Since the Federal Trade Commission (“FTC”) first issued its Children’s Online Privacy Protection Rule (“COPPA Rule”) in 2000, there have been significant changes in technology. Prompted by these changes, the FTC has proposed revisions that could result in the first amendments to the COPPA Rule in its 11-year history.
COPPA requires operators of websites or online services directed to children under 13, or those who have actual knowledge that they are collecting personal information from children under 13 (collectively, “Operators”), to obtain verifiable parental consent before collecting, using, or disclosing such information.
We have summarized below the FTC’s key proposed changes to the existing COPPA Rule (the “Proposed Rule”). The FTC will accept comments on its Notice of Proposed Rulemaking (“NPRM”) through November 28, 2011.
Personal information: the FTC proposes to significantly expand this definition. Under the current COPPA Rule, screen names are only “personal information” when coupled with an individual’s email address, but the Proposed Rule would deem screen names to be “personal information” even when not linked to additional information (unless the screen name is used for the technical functioning of a website or online service). The Proposed Rule also would expand the definition of “persistent identifier” to broadly mean IP addresses, cookies, instant messenger names, video chat names and other identifiers, unless used solely for internal site administration, and would include any “identifier that links the activities of a child across different websites or online services.” Video and audio files as well as geolocation data also would be specifically brought within the definition of “personal information,” and the FTC has sought comment on whether a combination of items (e.g., gender, birthdate and zip code) could together be considered “personal information” within the meaning of the Proposed Rule.
Collects or Collection: this definition would be broadened to add prompting or encouraging (not just requesting) a child to provide personal information. The FTC also suggests modifications to this definition to enable children to participate in interactive communities more easily, without parental consent, as long as reasonable technologies are used to prevent public postings of their personal information.
Online contact information: the FTC proposes broadening the term “online contact information” to encompass all identifiers that permit direct contact with a person online. The revised definition would add commonly used forms of online identifiers, including instant messaging user identifiers, voice over internet protocol (VOIP) identifiers, and video chat user identifiers. The FTC makes clear, however, that the list of identifiers is not intended to be exhaustive.
Website or online service “directed to children”: the new rule would add criteria for evaluating whether websites and online services are subject to COPPA. As factors for determining whether websites and online services are “directed to children,” the term “audio content” would now explicitly include musical content, and the presence of child celebrities and celebrities who appeal to children will now be considered.
The Proposed Rule suggests that key information about an Operator’s information practices would have to be presented to parents “just-in-time.” It also proposes changes regarding the placement and content of the notice that an Operator must provide on its website and specifies the precise information that an Operator must provide to parents. Finally, it sets out requirements for providing direct notice to a parent about a child’s participation in a website that does not otherwise collect, use or disclose children’s personal information.
Parental Consent Mechanisms
The FTC proposes to add new methods for obtaining verifiable parental consent, including electronic scans of parental consent forms, video-conferencing, and use of government issued identification checked against a database, as long as the ID is subject to deletion. Additionally, the proposed revisions will eliminate the less reliable “e-mail plus” method of consent, which currently can be used to obtain consent only when a child’s personal information will be used internally. Furthermore, the FTC’s new rules would allow an Operator to submit descriptions of its proposed consent mechanisms for FTC pre-approval.
Confidentiality and Security Requirements
The FTC proposes to: 1) add a requirement that an Operator only disclose a child’s personal information to service providers or third parties who have reasonable procedures in place to protect the information, 2) allow an Operator to retain the information for only as long as reasonably necessary, and 3) ensure that an Operator properly deletes the information.
The potential revisions include strengthening the requirements for self-regulatory programs to qualify for the COPPA “Safe Harbor,” so that applicants who seek approval of their self-regulatory guidelines would have to submit comprehensive information. The FTC would establish “more rigorous baseline oversight” and would add reporting requirements for entities that follow self-regulatory programs.
This is the second time in recent history that the FTC has expanded its COPPA reach due to new technology. In August 2011, the Commission settled its first case involving mobile applications (“Apps”), specifically children’s games for the iPhone and iPod touch, over child privacy concerns. The Commission charged W3 Innovations, LLC, doing business as Broken Thumbs Apps, and owner Justin Maples with violating COPPA and the COPPA Rule by illegally collecting and disclosing personal information regarding tens of thousands of children under age 13 without their parents’ prior consent.
According to the Commission, several of the “Emily Apps,” including Emily’s Girl World, Emily’s Dress Up, Emily’s Dress Up & Shop, and Emily’s Runway High Fashion, were aimed at children and caused children to share information online. The interactive Emily Apps encouraged children to email “Emily” their comments, and send shout-outs, share embarrassing stories, or post inspirational quotes to “Emily’s blog” through emailing “Emily.” Through the Apps, the defendants collected and maintained 30,000 user email addresses, including those of children, and collected, maintained and/or disclosed personal information from hundreds of App users. There were more than 50,000 downloads of these Apps.
The Commission charged Broken Thumbs Apps with violating the COPPA Rule both by not obtaining verifiable parental consent before collecting, using or disclosing children’s personal information online and by not providing notice of its information collection practices on its Apps. To settle the case, the defendants agreed to pay $50,000 and to delete all personal information collected in violation of the Rule. Greenberg Traurig will continue to monitor the proposed COPPA amendments and FTC rulings.