FTC Extends Deadline for COPPA Comments from Nov. 28 to Dec. 23

The FTC today extended to December 23 the deadline for public comments to its proposed revisions to the Children’s Online Privacy Protection Rule, which regulates the collection of personal information online from children under 13 under the Children’s Online Privacy Protection Act (“COPPA”). Back in September, we extensively summarized the FTC’s announcement of the proposed revisions, which contemplate several major changes to the existing COPPA regime including:

  • clarifying that the COPPA Rule applies not only to websites, but also to other technologies that can be considered “online services,” such as mobile apps, network-connected games, and some text messages; 
  • a more expansive definition of “personal information” to include IP addresses, customer numbers held in cookies, device identifiers, the linking of information across websites, and geolocation information – all of which may impact companies’ behavioral advertising activities;
  • streamlining and clarifying the notices that operators must provide to parents about their information collection practices;
  • changing the existing parental consent mechanism by removing the popular “email plus” verification method and adding several new methods;
  • enhancing security provisions and requiring operators to ensure that third-party service providers to whom an operator discloses a child’s personal information have reasonable privacy and security procedures in place; and
  • changing the existing COPPA enforcement program to require “safe harbor programs” to exercise more oversight.

The previous deadline for the submission of comments was November 28.

FTC Announces First Flash Cookie Enforcement and Settlement with Child Social Network

This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office.

The Federal Trade Commission (FTC) yesterday announced settlements with two online companies for deceptively collecting personal information from consumers.  In the first enforcement action against the use of Flash cookies, the FTC alleged that ScanScout, an online behavioral advertiser that was recently acquired by Tremor Video, circumvented user choice by collecting information through Flash cookies even while telling consumers they could opt out of this collection through other means. In the case of Skid-e-Kids, a social networking website that targets children, the FTC alleged violations of both the FTC Act and Children’s Online Privacy Protection Act (“COPPA”) for the collection of personal information from children without parental consent. 

ScanScout

ScanScout, which claims it is the “web’s largest in-stream video ad network,” agreed to settle FTC charges that it violated Section 5 of the FTC Act by failing to live up to representations made in its website privacy policy. The FTC’s complaint states that ScanScout’s privacy policy claimed that users could “opt out of receiving a cookie by changing [their] browser settings to prevent the receipt of cookies.” Despite this representation, ScanScout used Flash cookies, which are locally stored files associated with the Adobe Flash Player, to track user behavior; these could not be blocked by changing browser settings as the privacy policy indicated. The FTC deemed ScanScout’s inaccurate description of the ways that consumers could opt out of tracking to be a deceptive act or practice that violated Section 5 of the FTC Act. The privacy policies of many websites and Internet-based applications state that consumers can opt out of tracking by disabling cookies, so these companies should reexamine whether they (or their web vendors) also use Flash cookies, HTML5, ETags, or any other tracking methods that would not cease when users disable traditional HTTP cookies.

Under the consent decree (PDF), the FTC barred ScanScout from misrepresenting its online information practices, including how consumers’ data is collected, used, shared, and disclosed, and required ScanScout to implement measures aimed at providing consumers with more effective notice of how their data is used and simplified methods by which consumers may opt out of such use. 

As a corollary, the FTC yesterday released a consumer education article, entitled “Cookies: Leaving a Trail on the Web (PDF),” which explains how cookies can monitor online activity and how users can control this monitoring, including a section on controlling Flash cookies.

Skid-e-Kids

Skid-e-Kids, the self-proclaimed “Facebook and Myspace for kids,” agreed to settle FTC charges that it violated the COPPA Rule and made deceptive claims in violation of Section 5 of the FTC Act. 

The COPPA Rule requires that any collection, use, or disclosure of personally identifiable information of a child under 13 be preceded by verifiable parental consent. The FTC’s complaint (PDF) alleges that Skid-e-Kids collected personally identifiable information from approximately 5,600 underage users without first obtaining parental consent, a violation of the COPPA Rule. This enforcement action comes on the heels of the FTC’s recent proposal to amend the COPPA Rule aimed at keeping pace with developments in the online world, including the advent of social networks and the development of smartphone and geolocation technology.

The complaint also alleges that Skid-e-Kids represented in its privacy policy that a child’s account would not be activated until it received parental consent. Nevertheless, Skid-e-Kids registered children and activated their accounts without parental consent, and subsequently collected personally identifiable information from those registered child users. The FTC found that Skid-e-Kids’ failure to live up to the representations made in its privacy policy constituted a deceptive act or practice that violated Section 5 of the FTC Act.   

