the provision to extend only to third parties with actual knowledge that site from which they collect information is directed to children. The FTC also clarified that the new Rule does not extend liability to platforms, such as Google Play or the Apple App Store, when such platforms merely offer the public access to child-directed apps.
- Providing new methods for obtaining parental consent, such as through video conferencing technologies. The new Rule implements a streamlined 120-day mechanism by which companies can seek approval of alternative parental consent mechanisms.
In addition to the announced revisions, the new Rules:
- revise the definition of personal information so that operators may allow children to participate in interactive communities without parental consent, so long as such communities take reasonable steps to delete all or virtually all children’s personal information before it is made public;
- strengthen data security protections by requiring covered entities to take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;
- retain the “email plus” parental consent mechanism whereby operators may obtain parental consent with an email from the parent followed by a confirmation email or letter, provided the personal information is collected solely for internal use (as noted above, this does not apply to the collection of persistent identifiers for internal purposes where no consent is necessary).
- require covered companies to adopt reasonable procedures for data retention and deletion; and
- strengthen the FTC’s oversight of self-regulatory safe harbor programs.
The FTC vote to issue the amendments was 3-1-1, with Commissioner J. Thomas Rosch abstaining. Commissioner Ohlhausen voted against the new Rule given her belief that parts of the amendments exceed the scope of the authority granted to the FTC by Congress. The full text of the new Rules and the FTC’s press release can be found here. Check back in for a more detailed analysis of the Rules in the coming weeks.