On February 27, 2019, the Federal Trade Commission (“FTC”) announced that it settled with the operators of a video social networking app for a record civil penalty of $5.7 million under the Children’s Online Privacy Protection Act (“COPPA”). This FTC COPPA action was notable not just for the size of the penalty, but also because of the joint statement by the two Democratic Commissioners, Rebecca Slaughter and Rohit Chopra, that future FTC enforcement should seek to hold corporate officers and directors accountable for violations of consumer protection law.
On December 4, 2018, the New York Attorney General (NYAG) announced that Oath Inc., which was known until June 2017 as AOL Inc. (AOL), has agreed to pay a $4.95 million civil penalty to settle allegations that AOL’s ad exchange practices violated the Children’s Online Privacy Protection Act (COPPA). The $4.95 million penalty is the largest ever assessed by any regulator in a COPPA enforcement matter.
The Federal Trade Commission released an updated guidance document for complying with the Children’s Online Privacy Protection Act. The revised guidance, released on June 21, 2017, explicitly identifies connected toys and other Internet of Things devices as being covered under COPPA and adds clarity to web operators’ responsibility for the activities of third parties, such as ad networks and plug-ins, that collect personal information protected under COPPA. It also includes recently approved methods for obtaining verifiable parental consent.
The Federal Trade Commission (FTC) recently approved appropriately implemented “knowledge-based authentication” as a method for obtaining verifiable parental consent (VPC) under the Children’s Online Protection Act (COPPA). To be “appropriately implemented,” operators should assess whether any knowledge-based authentication technology:
•Generates “dynamic, multiple choice questions”;
•Asks “a reasonable number of questions with an adequate number of possible answers” to ensure that “the probability of correctly guessing the answer is low”; and
•Uses “questions of sufficient difficulty that a child age 12 or under in the parent’s household could not reasonably ascertain the answers.”
The FTC’s action provides online operators some welcome flexibility in implementing COPPA-compliant VPC strategies and demonstrates that the FTC will give serious consideration to VPC proposals.
Less than two weeks after providing additional guidance on the recent changes to the Children’s Online Privacy Protection Act (“COPPA”) Rule, in the form of updated Frequently Asked Questions, the Federal Trade Commission (“FTC”) voted unanimously to retain the July 1, 2013 effective date for the changes to the COPPA Rule.
On August 1, the Federal Trade Commission (“FTC”) issued a supplemental notice of proposed rulemaking which proposes several changes to its previously released proposed Children’s Online Privacy Protection Act (“COPPA”) rulemaking. COPPA and the FTC’s COPPA Rule regulate the collection of personal information online from children under the age of thirteen. On September 15, 2012, the FTC released proposed revisions to the COPPA Rule, which contemplated several major changes to the existing COPPA regime.
The FTC is holding a July forum entitled “Stolen Futures”, focusing on children’s identity theft, as described in more detail in this blog entry.