FTC Releases Final Amendments to COPPA Rule

Published On January 16, 2013 | By Melissa Maalouf | FTC & State AG, Privacy

On December 19, 2012, the FTC released its final amendments to the Children’s Online Privacy Protection Act (“COPPA”).  With a few exceptions, the final Rules largely track the changes that the FTC proposed in its Notice of Proposed Rulemaking (“NPRM”) released in September 2011, and Supplemental Notice of Proposed Rulemaking (“SNPRM”) released in August 2012.

We provided an initial summary of the amendments when they were released. This alert provides a more detailed analysis and discusses the key changes to the Rules and how they will impact a range of websites and services.  These new Rules will go into effect on July 1, 2013.

All Child-Directed Sites and Services Have Strict Liability for Third Parties Collecting Information on their Sites.  One of the most significant changes the FTC made is to impose a strict liability standard on child-directed operators that allow third parties (such as plug-ins and ad networks) to collect personal information through their services.  Thus, under the new rules, a child-directed website or service that allows a third-party plug-in or an advertising network to collect children’s personal information (including unique identifiers) is obligated to provide notice to parents and obtain consent before the child’s information is collected. This requirement applies even if the child’s personal information is being collected only by the third-party plug-in or ad network.  It also applies to general audience sites that allow third parties to collect personal information from specific users when the sites have actual knowledge that such users are children.

According to the FTC, the child-directed site operator is the entity in the best position to provide parental notice and obtain consent.  Thus, imputing strict liability on these operators for the actions of third parties is justified because child-directed sites often benefit from third-party services that provide enhanced site functionality and content, greater publicity, and compensation to site owners.  This change is likely to have a significant impact on child-directed sites and services seeking to monetize through behavioral advertising, given that such services will now need to provide notice and obtain consent prior to allowing third-party behavioral tracking networks to operate on their services.  (The Rules exempt “contextual” advertising that only accounts for what site or page an ad appears on.)  The notice and consent requirements are burdensome, and many operators have previously avoided such requirements by not directly collecting children’s personal information and only allowing third-party networks to collect unique identifiers and not personal information.  We believe the ultimate result of this change will be that many child-directed services will sever their relationships with third-party behavioral ad networks and plug-ins to avoid this new strict liability standard.

Some operators may challenge this rule change.  In voting against the COPPA amendments, FTC Commissioner Ohlhausen provided a potential roadmap for such a challenge. Ohlhausen believes that extending COPPA obligations to entities that do not collect personal information from children or have access to or control of such information collected by a third party is not consistent with COPPA’s definition of “operator”:  the COPPA statute itself covers only entities “on whose behalf such information is collected and maintained.”  Thus, Ohlhausen does “not believe that the fact that a child-directed site or online service receives any kind of benefit from using a plug-in is equivalent to the collection of personal information by the third-party plug-in on behalf of the child-directed site or online service.”

It is also arguable that holding site operators liable for the actions of third parties is not consistent with the Communications Decency Act, which provides broad immunities to a variety of online service providers for conduct by third parties that occurs on or through websites and other online properties.

The Definition of “Personal Information” has been Broadened to Apply to Data that Many Providers Currently Collect Without Seeking Notice and Consent.  The FTC has expanded the definition of “personal information” in ways that are likely to have a significant impact on how child-directed sites currently operate.  If sites continue to collect such information (outside of exceptions for “internal operations”), they will be required to comply with COPPA.

Persistent Identifiers.  While the existing definition covers persistent identifiers associated with individually identifiable information, the new Rule includes other persistent identifiers – notably, unique IDs in cookies, IP addresses, and processor or device serial numbers that can “recognize a user over time and across different sites or online services.”  “Different websites” captures affiliated sites where the affiliate relationship is not clear to the user.  Under the revised Rules, absent parental notice and consent, operators may not gather persistent identifiers to behaviorally target ads to a specific child, nor may they use them to amass a profile on an individual child user based on the collection of such identifiers over time and across different sites.

The FTC has, however, created a separate exception to the Rule’s notice and consent requirements for identifiers used solely for providing support for the internal operations of a site or service.  This includes activities “necessary” (loosely speaking) to:

  1. maintain or analyze the functioning of the site or service;
  2. perform network communications;
  3. authenticate users or personalize site content;
  4. serve contextual advertising on the site or cap the frequency of advertising;
  5. protect the security or integrity of the user, site, or service; or
  6. fulfill a request of a child as otherwise provided in the Rule.

The new Rule also applies to third parties collecting persistent identifiers on a site or service.  However, entities that collect persistent identifiers, and no other personal information, from users who affirmatively interact with the entity and whose previous registration with such entity indicates that they are over the age of 12, are not subject to COPPA.  Thus, third-party plug-ins that collect a persistent identifier from an individual who affirmatively downloads the plug-in on another site and that know from previous dealings with the individual that he/she is over the age of 12 are not required to comply with COPPA’s notice and consent requirements.  This exception, however, does not apply if the plug-in otherwise passively collects personal information from the user while the user is on another site or service.

