FTC Proposes Significant Changes to COPPA Rule

On September 15, the Federal Trade Commission (“FTC”) released its proposed revisions to the Children’s Online Privacy Protection Act (“COPPA”) Regulation. COPPA and the FTC’s COPPA Rule regulate the collection of personal information online from children under the age of thirteen. This proposed rule arises from an FTC COPPA Rule Review, through which the FTC solicited comments about every aspect of the COPPA Rule and held a public roundtable to discuss whether and how technological advances – such as the proliferation of social media, mobile computing, and mobile commerce – necessitated revisions to the COPPA Rule. After reviewing comments from stakeholders – including industry, advocacy groups, and academics – the FTC has proposed significant changes to the COPPA Rule that will have a marked effect on the operation of websites and other online services, including mobile applications, that collect personal information from children.

This is the first major revision to the COPPA Rule, and as the FTC wrote in the preamble to the proposed rule, “[t]he Commission remains deeply committed to helping to create a safer, more secure online experience for children and takes seriously the challenge to ensure that COPPA continues to meet its originally stated goals, even as online technologies, and children’s uses of such technologies, evolve.” While the proposed changes may help create a better online experience for children, the changes will also create significant regulatory hurdles for companies that will have to make changes to their current information practices to comply with any revised rule.

The proposed rule contemplates several major changes to the existing COPPA regime, which include:

  • clarification by the FTC that the COPPA Rule applies not only to websites, but also to other technologies that can be considered “online services,” such as mobile apps, network-connected games, and some text messages; 
  • a more expansive definition of “personal information” to include IP addresses, customer numbers held in cookies, device identifiers, the linking of information across websites, and geolocation information -- all of which may impact companies’ behavioral advertising activities;
  • streamlining and clarifying the notices that operators must provide to parents about their information collection practices;
  • changing the existing parental consent mechanism by removing the popular “email plus” verification method and adding several new methods;
  • enhancing security provisions and requiring operators to ensure that third-party service providers to whom an operator discloses a child’s personal information have reasonable privacy and security procedures in place; and
  • changing the existing COPPA Safe Harbor program to require “safe harbor programs” to exercise more oversight.

Applicability of COPPA to Evolving Technologies

The FTC used this proposed rule to clarify its position that the COPPA Rule applies to a host of current technologies that could be considered “online services.” This includes “mobile applications that allow children to play network-connected games, engage in social networking activities, purchase goods or services online, receive behaviorally targeted advertisements or interact with other content or services[;] . . . Internet-enabled gaming platforms, voice-over-Internet protocol services, and Internet-enabled location based services.” The FTC concedes that some SMS and MMS text messages would not constitute “online services” as they do not cross the public Internet; however, there is technology that allows users to send text messages utilizing “online services,” and these messages would be covered by the COPPA Rule.

The FTC has already begun enforcing the COPPA Rule more broadly to account for developing technologies. Just last month, the FTC reached a settlement with a mobile app developer for violations of the COPPA Rule. That settlement, coupled with the FTC’s express recognition of the need for rule changes to address new technologies and services, suggests that the FTC will likely enforce the COPPA Rule much more broadly than it has in the past. This means that any media that is targeted at children under the age of thirteen will have to analyze whether it can be considered an “online service” and take appropriate steps to comply with COPPA if necessary.

Definition of “Personal Information”

One of the most significant proposed changes to the COPPA Rule is to the definition of “personal information.” The definition of “personal information” is important as the COPPA Rule only applies to operators whose websites or online services are directed to children or who have actual knowledge that they are collecting personal information from a child under the age of thirteen. The proposed definition of “personal information” adds or changes the following categories of information:

  • Online contact information – the FTC proposes to include not only a child’s email address but also “any other substantially similar identifier that permits direct contact with a person online,” such as an instant messenger name, a video chat name or a VOIP identifier.
  • Screen names or user names – however, the FTC would not consider screen or user names that are only used to support internal operations to be “personal information.”
  • Persistent identifiers, including Internet Protocol (IP) addresses, customer numbers held in cookies, processor or device serial numbers, or unique device identifiers – however, the FTC would not consider these persistent identifiers that are only used to support internal operations to be “personal information.” This is a major change from the current COPPA Rule, which requires that a persistent identifier be associated with individually identifiable information to be considered “personal information.”
  • Identifiers that link activities of a child across different websites or online services – this category is “intended to serve as a catch-all category covering the online gathering of information about a child over time for the purposes of either profiling or delivering behavioral advertising to that child.”
  • Photographs, videos, or audio files that contain a child’s image or voice – the FTC proposes this change from the current standard which includes photographs only when they are combined with “other information such that the combination permits physical or online contacting.”
  • Geolocation information sufficient to identify a street name and name of a city or town.

