The FTC’s new revisions to the COPPA Rule (16 CFR 312) have extended COPPA’s requirements beyond websites and conventional “operators” to include third parties such as advertising networks. Between now and July 1, 2013 – the effective date of the revisions – ad networks must evaluate their new duties under COPPA, new (and quite real) enforcement risks, and what strategies to employ to escape FTC investigation or penalties.
This is part of a ZwillGen series on how the new COPPA Rule affects the online industry – focusing here on ad networks in particular For further in-depth analysis of the new COPPA Rule in general, please follow this blog.
FTC Has Expanded What Is “Personally Identifiable Information”
COPPA’s application to online ad networks is new. This is because ad networks do not generally use the type of conventional personal identifiers — email address, name, address, or telephone number — currently covered by COPPA, but instead use anonymous, unique cookie-based browser identifiers. But the new Rule expands COPPA significantly to cover unique IDs in cookies, along with IP addresses and device identifiers, that can “recognize a user over time and across different sites or online services.”
Websites themselves may freely use unique IDs to support “internal operations” (such as anti-fraud, site operations or content customization) as well as for “contextual advertising.” But (as explained below), absent parental consent websites may not collect and share with ad networks their unique IDs, nor may ad networks themselves directly collect unique IDs or, for that matter, device IDs. (In the context of cookie-based advertising, parental consent, such as via email consent, is of course cumbersome if not practically impossible.)
Ad Networks as COPPA “Co-Operators”
The new COPPA Rule reaches ad networks by expanding the definitions of both Operator and website or online service directed to children. First, the FTC clarifies that an ad network is itself a “Co-Operator” (effectively, an “Operator”) under COPPA if it “has actual knowledge that it is collecting information through a child-directed site.”
The FTC concedes that determining actual knowledge is a “highly fact-specific inquiry.” It offers this guidance: An ad network has actual knowledge that it is collecting personal information from children when (1) a child-directed content provider . . . directly communicates the child-directed nature of its content to the [ad network]; or (2) a representative of the [ad network] recognizes the child-directed nature of the content. (I’ve added that emphasis.) Or — far more cryptic– an “accumulation of other facts” could be sufficient. The FTC’s Tech Blog post (January 2, 2013) suggests, on the other hand, that without more, the mere indication in referrer code of a child-directed site is “unlikely” to be actual knowledge.
General Audience Sites
Further complicating ad networks’ new duties – and their ability to “know” what data they receive — COPPA’s obligations (by statute) apply not only to child-directed sites, but also to “that portion of an otherwise general audience service could be deemed directed to children.” Thus, an ad network’s use of tracking cookies (and unique IDs) on the kids’ section of a general audience site could implicate COPPA just the same as if the tracking occurred on a site exclusively targeted to children.
Websites Are Responsible for Ad Networks’ Data Collection
Notwithstanding the relatively high “actual knowledge” standard applied to ad networks, it will be hard for networks that use unique or device IDs to ignore the new Rule, because the FTC has also made their web publisher (and app) partners responsible for the information the networks collect. Thus, child-directed publishers themselves are likely to curtail their use of ad networks that use tracking cookies.
Specifically, the FTC has added this proviso to the definition of “Operator”: “Personal information is collected or maintained on behalf of an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator.” This is aimed squarely at behavioral ad networks’ — the FTC emphasizes in its guidance that a website “benefits” when an ad network “collect[s] personal information directly from users of such operator’s site or service.” In other words, when a child-directed website lets an ad network collect a unique ID (such as through an i-frame and ad tag), that website has effectively shared (and/or permitted an ad network to collect and share) a child’s PI – which COPPA prohibits absent parental consent.
Compliance Strategies for the New COPPA Rule
Ad networks thus face several real practical challenges under the new COPPA Rule — requiring new compliance strategies and decisions:
- Many ad networks are currently using tracking cookies (and thus unique IDs) – knowingly or not – on either kids sites or pages of teen and general audience sites targeted to children under 13. Given the “actual knowledge” standard, ad networks may be tempted to do nothing – thus avoiding knowledge and theoretically avoiding COPPA. But this approach also increases the practical risk of an FTC inquiry – and inquiries are likely to come – along with (as the FTC puts it) a “highly fact-specific inquiry.
- On the other hand, auditing their publisher networks can earn ad networks credibility and reduce their likelihood of investigation. But those audits must be complete and accurate, and weighed against the FTC’s guidance as to when a web publisher is “child-directed” under COPPA.
- Further complicating these strategies is the application of COPPA to cookie-tracking occurring on kids’ portions of general audience sites. Those portions, too, can be identified and audited, to avoid risk.
- Not least, it is very important that ad networks maintain accurate disclosures about their PI collection practices. Some ad networks currently state (on their websites, in agreements, and elsewhere) that they do not collect personal information from children. But the FTC’s new COPPA Rule calls those statements into question – and exposes those ad networks to investigation and penalty if the statements are shown to be false. Indeed, when choosing among multiple targets who have engaged in a similar practice, the FTC (like state AGs) has shown itself to be more inclined to target companies whose disclosures they found wanting.
The FTC has made very clear – through multiple rounds of comments and guidance – that it wants to curtail behavioral tracking of children. Its current policy agenda is likely to give way to an enforcement agenda – which means investigations and, for the unlucky or careless, penalties. Ad networks that implement a credible, well-intentioned, and documented compliance strategy will be best positioned to avoid becoming guinea pigs for this new enforcement agenda.