Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy

FTC Proposes Significant Changes to COPPA Rule

On September 15, the Federal Trade Commission (“FTC”) released its proposed revisions to the Children’s Online Privacy Protection Act (“COPPA”) Regulation. COPPA and the FTC’s COPPA Rule regulate the collection of personal information online from children under the age of thirteen. This proposed rule arises from an FTC COPPA Rule Review, through which the FTC solicited comments about every aspect of the COPPA Rule and held a public roundtable to discuss whether and how technological advances – such as the proliferation of social media, mobile computing, and mobile commerce – necessitated revisions to the COPPA Rule. After reviewing comments from stakeholders – including industry, advocacy groups, and academics – the FTC has proposed significant changes to the COPPA Rule that will have a marked effect on the operation of websites and other online services, including mobile applications, that collect personal information from children.

This is the first major revision to the COPPA Rule, and as the FTC wrote in the preamble to the proposed rule, “[t]he Commission remains deeply committed to helping to create a safer, more secure online experience for children and takes seriously the challenge to ensure that COPPA continues to meet its originally stated goals, even as online technologies, and children’s uses of such technologies, evolve.” While the proposed changes may help create a better online experience for children, the changes will also create significant regulatory hurdles for companies that will have to make changes to their current information practices to comply with any revised rule.

The proposed rule contemplates several major changes to the existing COPPA regime, which include:

  • clarification by the FTC that the COPPA Rule applies not only to websites, but also to other technologies that can be considered “online services,” such as mobile apps, network-connected games, and some text messages; 
  • a more expansive definition of “personal information” to include IP addresses, customer numbers held in cookies, device identifiers, the linking of information across websites, and geolocation information — all of which may impact companies’ behavioral advertising activities;
  • streamlining and clarifying the notices that operators must provide to parents about their information collection practices;
  • changing the existing parental consent mechanism by removing the popular “email plus” verification method and adding several new methods;
  • enhancing security provisions and requiring operators to ensure that third-party service providers to whom an operator discloses a child’s personal information have reasonable privacy and security procedures in place; and
  • changing the existing COPPA Safe Harbor program to require “safe harbor programs” to exercise more oversight.

Applicability of COPPA to Evolving Technologies

The FTC used this proposed rule to clarify its position that the COPPA Rule applies to a host of current technologies that could be considered “online services.” This includes “mobile applications that allow children to play network-connected games, engage in social networking activities, purchase goods or services online, receive behaviorally targeted advertisements or interact with other content or services[;] . . . Internet-enabled gaming platforms, voice-over-Internet protocol services, and Internet-enabled location based services.” The FTC concedes that some SMS and MMS text messages would not constitute “online services” as they do not cross the public Internet, however there is technology that allows users to send text messages utilizing “online services,” and these message would be covered by the COPPA Rule.

The FTC has already begun enforcing the COPPA Rule more broadly to account for developing technologies. Just last month, the FTC reached a settlement with a mobile app developer for violations of the COPPA Rule. That settlement, coupled with the FTC’s express recognition of the need for rule changes to address new technologies and services, suggests that the FTC will likely enforce the COPPA Rule much more broadly than it has in the past. This means that any media that is targeted at children under the age of thirteen will have to analyze whether it can be considered an “online service” and take appropriate steps to comply with COPPA if necessary.

Definition of “Personal Information"

One of the most significant proposed changes to the COPPA Rule is to the definition of “personal information.” The definition of “personal information” is important as the COPPA Rule only applies to operators whose websites or online service are directed to children or who have actual knowledge that they are collecting personal information from a child under the age of thirteen. The proposed definition of “personal information” adds or changes the following categories of information:

  • Online contact information – the FTC proposes to include not only a child’s email address but also “any other substantially similar identifier that permits direct contact with a person online,” such as an instant messenger name, a video chat name or a VOIP identifier.
  • Screen names or user names – however, the FTC would not consider screen or user names that are only used to support internal operations to be “personal information."
  • Persistent identifiers, including Internet Protocol (IP) addresses, customer numbers held in cookies, processor or device serial numbers, or unique device identifiers – however, the FTC would not consider these persistent identifiers that are only used to support internal operations to be “personal information.” This is a major change from the current COPPA Rule, which requires that a persistent identifier be associated with individually identifiable information to be considered “personal information.”
  • Identifiers that link activities of a child across different websites or online services – this category is “intended to serve as a catch-all category covering the online gathering of information about a child over time for the purposes of either profiling or delivering behavioral advertising to that child.”
  • Photographs, videos, or audio files that contain a child’s image or voice – the FTC proposes this change from the current standard which includes photographs only when they are combined with “other information such that the combination permits physical or online contacting.”
  • Geolocation information sufficient to identify a street name and name of a city or town.