Taken together, these proposed changes will significantly expand the scope of the COPPA Rule to operators that were not previously subject to the Rule. For one, the requirement that persistent identifiers only be used for internal operations or be considered “personal information” will force any operator having services directed to children or having knowledge that it is collecting information from children under 13 that wishes to provide targeted advertising to children to receive parental consent, even where such advertising is not based on what has been traditionally considered personally identifying information. The proposal also brings geolocation data into the definition of “personal information,” which will similarly require mobile apps or operators offering mobile apps to comply with the COPPA Rule. This proposed change will likely have the most significant effect on businesses as it would not only subject a wider array of entities to the COPPA Rule, but also may make it more difficult for a website or online service to determine whether it is subject to the COPPA Rule. 

Parental Notice

In the proposed rule, the FTC attempts to streamline the process by which operators are required to provide parents with notice of their privacy practices and the FTC tries to make the process easier for both operators and parents to understand. This change aligns with the FTC’s recent efforts to encourage businesses to provide consumers with more straightforward, understandable notice and choice about information practices. The proposed rule requires that a link to a notice of information practices must be prominently and clearly labeled and placed on a website’s homepage and at each page where personal information is collected in close proximity to the information request. The FTC both simplifies and expands the requirements for what must be included in the privacy policy, requiring they include:

  • Contact information for each operator – the current Rule allows multiple operators to select one operator to have their contact information listed.
  • What information is collected from children, and whether the website allows children to make this information publicly available.
  • How the operator uses the collected information.
  • The operator’s disclosure practices for collected information.
  • The fact that parents can review and delete or refuse the further collection of a child’s personal information, and the procedures for doing so.

The current COPPA Rule requires operators to send parents a direct notice, which informs the parent of a website’s information practices. The proposed rule reorganizes these provisions and includes specific information that an operator must address in different circumstances, including:

  • when affirmative parental consent is needed for the collection, use, or disclosure of a child’s personal information;
  • when a child’s online activities do not involve the collection, use, or disclosure of personal information;
  • when an operator intends to communicate with a child multiple times; and
  • when an operator collects a child’s personal information in order to protect a child’s safety.

While these proposed provisions may ultimately make compliance with the notice provisions easier for covered operators, these changes could require operators to expend time and resources to adjust current practices to comply with any new requirements. 

Parental Consent Mechanisms

The FTC proposes taking away one of the most popular parental consent mechanisms under the current COPPA Rule – email plus. Currently, operators who collect personal information and do not disclose this information to external parties can utilize this consent mechanism by sending a parent an email and then using another step – such as another email at a later date – to confirm the consent. However, in the proposed rule, the FTC suggests that this consent mechanism is prone to abuse (such as when a child simply provides his or her own email address) and has inhibited the development of better, more reliable parental consent mechanisms. Therefore, the FTC has proposed the elimination of the email plus method of parental consent.

The FTC has also proposed new methods of parental consent, including allowing parents to send electronic scans of signed consent forms, using video-conferencing to signal consent, and providing government-issued ID numbers that the operator can check against a database. If an operator collects government-issued ID numbers, the FTC proposes that this information must be promptly deleted after the verification is complete.

The FTC also hopes to spur industry to develop new methods of obtaining parental consent. To this end, the FTC has proposed creating a procedure by which an operator can seek FTC approval of a consent mechanism through a notice and comment process. The FTC also proposes to allow FTC-approved Safe Harbor programs to create consent mechanisms that their members can utilize.

