FTC Clarifies COPPA Standards for Ad Networks, Questions Remain
The FTC (via email blast) provided further clarification of the standards that third party ad networks and platforms would be held to, under the new COPPA Rule.
To recap recent history: when the FTC announced last December that ad networks, exchanges and other platforms could be liable as “co-operators” for publishers that violated COPPA (and expanded the definition of what a children’s site is), it send tremors through the online third party ecosystem. The FTC’s assurance that third parties would not be liable under COPPA absent their “knowledge” of a violation did not fully allay concerns, because the FTC offered little guidance about what type of facts or disclosures would amount to “knowledge” – and what if any safe harbors might exist for them.
In its initial set of FAQs (and in line with its 2012 “Statement of Purpose”), the FTC offered that an ad platform has actual knowledge that it is collecting personal information from children when (1) a child-directed content provider . . . directly communicates the child-directed nature of its content to the [ad network]; or (2) a representative of the [ad network] recognizes the child-directed nature of the content. Or — more cryptic — an “accumulation of other facts” could be sufficient. As some comfort, a January FTC’s Tech Blog post suggested that without more, the mere indication in referrer code of a child-directed site is “unlikely” to be actual knowledge. (See our prior blog post for more analysis.) But the FTC conceded such knowledge was a “highly fact-specific inquiry” (and for that matter, one without a safe harbor).
The FTC offered a set of expanded FAQs (particularly, new FAQs D11 and D12, and a revised K2), which attempt to clarify what ad platforms must do to establish COPPA compliance — and when they have “actual knowledge” they are receiving data from a childrens’ site. The FTC offered guidance for the following situations (the bolded language is mine, not theirs):
You Receive A Complaint that Certain Websites (or Apps) on Your Platform are Directed to Kids Under 13. Privacy Advocates Demand That You Remove Your Tags, Scripts, etc. Must You Act?
No. Your “receipt of a list of purportedly child-directed Web sites” does not in itself constitute actual knowledge, and you have “no duty to investigate” those sites’ or apps’ COPPA compliance. Thus, you needn’t take any action — though doing so may avoid further inquiries from advocates and regulators and thus be prudent. In addition, if you do any investigation, that may establish your “knowledge” — so once you start investigation, a duty may arise. Likewise, if the complaint you’ve received contains screen shots or other more detailed information, this may trigger “knowledge” as well.
Your Publisher Agreement Requires a Rep and Warranty that Your Scipt/Tags Will Not Be Placed on a Childrens’ Site. Can You Rely On That?
It depends. The FTC warns that a “specific affirmative representation” — i.e., a rep and warranty — contained as “a standard provision in your Terms of Service” is not sufficiently reliable to protect you, if it “stat[es] that, by incorporating your code, the first party agrees that it is not child directed.” The gyst of the FTC’s guidance appears to be that an ad platform should not rely on boilerplate reps in a standard form. But this guidance raises as many questions as it answers. For instance:
- What if the “standard provision in your Terms of Service” (or other Publisher Agreement) is a signed agreement — executed by company officers — rather than a click-through form? Shouldn’t a third party platform be allowed to rely on a signed representation from a counterparty’s officer?
- For that matter, what if the “Terms of Service” at issue is not a “standard provision” — but is sometimes in a Publisher Agreement and sometimes not. Does the fact that it’s “non-standard” help? (It’s unclear why it should, as a policy matter.)
- What if you receive a “specific affirmative representation” not as part of “your Terms of Service” but rather as a standalone representation?Say, an email sent to all publishers that requires them to confirm back that they are not placing tags/scripts on a childrens’ site of app? The new FAQs suggest that this would be of greater reliability that a mere “standard provision in your Terms of Service.” But from a legal standpoint, that seems counter-intuitive: the FTC is essentially deeming a Terms of Service provision –which is actually legally enforceable — to be less reliable than a standalone representation — which may have no legal effect at all given the likely existence of a merger clause in a Terms of Service or Publisher Agreement.
You’ve learned that despite your best efforts, you collected personal information from childrens sites after July 1, 2013. Assuming it’s impractical to get parental consent now, do you now have to delete that data and/or stop using the anonymous identifiers from that site/app?
Yes, you do. However, this doesn’t extend to data segments you’ve created that may have had many sources, including the childrens’ site/app in question. So according to the FTC, if you have “converted the data about websites visited into interest categories (e.g., sports enthusiast) and no longer have any indication about where the data originally came from, you can continue to use those interest categories without providing notice or obtaining verifiable parental consent.” This apparently applies even where, say, a majority of the data comprising the segments came from childrens’ sites (so long as you had no actual knowledge they were childrens’ sites at the time of collection). As a practical matter, sites that tag and source their data segments will not be able to take advantage of this, and will have to delete that data.
A Do-Not-Track-Children Signal?
The FTC appeared to signal a desire to develop a “formal industry standard or convention . . . through which a site or service could signal its child-directed status to [an ad platform], that would give rise to actual knowledge.” The FTC did not indicate whether there would be any Safe Harbor for ad platforms that engage in such an industry effort — in other words, removing any presumption or finding of knowledge from third parties that respect such a COPPA flag.” Such a Safe Harbor — were it proposed — might be welcomed by some industry advocates and provide a way through the thicket of fog that COPPA’s remaining uncertainties still pose for the online ad industry.
We will continue to closely follow all developments, and report on further clarifications.