Taken together, these proposed changes will significantly expand the scope of the COPPA Rule to operators that were not previously subject to the Rule. For one, the requirement that persistent identifiers only be used for internal operations or be considered “personal information” will force any operator having services directed to children or having knowledge that it is collecting information from children under 13 that wishes to provide targeted advertising to children to receive parental consent, even where such advertising is not based on what has been traditionally considered personally identifying information. The proposal also brings geolocation data into the definition of “personal information,” which will similarly require mobile apps or operators offering mobile apps to comply with the COPPA Rule. This proposed change will likely have the most significant effect on businesses as it would not only subject a wider array of entities to the COPPA Rule, but also may make it more difficult for a website or online service to determine whether it is subject to the COPPA Rule. 

Parental Notice

In the proposed rule, the FTC attempts to streamline the process by which operators are required to provide parents with notice of their privacy practices and the FTC tries to make the process easier for both operators and parents to understand. This change aligns with the FTC’s recent efforts to encourage businesses to provide consumers with more straightforward, understandable notice and choice about information practices. The proposed rule requires that a link to a notice of information practices must be prominently and clearly labeled and placed on a website’s homepage and at each page where personal information is collected in close proximity to the information request. The FTC both simplifies and expands the requirements for what must be included in the privacy policy, requiring they include:

  • Contact information for each operator – the current Rule allows multiple operators to select one operator to have their contact information listed.
  • What information is collected from children, and whether the website allows children to make this information publicly available.
  • How the operator uses the collected information.
  • The operator’s disclosure practices for collected information.
  • The fact that parents can review and delete or refuse the further collection of a child’s personal information, and the procedures for doing so.

The current COPPA Rule requires operators to send parents a direct notice, which informs the parent of a website’s information practices. The proposed rule reorganizes these provisions and includes specific information that an operator must address in different circumstances, including:

  • when affirmative parental consent is needed for the collection, use, or disclosure of a child’s personal information;
  • when a child’s online activities do not involve the collection, use, or disclosure of personal information;
  • when an operator intends to communicate with a child multiple times; and
  • when an operator collects a child’s personal information in order to protect a child’s safety.

While these proposed provisions may ultimately make compliance with the notice provisions easier for covered operators, these changes could require operators to expend time and resources to adjust current practices to comply with any new requirements. 

Parental Consent Mechanisms

The FTC proposes taking away one of the most popular parental consent mechanism under the current COPPA Rule – email plus. Currently, operators who collect personal information and do not disclose this information to external parties can utilize this consent mechanism by sending a parent an email and then using another step – such as another email at a later date – to confirm the consent. However, in the proposed rule, the FTC suggests that this consent mechanism is prone to abuse (such as when a child simply provides his or her own email address) and has inhibited the development of better, more reliable parental consent mechanisms. Therefore, the FTC has proposed the elimination of the email plus method of parental consent.

The FTC has also proposed new methods of parental consent, including allowing parents to send electronic scans of signed consent forms, using video-conferencing to signal consent, and providing government-issued ID numbers that the operator can check against a database. If an operator collects government-issued ID numbers, the FTC proposes that this information must be promptly deleted after the verification is complete.

The FTC also hopes to spur industry to develop new methods of obtaining parental consent. To this end, the FTC has proposed creating a procedure by which an operator can seek FTC approval of a consent mechanism through a notice and comment process. The FTC also proposes to allow FTC-approved Safe Harbor programs to create consent mechanism that their members can utilize.

The changes proposed by the FTC to the parental consent process could have a major impact on operators. Many websites currently rely on email plus to obtain consent from parents when the website will only be using the personal information collected from a child for internal purposes. The email plus method is often preferred as it is the easiest parental verification method to implement and it is also the least costly. The FTC proposal would require all operators to implement more robust parental verification methods. This change could mean that all of the operators currently using email plus will have to overhaul their parental verification practices. 

Confidentiality and Security Requirements

The current COPPA Rule requires operators to “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.” The proposed rule would require operators to also ensure that their service providers and any third parties to whom they disclose personal information have reasonable procedures in place.

Safe Harbor Program

The FTC has proposed some changes to the COPPA Safe Harbor program. These changes include:

  • requiring that entities that apply to be Safe Harbor self-regulatory bodies submit comprehensive information to the FTC about their ability to run an effective safe harbor program;
  • establishing more rigorous oversight of operators by Safe Harbor self-regulatory bodies, including annual, comprehensive reviews of operators’ information practices;
  • requiring Safe Harbor self-regulatory bodies to submit regular reports to the FTC, including the results of annual operator reviews.

As discussed above, the proposed changes to the COPPA Rule are far-reaching and may have significant impacts on businesses current practices. Comments on the proposed rule must be submitted to the FTC by November 28, 2011.