The changes proposed by the FTC to the parental consent process could have a major impact on operators. Many websites currently rely on email plus to obtain consent from parents when the website will only be using the personal information collected from a child for internal purposes. The email plus method is often preferred as it is the easiest parental verification method to implement and it is also the least costly. The FTC proposal would require all operators to implement more robust parental verification methods. This change could mean that all of the operators currently using email plus will have to overhaul their parental verification practices. 

Confidentiality and Security Requirements

The current COPPA Rule requires operators to “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.” The proposed rule would require operators to also ensure that their service providers and any third parties to whom they disclose personal information have reasonable procedures in place.

Safe Harbor Program

The FTC has proposed some changes to the COPPA Safe Harbor program. These changes include:

  • requiring that entities that apply to be Safe Harbor self-regulatory bodies submit comprehensive information to the FTC about their ability to run an effective safe harbor program;
  • establishing more rigorous oversight of operators by Safe Harbor self-regulatory bodies, including annual, comprehensive reviews of operators’ information practices;
  • requiring Safe Harbor self-regulatory bodies to submit regular reports to the FTC, including the results of annual operator reviews.

As discussed above, the proposed changes to the COPPA Rule are far-reaching and may have significant impacts on businesses’ current practices. Comments on the proposed rule must be submitted to the FTC by November 28, 2011.

FTC Focusing on Child Identity Theft, Holding Forum on July 12

Emblematic of the increasing attention to children’s privacy, on July 12, 2011, the Federal Trade Commission (FTC) and the Department of Justice’s Office for Victims of Crime (OVC) are jointly hosting a day-long forum about child identity theft. The forum, entitled “Stolen Futures: A Forum on Child Identity Theft,” will discuss foster care and familial identity theft, which is a growing problem in these difficult economic times. Identity thieves often utilize their children’s or young relatives’ information to obtain credit cards and other credit, and children’s sensitive personal information is vulnerable to misuse for other reasons as well. This forum follows the FTC’s roundtable last year on its Children’s Online Privacy Protection Act (COPPA) rule.

The FTC has noted that businesses may have a particular interest in children’s identity theft for a couple of reasons, which include raising awareness about this important issue and helping to stop an activity that can have significant economic consequences to businesses.

The forum will be held at the FTC’s Conference Center at 601 New Jersey Avenue in Washington, DC. Additional information, including a tentative agenda, is available on the FTC's website.

FTC Announces COPPA Enforcement Action

On October 20, 2009, the FTC announced a settlement with Iconix Brand Group, Inc., pursuant to which Iconix will pay a $250,000 penalty to settle the FTC’s charges that it violated the Children’s Online Privacy Protection Act (COPPA) and the COPPA Rule by knowingly collecting, using, and disclosing personal information from children online without first obtaining their parents’ consent.

Iconix, which owns, licenses, and markets several popular apparel brands, including Mudd, Candie’s, Bongo, and OP, required consumers on many of its websites to provide personal information, including full name, email address, mailing address, and phone number, in order to receive brand updates, enter sweepstakes, and participate in other website features. According to the FTC, one of the websites allowed consumers to share photos and personal stories online. In connection with the collection of personal information, the websites required that consumers provide their date of birth.

The FTC alleged that since 2006, Iconix knowingly collected, maintained, and/or disclosed personal information of approximately 1,000 children under the age of 13 without first notifying their parents or obtaining parental consent, in violation of COPPA. Additionally, the FTC alleged that Iconix’s statements in its online privacy policy that it would not seek to collect personal information from children under 13 without prior parental consent and that it would delete any such information about which it became aware, were misrepresentations, constituting deceptive acts or practices in violation of Section 5 of the FTC Act.

The settlement order requires Iconix to pay a $250,000 civil penalty, delete all personal information collected and maintained in violation of COPPA, and comply with certain consumer education, record-keeping, and reporting requirements.

Interestingly, this appears to be a fairly large settlement amount for a relatively small number of children whose information was allegedly collected in violation of COPPA.  Previous recent FTC COPPA settlements include the 2008 Sony BMG Music settlement, which involved a $1 million civil penalty and the collection of personal information from over 30,000 children; the 2008 imbee.com settlement, involving a $130,000 civil penalty and the collection of personal information from 10,500 children; and the 2006 Xanga.com settlement, which imposed a $1 million civil penalty and involved the collection of personal information from 1.7 million children.