If a company believes that an additional activity should be added to the list, the FTC created a new voluntary process by which parties can seek approval of such other internal operations, and the FTC will respond within 120 days after a public notice and comment period.

Photos, Videos, and Audio.  “Personal Information” now includes photographs, videos, and audio files when they contain a child’s image or voice.  The FTC included this change given technology that allows such information to be geo-tagged or recognized via facial recognition software.  However, the new Rule would not apply to uploading photos or videos on general audience sites such as Facebook, absent actual knowledge that the person uploading is a child.

Geolocation Information.  The final Rules expressly include “geo-location information sufficient to identify street name and name of a city or town” as “personal information.”  The FTC does not believe this is a significant change given that the current Rule already covers address information precise enough to identify the name of a street and city/town; it does not require information at the household address level.

Screen or User Names.  “Personal Information” now includes a “screen or user name” where it functions in the same manner as online contact information – that is, it can be used to directly contact a child online.  Screen names are included in the definition regardless of whether they contain an actual email address.  Companies, however, will still be able to use anonymous screen names in place of individually identifiable information, including for content personalization, filtered chat, public display on a site, or operator-to-user communications.

Online Contact Information.  The FTC also expanded the definition of “online contact information” beyond email addresses to cover all identifiers that permit direct contact with a person online, including instant messenger IDs, VoIP IDs, video chat user IDs, and any other substantially similar identifiers that permit direct contact with a person online.  (The FTC declined to extend the definition to mobile phone numbers.)

Third-Party Ad Networks and Social Plug-Ins that Collect Personal Information from Children on Other Sites Must Comply with COPPA.  In the supplemental rulemaking, the FTC had proposed holding responsible as a “co-operator” subject to COPPA any online service that “knows or has reason to know” it is collecting personal information through a child-directed site.  After heavy criticism that this “reason to know” standard was too vague, in the final Rules, third parties are covered by COPPA only where they have “actual knowledge” that they are collecting personal information directly from users of a child-directed site.  A third party will be deemed to have “actual knowledge” when either an operator directly communicates the child-directed nature of its site to the third party or when the third party recognizes the child-directed nature of the site.

This Rule change marks the first time that COPPA’s reach has extended to third parties.  According to the FTC, third parties that collect personal information from children need to be subject to the same rules, and even if a third-party service is aimed at a general audience, it should comply with COPPA when its service reaches another site primarily directed to children.

The actual knowledge standard raises concerns because it involves a highly fact-specific inquiry as to when, from a third party’s vantage point, a site is directed to children – an inquiry about which the FTC has provided little guidance.  For example, if a third-party ad network or plug-in does not conduct a review of a particular site, it may not have any information as to whether the site is directed to children.  Likewise, if a third party learns that it has been collecting children’s information, it is not clear what its legal obligation would be.  As with the new strict liability standard, we believe many third-party ad networks and plug-ins will sever their relationships with child-directed services to avoid having to comply with COPPA.

Not all third parties that offer access to child-directed content are affected by the new rule.  The FTC included specific language that operators of platforms, such as Google Play or the App Store, that merely offer access to someone else’s child-directed content are not required to comply with COPPA.  Instead, the Rule only covers entities that design and control content, such as an app developer or site owner.  Platform providers that wear multiple hats must still comply with COPPA if they themselves collect personal information directly from children.

Some Sites Directed at Children May Differentiate Among their Child and Adult Users.  Under the existing Rule, sites “directed to children” must treat all users as children under COPPA, whereas general audience sites are only required to comply with the Rule when they have actual knowledge of users under the age of 13.  The FTC has developed a new, hybrid compliance approach for such sites whereby a site that is directed to children, but that does not target children as its “primary” audience, will not be deemed directed to children if it:  (1) does not collect personal information from any users prior to age-screening; and (2) obtains parental consent before collecting personal information from users who self-identify as under 13.

The FTC will use its “totality of the circumstances” test to assess whether a site’s content is “primarily” intended for a child audience.  In addition to the (non-exhaustive) list of factors in the existing Rule, the FTC has added the presence of child celebrities, celebrities who appeal to children, and musical content as factors that would render a site directed to children.  Once this assessment is complete, the FTC will then determine whether the site’s “primary” audience is children under 13.  If the site is directed to children but does not primarily target children under 13, the site may age-screen and apply COPPA to those that self-identify as under 13.  If a site is primarily targeted to children under 13, the site must continue to apply COPPA to all users.

While this new provision may allow certain sites to avoid applying COPPA to all of their visitors, determining whether a site directed to children is also “primarily targeted” to children will often be difficult.  Absent further guidance, such sites must either play it safe and continue to apply COPPA’s protections to all users, or accept elevated risk – and/or develop a qualitative or quantitative rationale as to why they are not “targeted” to children.  Currently, many general audience websites and services that do appeal to children – and employ behavioral advertising and personal identifiers – do not age-screen; those sites therefore should consider age-screening prior to the collection of any personal information.

