• FTC Proposes Supplemental Revisions to Children’s Online Privacy Protection Rule - Proposed Rules Have Potential Consequences for Media Companies
  • September 4, 2012 | Authors: Louis J. Levy; S. Jenell Trigg
  • Law Firm: Lerman Senter PLLC - Washington Office
  • The Federal Trade Commission (“FTC”) recently issued a Supplemental Notice of Proposed Rulemaking (“SNPRM”) designed to bring new technologies, such as online advertising networks, mobile apps, and downloadable software kits, widgets and buttons (collectively, “plug-ins”) firmly within the jurisdiction of the Children’s Online Privacy Protection Act (“COPPA”).  The proposed rules, which supplement an initial NPRM published in September 2011, are intended to limit the ability of third parties such as Facebook, Twitter, or online advertising networks to collect personal information from children without verifiable parental consent through host websites that utilize their plug-ins.  The proposed rules will also make host websites and online services directly liable for data collected through such third-party plug-ins under certain circumstances.

    The most significant element of the SNPRM is the proposed modification of the definition of an “operator” for purposes of COPPA.  Under the current rules, host websites that act as a conduit for integrated third party plug-ins but do not have access to personal information collected by the third party are not considered an operator.  The proposed rule expands this definition to provide that an operator is responsible not only for the information it collects directly, but also for information collected in its interest or for its benefit.  If adopted, the rule would hold the owner of a child-directed website or online service liable for violations of COPPA rules committed by the owners of plug-ins that have been integrated into its website, even when the host operator does not own, control or have access to personal information collected through the plug-ins on its site.  The FTC believes that information collected through plug-ins offering enhanced functionality, content, and/or advertising revenue to the site or online service owner makes the owner responsible under COPPA.

    The FTC also proposes to clarify that persistent identifiers - such as cookies, IP addresses, and unique IDs for mobile devices - will be considered “personal information” only if they can be used to recognize a user over time or across different websites or online services, and only when they are used for purposes other than providing support for the internal operations of the site or online service.  Information collected for website maintenance and analysis, performance of network communication, user authentication or content personalization, serving contextual advertising, protection of website and user security, and fulfillment of a child’s request as provided in the current rules, would not give rise to a violation under COPPA.  However, information collected through these activities cannot be used or disclosed to contact a specific individual or for any other purpose.

    In light of the enhanced potential for COPPA liability now proposed, we recommend that all parties who integrate social networking buttons and other plug-ins, and online network advertising into their websites and online services directed to children or into the child-directed features of a general website, review the SNPRM to:

    • Understand the nature of the user personal information collected by the plug-ins on their websites, online services, and mobile apps;

    • Make sure that the data collection practices of the owners of the plug-ins integrated into the website or online services are COPPA-compliant before their integration;

    • Monitor the practices of the third party providers following integration to ensure continued compliance with COPPA; and

    • Remain alert to possible violations of these rules and adjust website and online service functions as appropriate.

    Comments to the SNPRM are due no later than September 24, 2012.