Maine Law to Protect Kids from Predatory Marketing Effectively On Hold

When the State of Maine enjoyed a reputation as a bellwether for presidential elections, this expression was in common parlance:

As Maine goes, so goes the nation?

A host of businesses and colleges are hoping that old adage has no relevance when it comes to new laws to protect kids online. Maine's “Act To Prevent Predatory Marketing Practices Against Minors,” effective September 12, 2009, was the source of major controversy and litigation over the Summer because of the law's extreme overbreadth. See, e.g., "Child-Proofing Your Ads: New Maine Law restricts Marketing to Minors", National Law Journal (August 4, 2009).

A lawsuit brought to enjoin the law from going into effect resulted in the plaintiffs and Maine's Attorney General agreeing that the law could violate the First Amendment to the United States Constitution because of its overbreadth.  U.S. District Judge John A. Woodcock dismissed the lawsuit without prejudice, observing that "[t]he Attorney General has acknowledged her concerns over the substantial overbreadth of the statute and the implications ... and accordingly has committed not to enforce it.”  The Order goes on to say any private suits brought under the law “could suffer from the same constitutional infirmities.”   Thus, most observers believe that businesses run little risk from non-compliance with the law in light of the Judge's observations even though they are dicta.

Even the sponsor of  the law now recognizes that it has problems, but according to press reports blames that on the fact that no one raised any issues during the public hearings on the legislation leading to the law. The law is expected to be revised when the Maine legislature reconvenes in January 2010.

It was over the course of the Summer when Maine’s leaders came to recognize that the hastily-passed law, although bearing a laudable pro-kids/anti-predation title, may not have been exactly what they thought it was. The closer look prompted serious second thoughts and the lawsuit that effectively stays enforcement of the law.

  • To start with, the Maine law goes well beyond predatory practices because it covers all marketing to people under 18 in Maine, whether you know they are under 18 or not. And it greatly exceeds the scope of the federal Children’s Online Privacy Protection Act of 1998  (“COPPA”). 
    • On a national level, COPPA requires web site operators to obtain verifiable parental consent before collecting personal information online from children. While COPPA applies to children under 13 years old, the Maine law includes anyone under age 18 and makes no distinction between information collection online or offline – it all is covered whether the business has a commercial web site or not. And unlike COPPA, which does not provide for a private cause of action, the Maine law allows individuals to bring civil suits and to seek punitive damages, equitable relief and attorney costs.
  • Section 9552 of the Maine law prohibits knowingly collecting or receiving "health-related information or personal information for marketing purposes from a minor without first obtaining verifiable parental consent." It also prohibits selling, offering to sell or otherwise transferring to another "health-related information or personal information about a minor."
  • Section 9553 flatly prohibits using health-related or personal information about a minor for "marketing a product or service to that minor or promoting any course of action for the minor relating to a product." There is no parental consent exception. So, while businesses may be able to collect, receive and sell a minor's information, as long as there is verifiable parental consent, they may not use that information for marketing regardless of parental consent prior to collecting the data.

Like many state privacy laws, the coverage of the law extends to those wherever located who collect information from state residents. Thus, businesses nationwide are covered. And those businesses appear to be prohibited from sending to those under 18 in Maine any marketing information, even materials requested by Maine kids like college information and volunteer service brochures. No provision is made in the law for non-profit or educational institutions. And, again, notably, the law does not require knowledge that the person to whom marketing information is sent is under 18, making compliance even more difficult.

At web sites where kids have signed up legally, the sites are banned from communicating with those people if there is a marketing message, even where there is a bona fide request for information.  

And so, businesses of all types would have a hard time figuring out how to exclude Maine’s minors from their marketing efforts without thwarting their legal right to send information to people in the 49 other states, DC and the territories.  That is why the lawsuit seeking an injunction against the law going into effect was brought.  The judge's order avoided an injunction against the State but made it clear that the law had Constitutional deficiencies. 

States often are heralded as incubators of our nation’s privacy laws, but in Maine, the “baby” may not be exactly what the parents expected.