Under the consent decree (PDF), the FTC barred Skid-e-Kids from misrepresenting the details of its collection, use, and disclosure of children’s personal information. The settlement also required Skid-e-Kids to delete the information collected; provide links to a government website that educates consumers on children’s privacy issues on the Skid-e-Kids website, in notices sent to parents, and in its privacy policy; and employ a third-party oversight mechanism that will ensure future compliance with COPPA. In addition, the settlement imposed a civil penalty of $100,000 on the operator of the website, though all but $1,000 of it was suspended.

FTC Proposes Significant Changes to COPPA Rule

On September 15, the Federal Trade Commission (“FTC”) released its proposed revisions to the Children’s Online Privacy Protection Act (“COPPA”) Regulation. COPPA and the FTC’s COPPA Rule regulate the collection of personal information online from children under the age of thirteen. This proposed rule arises from an FTC COPPA Rule Review, through which the FTC solicited comments about every aspect of the COPPA Rule and held a public roundtable to discuss whether and how technological advances – such as the proliferation of social media, mobile computing, and mobile commerce – necessitated revisions to the COPPA Rule. After reviewing comments from stakeholders – including industry, advocacy groups, and academics – the FTC has proposed significant changes to the COPPA Rule that will have a marked effect on the operation of websites and other online services, including mobile applications, that collect personal information from children.

This is the first major revision to the COPPA Rule, and as the FTC wrote in the preamble to the proposed rule, “[t]he Commission remains deeply committed to helping to create a safer, more secure online experience for children and takes seriously the challenge to ensure that COPPA continues to meet its originally stated goals, even as online technologies, and children’s uses of such technologies, evolve.” While the proposed changes may help create a better online experience for children, the changes will also create significant regulatory hurdles for companies that will have to make changes to their current information practices to comply with any revised rule.

The proposed rule contemplates several major changes to the existing COPPA regime, which include:

  • clarification by the FTC that the COPPA Rule applies not only to websites, but also to other technologies that can be considered “online services,” such as mobile apps, network-connected games, and some text messages; 
  • a more expansive definition of “personal information” to include IP addresses, customer numbers held in cookies, device identifiers, the linking of information across websites, and geolocation information – all of which may impact companies’ behavioral advertising activities;
  • streamlining and clarifying the notices that operators must provide to parents about their information collection practices;
  • changing the existing parental consent mechanism by removing the popular “email plus” verification method and adding several new methods;
  • enhancing security provisions and requiring operators to ensure that third-party service providers to whom an operator discloses a child’s personal information have reasonable privacy and security procedures in place; and
  • changing the existing COPPA Safe Harbor program to require “safe harbor programs” to exercise more oversight.

Applicability of COPPA to Evolving Technologies

The FTC used this proposed rule to clarify its position that the COPPA Rule applies to a host of current technologies that could be considered “online services.” This includes “mobile applications that allow children to play network-connected games, engage in social networking activities, purchase goods or services online, receive behaviorally targeted advertisements or interact with other content or services[;] . . . Internet-enabled gaming platforms, voice-over-Internet protocol services, and Internet-enabled location based services.” The FTC concedes that some SMS and MMS text messages would not constitute “online services” as they do not cross the public Internet. However, there is technology that allows users to send text messages utilizing “online services,” and these messages would be covered by the COPPA Rule.

The FTC has already begun enforcing the COPPA Rule more broadly to account for developing technologies. Just last month, the FTC reached a settlement with a mobile app developer for violations of the COPPA Rule. That settlement, coupled with the FTC’s express recognition of the need for rule changes to address new technologies and services, suggests that the FTC will likely enforce the COPPA Rule much more broadly than it has in the past. This means that any media that is targeted at children under the age of thirteen will have to analyze whether it can be considered an “online service” and take appropriate steps to comply with COPPA if necessary.

Definition of “Personal Information”

One of the most significant proposed changes to the COPPA Rule is to the definition of “personal information.” The definition of “personal information” is important as the COPPA Rule only applies to operators whose websites or online services are directed to children or who have actual knowledge that they are collecting personal information from a child under the age of thirteen. The proposed definition of “personal information” adds or changes the following categories of information:

  • Online contact information – the FTC proposes to include not only a child’s email address but also “any other substantially similar identifier that permits direct contact with a person online,” such as an instant messenger name, a video chat name or a VOIP identifier.
  • Screen names or user names – however, the FTC would not consider screen or user names that are only used to support internal operations to be “personal information.”
  • Persistent identifiers, including Internet Protocol (IP) addresses, customer numbers held in cookies, processor or device serial numbers, or unique device identifiers – however, the FTC would not consider these persistent identifiers that are only used to support internal operations to be “personal information.” This is a major change from the current COPPA Rule, which requires that a persistent identifier be associated with individually identifiable information to be considered “personal information.”
  • Identifiers that link activities of a child across different websites or online services – this category is “intended to serve as a catch-all category covering the online gathering of information about a child over time for the purposes of either profiling or delivering behavioral advertising to that child.”
  • Photographs, videos, or audio files that contain a child’s image or voice – the FTC proposes this change from the current standard which includes photographs only when they are combined with “other information such that the combination permits physical or online contacting.”
  • Geolocation information sufficient to identify a street name and name of a city or town.

Taken together, these proposed changes will significantly expand the scope of the COPPA Rule to operators that were not previously subject to the Rule. For one, because persistent identifiers will be considered “personal information” unless they are used only for internal operations, any operator that has services directed to children, or that knows it is collecting information from children under 13, and that wishes to provide targeted advertising to children will have to obtain parental consent, even where such advertising is not based on what has traditionally been considered personally identifying information. The proposal also brings geolocation data into the definition of “personal information,” which will similarly require mobile apps or operators offering mobile apps to comply with the COPPA Rule. This proposed change will likely have the most significant effect on businesses, as it would not only subject a wider array of entities to the COPPA Rule but also may make it more difficult for a website or online service to determine whether it is subject to the COPPA Rule.

Parental Notice

In the proposed rule, the FTC attempts to streamline the process by which operators are required to provide parents with notice of their privacy practices and tries to make the process easier for both operators and parents to understand. This change aligns with the FTC’s recent efforts to encourage businesses to provide consumers with more straightforward, understandable notice and choice about information practices. The proposed rule requires that a link to a notice of information practices be prominently and clearly labeled and placed on a website’s homepage and, on each page where personal information is collected, in close proximity to the information request. The FTC both simplifies and expands the requirements for what must be included in the privacy policy, requiring that it include:

  • Contact information for each operator – the current Rule allows multiple operators to select one operator to have their contact information listed.
  • What information is collected from children, and whether the website allows children to make this information publicly available.
  • How the operator uses the collected information.
  • The operator’s disclosure practices for collected information.
  • The fact that parents can review and delete or refuse the further collection of a child’s personal information, and the procedures for doing so.

The current COPPA Rule requires operators to send parents a direct notice, which informs the parent of a website’s information practices. The proposed rule reorganizes these provisions and includes specific information that an operator must address in different circumstances, including:

  • when affirmative parental consent is needed for the collection, use, or disclosure of a child’s personal information;
  • when a child’s online activities do not involve the collection, use, or disclosure of personal information;
  • when an operator intends to communicate with a child multiple times; and
  • when an operator collects a child’s personal information in order to protect a child’s safety.

While these proposed provisions may ultimately make compliance with the notice provisions easier for covered operators, these changes could require operators to expend time and resources to adjust current practices to comply with any new requirements. 

Parental Consent Mechanisms

The FTC proposes taking away one of the most popular parental consent mechanisms under the current COPPA Rule – email plus. Currently, operators who collect personal information and do not disclose this information to external parties can utilize this consent mechanism by sending a parent an email and then using another step – such as another email at a later date – to confirm the consent. However, in the proposed rule, the FTC suggests that this consent mechanism is prone to abuse (such as when a child simply provides his or her own email address) and has inhibited the development of better, more reliable parental consent mechanisms. Therefore, the FTC has proposed the elimination of the email plus method of parental consent.

The FTC has also proposed new methods of parental consent, including allowing parents to send electronic scans of signed consent forms, using video-conferencing to signal consent, and providing government-issued ID numbers that the operator can check against a database. If an operator collects government-issued ID numbers, the FTC proposes that this information must be promptly deleted after the verification is complete.

The FTC also hopes to spur industry to develop new methods of obtaining parental consent. To this end, the FTC has proposed creating a procedure by which an operator can seek FTC approval of a consent mechanism through a notice and comment process. The FTC also proposes to allow FTC-approved Safe Harbor programs to create consent mechanisms that their members can utilize.

The changes proposed by the FTC to the parental consent process could have a major impact on operators. Many websites currently rely on email plus to obtain consent from parents when the website will only be using the personal information collected from a child for internal purposes. The email plus method is often preferred as it is the easiest parental verification method to implement and it is also the least costly. The FTC proposal would require all operators to implement more robust parental verification methods. This change could mean that all of the operators currently using email plus will have to overhaul their parental verification practices. 

