On February 27, 2019, the Federal Trade Commission (“FTC”) announced that it settled with the operators of a video social networking app for a record civil penalty of $5.7 million under the Children’s Online Privacy Protection Act (“COPPA”). This FTC COPPA action was notable not just for the size of the penalty, but also because of the joint statement by the two Democratic Commissioners, Rebecca Slaughter and Rohit Chopra, that future FTC enforcement should seek to hold corporate officers and directors accountable for violations of consumer protection law.
On December 4, 2018, the New York Attorney General (NYAG) announced that Oath Inc., which was known until June 2017 as AOL Inc. (AOL), has agreed to pay a $4.95 million civil penalty to settle allegations that AOL’s ad exchange practices violated the Children’s Online Privacy Protection Act (COPPA). The $4.95 million penalty is the largest ever assessed by any regulator in a COPPA enforcement matter.
Join us this month as we will discuss how to protect student educational data as well as considerations to weigh in deciding whether to pay the ransom for a cyber attack or not.
The Federal Trade Commission released an updated guidance document for complying with the Children’s Online Privacy Protection Act. The revised guidance, released on June 21, 2017, explicitly identifies connected toys and other Internet of Things devices as being covered under COPPA and adds clarity to web operators’ responsibility for the activities of third parties, such as ad networks and plug-ins, that collect personal information protected under COPPA. It also includes recently approved methods for obtaining verifiable parental consent.
On February 26, the U.S. Department of Education issued guidance aimed at assisting schools and school districts when considering whether the use of online educational services and mobile applications complies with student privacy laws. The guidance consisted of two main components. First, the Department published a document entitled Protecting Student Privacy While Using Online Educational Services: Model Terms of Service, which evaluates common privacy-related provisions in online Terms of Service and analyzes how they comply with student privacy requirements. Second, the Department produced a user-friendly, 10-minute training video directed to K-12 administrators, teachers, and staff about schools’ privacy obligations when using online educational services and applications. Finally, the guidance encourages school administrators to check the Student Privacy Pledge when considering whether to use online educational services in the classroom.
In 2014, the Internet of Things and big data were two of the hottest buzz words among privacy professionals. This year, “robotics” may be one of our oft-spoken words. In this post, we look at two of the challenges that robotics brings. One challenge facing privacy professionals is how to address potential privacy issues as autonomous robots powered by big data and network connectivity are brought into our personal spaces. Another, often equally challenging issue, is how to implement robotics in a legal and regulatory landscape that was designed, in many cases, for the relatively slow-paced technologies of the Internet where the chirps of dial-up modems broadcast our connections.
The FTC denied AgeCheq’s application for approval of a proposed verifiable parental consent (VPC) method under COPPA. Under COPPA, operators of online services that are directed to children are required, except for limited situations, to obtain VPC prior to collecting personal information from children. Specifically, COPPA requires operators to obtain verifiable parental consent, taking into consideration available technology and any method must be reasonable calculated in light of available technology, to ensure that the person providing consent is the child’s parent. COPPA further provides a non-exhaustive list of acceptable methods that include (i) obtaining a form signed by a parent; (ii) receiving a credit/debit card or certain other online payment mechanisms if associated with a monetary transaction; (iii) a parent calling a toll-free number; (iv) parental consent by videoconference; (v) verifying parental identity against a form of government-issued identification; and (vi) traditional “email plus” where children’s personal information will be used for internal purposes only.
The Federal Trade Commission (FTC) recently approved appropriately implemented “knowledge-based authentication” as a method for obtaining verifiable parental consent (VPC) under the Children’s Online Protection Act (COPPA). To be “appropriately implemented,” operators should assess whether any knowledge-based authentication technology:
•Generates “dynamic, multiple choice questions”;
•Asks “a reasonable number of questions with an adequate number of possible answers” to ensure that “the probability of correctly guessing the answer is low”; and
•Uses “questions of sufficient difficulty that a child age 12 or under in the parent’s household could not reasonably ascertain the answers.”
The FTC’s action provides online operators some welcome flexibility in implementing COPPA-compliant VPC strategies and demonstrates that the FTC will give serious consideration to VPC proposals.
Less than two weeks after providing additional guidance on the recent changes to the Children’s Online Privacy Protection Act (“COPPA”) Rule, in the form of updated Frequently Asked Questions, the Federal Trade Commission (“FTC”) voted unanimously to retain the July 1, 2013 effective date for the changes to the COPPA Rule.
Yesterday saw dozens of instant summaries of the Federal Trade Commission’s long- awaited revision to the Children’s Online Privacy Protection Act (COPPA) Rule, which becomes effective on July 1, 2013. We took a night “to sleep on it,” in order provide not just a summary, but some focused comments about the impact of yesterday’s rule […]
Eric Bukstein, who is in the Privacy and Information Management Practice at Hogan Lovells recenly gave a video interview to Colin O’Keefe of LXBN (Lexblog Network) TV to discuss the FTC’s supplemental proposed changes to the COPPA Rule. The video can be viewed in this blog entry.
On August 1, the Federal Trade Commission (“FTC”) issued a supplemental notice of proposed rulemaking which proposes several changes to its previously released proposed Children’s Online Privacy Protection Act (“COPPA”) rulemaking. COPPA and the FTC’s COPPA Rule regulate the collection of personal information online from children under the age of thirteen. On September 15, 2012, the FTC released proposed revisions to the COPPA Rule, which contemplated several major changes to the existing COPPA regime.
The FTC yesterday issued a staff report calling upon members of the mobile app ecosystem to provide better privacy notices to parents about mobile apps directed to children. The report is described in this blog entry.
The FTC today extended the deadline for public comments to its proposed revisions to the Children’s Online Privacy Protection Rule, which regulates the collection of personal information from children under 13, from November 28 to December 23.
The Federal Trade Commission yesterday announced settlements with two online companies for deceptively collecting personal information from consumers, including its first enforcement action against the use of “Flash cookies” and an enforcement action against a social network that collected children’s information without parental consent. As a result, businesses whose websites (or vendors) utilize Flash cookies, HTML5, or ETags to track user browsing should reexamine their privacy disclosures.
The FTC has released proposed revisions to the Children’s Online Privacy Protection Act (“COPPA”) Regulation. These proposed regulatory changes may create significant compliance challenges for companies that maintain websites or other online services directed at children under the age of thirteen.
Data stored in the cloud will be subject to numerous data security laws, explains Hogan Lovells partner Phil Porter in a recent article. Specific types of data will trigger different security regulations, ranging from HIPAA rules for health data, to Gramm-Leach-Bliley Act rules for financial service data, to COPPA for data about children. Data hosted in the cloud in the U.S. might also subject the data to U.S. national security rules, including USA Patriot Act. Cloud service providers and customers need to tailor their contractual provisions to match these regulatory imperatives.
The FTC is holding a July forum entitled “Stolen Futures”, focusing on children’s identity theft, as described in more detail in this blog entry.
On October 20, 2009, the FTC announced a settlement with Iconix Brand Group, Inc., pursuant to which Iconix will pay a $250,000 penalty to settle the FTC’s charges that it violated the Children’s Online Privacy Protection Act (COPPA) and the COPPA Rule by knowingly collecting, using, and disclosing personal information from children online without first […]