Revisions to the Definition of “Collect” May Impact Some Operators’ Practices.  The definition of “collect” in the new Rule has been expanded to include “requesting, prompting, or encouraging” a child to submit personal information online.  This occurs, for instance, where the operator provides an open field or forum through which a child can submit personal information – even if the submission of that information is not mandatory.

Under the existing Rule, the word “collect” also covers a situation where an operator allows children to publicly post personal information, such as on a social network or blog, unless the operator has deleted all individually identifiable information from both the posting and its own records before the information is made public.  Under the new Rule, the deletion will be judged under a “reasonable measures” standard focused on whether the operator has deleted “all or virtually all” personal information from a child’s posting and its own records.

Operators Must Review their Notices to Ensure Compliance with the FTC’s Revised Requirements.  The FTC has made revisions to its “just-in-time” notice requirements and its site notice requirements, and has implemented a voluntary notice procedure for sites that have child users, yet do not collect any personal information.

Direct Notice.  Under the new Rules, the FTC refined the requirements for the “just-in-time” direct notice that operators send to parents in connection with obtaining parental consent by providing a more specific list of information that must be contained in the notice, including:  (1) the personal information already obtained from the child (usually parents’ contact information together with the child’s online contact information); (2) the purpose of the notice; (3) actions the parent must or may take; (4) what use, if any, the operator will make of the information; and (5) a link to the operator’s full notice.

Streamlined Site Notice.  Recognizing that privacy disclosures have become lengthy and difficult to understand, the FTC has streamlined what must be provided in an operator’s site notice.  In addition to contact information for the operator and information on how a parent can access and delete children’s personal information, the new Rule calls for a simple statement of:  (1) what information the operator collects from children, including whether a child can make such information publicly available; (2) how the operator uses such information; and (3) the operator’s disclosure practices.  Operators should review their notices to determine how they can be simplified and made more user-friendly.

Voluntary Notice.  The new Rules contain a voluntary notice mechanism by which operators can provide parents with notice about a child’s participation in a site that does not otherwise collect, use, or disclose the child’s personal information. To provide such notice, operators can collect a parent’s online contact information, provided that such information is not used for any other purpose, disclosed, or combined with any other information collected from the child.

Operators Can Still Use E-Mail Plus for Internal Purposes, and the FTC Has Added Further Consent Mechanisms.  In a concession to operators, the FTC (after considering otherwise) decided to keep the popular “Email Plus” mechanism for parental consent when personal information will be used solely for internal purposes.  Under this approach, an operator, when collecting personal information only for its internal use, may obtain verifiable parental consent through an email from the parent, so long as the email is coupled with an additional step to confirm the parent’s identity.

The new Rules also provide for a number of new parental consent mechanisms, including:

  • scanned versions of signed parental consent forms;
  • video conference verification methods; and
  • use of government-issued IDs, provided that the operator deletes the ID information immediately upon verification.

The new Rules also allow providers to obtain consent through alternative payment methods such as debit cards and electronic payment systems (in addition to credit cards) in connection with a monetary transaction, provided the operator provides notification of each discrete transaction to the primary account holder.

On the other hand, the FTC declined to allow operators to obtain consent through parental control features in game consoles and other devices, or through the use of electronic or digital signatures.  The FTC also created a streamlined approval process whereby operators can submit a detailed proposal of an alternative method together with an analysis of how it meets the requirements of the Rules.  The FTC will publish the proposal for public comment, and approve or deny it within 120 days.

Operators Must Take Reasonable Steps in Disclosing Information to Service Providers and Third Parties.  The existing Rule is silent regarding an operator’s obligations in disclosing information to third parties.  While the FTC’s original proposal would have required providers to “ensure” that third parties to whom they disclose information have reasonable security measures in place, based on feedback from commenters, the final Rules only require that operators take “reasonable steps” to release children’s personal information only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of such information, and who provide assurances that they will maintain the information in such manner.  Practically speaking, this change helps to mitigate potential operator liability concerning the disclosure of information to third parties; however, operators still need to carefully vet and perform due diligence on all third parties with whom they share personal information and ensure that contracts with those parties include appropriate privacy, data security breach and indemnification provisions.

Operators Must Have Retention Limits in Place for Children’s Information.  Under the new Rule, operators must retain children’s personal information only as long as is reasonably necessary to fulfill the purpose for which the information was collected.  Operators must delete such information using reasonable measures to protect against unauthorized access to, or use of, the information.  As explained by the FTC, this new “reasonableness” standard permits operators to determine their own data retention needs and capabilities, without the FTC dictating specific time-frames or data destruction practices.

If you have any questions about the Rule changes or how they may impact you, please do not hesitate to contact us.

About The Author

Melissa Maalouf’s practice focuses on advising a broad range of clients, from start-ups to established companies, on both U.S. and international data privacy and security issues. Melissa assists clients in drafting appropriate website disclosures, implementing legally-compliant e-commerce flows, responding to FTC Section 5 and state AG enforcement actions, analyzing advertising claims, and children’s online privacy and safety issues. She also regularly helps clients obtain certification under the EU-US Safe Harbor and navigate compliance with divergent international privacy laws.