• FTC Issues Final COPPA Rule Amendments
  • January 17, 2013 | Authors: Louis J. Levy; S. Jenell Trigg
  • Law Firm: Lerman Senter PLLC - Washington Office
  • The Federal Trade Commission has issued final rules amending in a broad, sweeping manner its regulations under the Children’s Online Privacy Protection Act (“COPPA”). COPPA prohibits the online collection of personal information from children under age 13 without prior verifiable parental consent. The final rules, which are designed to bring social media, online advertising networks, mobile apps, and other new technology within COPPA’s jurisdiction, affect the way radio, television, and other media companies interact with their audiences and users online. The amended rules go into effect on July 1, 2013.

    Among the changes adopted, the FTC amended the following definitions to clarify COPPA’s application to social media and other new technology:

    Operator. The definition of an operator was revised to encompass not only the entity that operates the primary website or online service directed to children, but also any third party that collects personal information through the third party’s own services and technology on behalf of or for the benefit of the primary operator, such as downloadable plug-ins (for example, the Facebook “Like” button) or behavioral advertising networks. Accordingly, primary operators of child-directed websites and online services that integrate a third party plug-in or allow a third party service to collect personal information from children on behalf of or for the benefit of the primary operator without first obtaining parental consent are subject to a strict liability standard under COPPA for the actions of those third parties, even if the primary operator does not own, control, or have access to the information collected.

    All third party operators must be identified in the privacy policy for the primary website or the online service. However, the FTC retained its “single operator designee” practice, in which the primary operator is required to list the names of all other operators, but needs to list only the contact information for the one operator who will be responsible for responding to parents’ inquiries. As proposed, contact information for all operators would have needed to be included in the privacy policy.

    Website or Online Service Directed to Children. The definition of a website or online service directed to children has been expanded to include plug-ins or advertising networks that have “actual knowledge” they are collecting information from a child-directed website or online service. Although musical content or the presence of child celebrities and celebrities who appeal to children are additional criteria for determining whether a website or online service is directed to children, the FTC retained its “totality of the circumstances” analysis for evaluating the appeal of a website or online service to children. However, the rule differentiates between websites or online services for which the primary target audience is children, and those for which children are only a secondary audience. A website or online service that does not target children as a primary audience will not be deemed “directed to children” if it: (i) does not collect personal information from any visitor prior to collecting age information; and (ii) prevents the collection, use, or disclosure of personal information from visitors who identify themselves as under age 13 without first complying with COPPA’s notice and parental consent requirement.

    Personal Information. The definition of personal information has been revised to include geolocation information (which the FTC considers to be as little as a street name and city designation), as well as photographs, videos, and audio files that contain a child’s image or voice submitted by a child without any other identifier, such as a name or email address. This was not the case under the previous rules. Note also that this definition includes persistent identifiers that can be used to recognize a user over time and across different websites and online services, such as a customer number held in a cookie, an Internet Protocol (“IP”) address, a processor or device serial number, or a unique device identifier contained in smartphones and in mobile apps. However, prior parental consent will not be required for persistent identifiers used to “support the internal operations” of a website or online service, such as: (a) maintaining or analyzing the functioning of the website or online service; (b) performing network communications; (c) authenticating users of, or personalizing the content on, the website or online service; (d) serving contextual advertising on the website or online service or capping the frequency of advertising; (e) protecting the security or integrity of the user, website or online service; (f) ensuring legal or regulatory compliance; or (g) fulfilling a specific request of a child as permitted under specific exceptions to the COPPA rules. Screen or user names are also included in the revised definition of personal information when they function in the same manner as online contact information, the definition of which has been revised to include a non-exhaustive list of identifiers that would permit direct online contact with a child, such as instant messaging (IM), Voice over Internet Protocol (VoIP), and video chat, in addition to a standard or wireless email address.

    Collection of Personal Information. The definition of collects or collection of personal information has been expanded to include “requesting, prompting, or encouraging a child to submit personal information online.” This new definition also includes information that is optional in a registration or contest registration field, or collected in any public forum such as blogs or chat rooms. Operators can allow children to participate in interactive communities without prior parental consent provided that the operators take “reasonable measures to delete all or virtually all personal information from a child’s postings before they are made public” and “delete such information from their records.” The previous rule required 100% deletion of a child’s personal information to avoid COPPA liability.

    Other Amendments. The final rule also adds several new methods that operators can use to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, use of government-issued identification, and alternative payment systems such as debit cards and electronic payment systems. The method commonly called “Email Plus” - where the operator can seek consent by notifying a parent via email with a follow-up confirmation via email, phone, or other method - remains sufficient for operators that collect personal information for internal use only. All operators will be required to “take reasonable steps to release children’s personal information only to service providers and third parties who are capable of maintaining the confidentiality, security and integrity requirements of such information.” This new obligation requires some due diligence on the part of the operator before engaging a service provider or sharing personal information with an advertiser. The amendments also strengthen the FTC’s oversight of approved self-regulatory safe harbor programs by requiring them to conduct annual audits of their members and report the aggregated audit results to the FTC.

    In view of these amendments, all companies that maintain child-directed websites or online services, or maintain general audience websites or online services with a section targeted to children, will need to monitor the data collection practices of all third party plug-ins they install on their websites, in their apps, or on other online services to ensure that third parties fully comply with COPPA’s parental notice and consent requirements. Each such third party should also be required to represent and warrant that it will comply with the FTC’s amended COPPA regulations, and to provide indemnification with respect to any liability arising from COPPA violations by the third party. Further, companies should review and, if necessary, revise their own privacy policies to ensure that those policies are fully compliant with the requirements of the amended rules.