Confidentiality and Security Requirements

The current COPPA Rule requires operators to “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.” The proposed rule would require operators to also ensure that their service providers and any third parties to whom they disclose personal information have reasonable procedures in place.

Safe Harbor Program

The FTC has proposed some changes to the COPPA Safe Harbor program. These changes include:

  • requiring that entities that apply to be Safe Harbor self-regulatory bodies submit comprehensive information to the FTC about their ability to run an effective safe harbor program;
  • establishing more rigorous oversight of operators by Safe Harbor self-regulatory bodies, including annual, comprehensive reviews of operators’ information practices;
  • requiring Safe Harbor self-regulatory bodies to submit regular reports to the FTC, including the results of annual operator reviews.

As discussed above, the proposed changes to the COPPA Rule are far-reaching and may have significant impacts on businesses’ current practices. Comments on the proposed rule must be submitted to the FTC by November 28, 2011.

Cloud Computing for Regulated Industries: Security Requirements Differ

Data stored in the cloud will be subject to numerous data security laws, explains Hogan Lovells partner Phil Porter in a recent article. Specific types of data will trigger different security regulations, ranging from HIPAA rules for health data, to Gramm-Leach-Bliley Act rules for financial service data, to COPPA for data about children. Hosting data in the cloud in the U.S. might also subject it to U.S. national security rules, including the USA Patriot Act. Cloud service providers and customers need to tailor their contractual provisions to match these regulatory imperatives.

FTC Focusing on Child Identity Theft, Holding Forum on July 12

Emblematic of the increasing attention to children’s privacy, on July 12, 2011, the Federal Trade Commission (FTC) and the Department of Justice’s Office for Victims of Crime (OVC) are jointly hosting a day-long forum about child identity theft. The forum, entitled “Stolen Futures: A Forum on Child Identity Theft,” will discuss foster care and familial identity theft, which is a growing problem in these difficult economic times. Identity thieves often use their children’s or young relatives’ information to obtain credit cards and other credit, and children’s sensitive personal information is vulnerable to misuse for other reasons as well. This forum follows the FTC’s roundtable last year on its Children’s Online Privacy Protection Act (COPPA) rule.

The FTC has noted that businesses may have a particular interest in children’s identity theft for a couple of reasons, which include raising awareness about this important issue and helping to stop an activity that can have significant economic consequences to businesses.

The forum will be held at the FTC’s Conference Center at 601 New Jersey Avenue in Washington, DC. Additional information, including a tentative agenda, is available on the FTC's website.

FTC Announces COPPA Enforcement Action

On October 20, 2009, the FTC announced a settlement with Iconix Brand Group, Inc., pursuant to which Iconix will pay a $250,000 penalty to settle the FTC’s charges that it violated the Children’s Online Privacy Protection Act (COPPA) and the COPPA Rule by knowingly collecting, using, and disclosing personal information from children online without first obtaining their parents’ consent.

Iconix, which owns, licenses, and markets several popular apparel brands, including Mudd, Candie’s, Bongo, and OP, required consumers on many of its websites to provide personal information, including full name, email address, mailing address, and phone number, in order to receive brand updates, enter sweepstakes, and participate in other website features. According to the FTC, one of the websites allowed consumers to share photos and personal stories online. In connection with the collection of personal information, the websites required that consumers provide their date of birth.

The FTC alleged that since 2006, Iconix knowingly collected, maintained, and/or disclosed personal information of approximately 1,000 children under the age of 13 without first notifying their parents or obtaining parental consent, in violation of COPPA. Additionally, the FTC alleged that Iconix’s statements in its online privacy policy, that it would not seek to collect personal information from children under 13 without prior parental consent and that it would delete any such information of which it became aware, were misrepresentations, constituting deceptive acts or practices in violation of Section 5 of the FTC Act.

The settlement order requires Iconix to pay a $250,000 civil penalty, delete all personal information collected and maintained in violation of COPPA, and comply with certain consumer education, record-keeping, and reporting requirements.

Interestingly, this appears to be a fairly large settlement amount for a relatively small number of children whose information was allegedly collected in violation of COPPA. Other recent FTC COPPA settlements include the 2008 Sony BMG Music settlement, which involved a $1 million civil penalty and the collection of personal information from over 30,000 children; the 2008 imbee.com settlement, involving a $130,000 civil penalty and the collection of personal information from 10,500 children; and the 2006 Xanga.com settlement, which imposed a $1 million civil penalty and involved the collection of personal information from 1.7 million children.