The Federal Trade Commission has released its long-anticipated proposed revisions to its rule implementing the Children’s Online Privacy Protection Act (“COPPA”). COPPA governs (1) operators of websites and online services that are directed to children under the age of 13 and (2) operators of general audience websites or online services that have actual knowledge that a user is under 13. This is the first major revision to COPPA since its enactment and is the result of an FTC COPPA Review and a public roundtable to discuss whether the rapid changes in technology, such as social media and mobile applications, necessitated revisions to COPPA. The result: the FTC has proposed significant changes to COPPA that will have major effects on how these services interact with the personal information of children. Comments on the proposed revisions are due by November 28, 2011.
Politico reported today that the House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing and Trade has scheduled a hearing on the COPPA revisions for October 5.
Applicability of COPPA to Evolving Technologies
The FTC used this proposed rule to clarify its position that COPPA applies to a host of current technologies that could be considered “online services.” This includes “mobile applications that allow children to play network-connected games, engage in social networking activities, purchase goods or services online, receive behaviorally targeted advertisements or interact with other content or services[;] . . . Internet-enabled gaming platforms, voice-over-Internet protocol services, and Internet-enabled location based services.” The FTC concedes that some SMS and MMS text messages would not constitute “online services” as they do not cross the public Internet; however, there is technology that allows users to send text messages utilizing “online services,” and these messages would be covered by COPPA.
Other key changes:
• “Child.” The FTC declined to extend COPPA to teens, retaining the “under 13” threshold. The FTC noted that COPPA’s requirements would be less effective for teenagers and that, as children get older, their First Amendment rights become stronger.
• “Actual Knowledge.” The FTC retained the “actual knowledge” standard for general audience websites, refusing to adopt a more stringent “constructive knowledge” approach.
• “Online Service.” The FTC clarified that an “online service” is any service that is available over the Internet, or that connects to the Internet or a Wide Area Network.
• “Collects” and Filtering Mechanisms. The FTC relaxed its deletion exception, so that it is clearer that the use of reasonable filtering technologies to delete or prevent the sharing of Personal Information is an acceptable compliance method.
• “Personal Information.”
o The FTC expanded the definition to include “screen or user names” and “persistent identifiers,” but only to the extent they are not used to support the internal operations of the website. The FTC emphasized that the use of such identifiers across multiple websites is covered by the rule. However, the FTC also noted that website operators may continue to use these identifiers for contextual advertising within the operator’s own website without triggering COPPA.
o The FTC expanded the definition to include photos, videos, and audio to the extent that the file contains the child’s image or voice.
o The FTC expanded the definition to include geolocation information.
o The FTC refused to expand the definition to include the combination of DOB, gender, and zip code.
• “Online Contact Information.” The FTC clarified that this term covers all identifiers that permit direct contacting online, including video chat IDs.
• “Directed to Kids.” The FTC added the following factors to its current multi-factor test for determining whether a website or online service is directed to children: musical content that is kids-oriented, the presence of kid celebrities, and using celebrities that appeal to kids.
Notice
• Website Privacy Notice.
o Multiple Operator Exception. The FTC deleted the multiple operator exception. The contact information for all operators who collect personal information through the site, including ad networks, must now be provided in the website privacy notice.
o The FTC streamlined what information must be included to encourage shorter website privacy notices.
• Direct Notice To the Parent. The FTC shifted course on its position that direct notices to parents could contain minimal information, as long as a link to the privacy policy was provided. Instead, the FTC stated that the following information must be included in the direct notice:
o What information has already been collected
o The purpose of the notice
o The actions the parent must take
o A description of how the information will be used
o A hyperlink to the website privacy notice
Parental Consent
• E-mail Plus. The FTC eliminated the “e-mail plus” parental consent method, arguing that it discouraged the development of more robust methods.
• New Recognized Methods:
o “Scan and Send” forms
o Video conferencing consent
o Collection of government-issued IDs, such as a driver’s license number or the last four digits of the parent’s SSN, which are then checked against an available database. Due to the sensitivity of government-issued IDs, the information should be deleted after the check is complete.
• Methods Still under Consideration:
o Parental controls in video game systems
o “Sign and Send” systems using electronic signatures
• Rejected Methods:
o SMS or text message consent
o Online payment systems in lieu of credit card information
• New Clearance Procedures for Obtaining Approval of New Parental Consent Methods:
o Companies may now submit detailed descriptions of proposed parental consent methods to the FTC for their approval. The proposals will be published in the Federal Register for public comment. If approved, the company will benefit from a parental consent “safe harbor.”
• Changes To the Parental Consent Exceptions:
o The FTC added a new exception that allows website operators who do not collect any personal information to collect the parent’s online contact information for the sole purpose of notifying the parent of the child’s online activities.
o The FTC clarified that only the parent’s e-mail address, and not the child’s e-mail address, may be collected in addition to the parent and/or the child’s name in order to contact the parent to obtain parental consent.
Confidentiality, Security, and Data Integrity
• The FTC proposes to require website operators to take “reasonable measures” to ensure that any service provider or third party to whom the child’s personal information is disclosed also has reasonable steps in place to protect the confidentiality, security, and integrity of the information.
• Data Retention Limits. The FTC added a new requirement that website operators only retain data for as long as reasonably necessary to fulfill the purpose for which it was collected.
Safe Harbor
• The FTC added three new components for entities that offer FTC-approved COPPA Safe Harbor programs:
o Applicants must submit information about their capability to run an effective Safe Harbor program.
o There will be more rigorous FTC enforcement.
o Approved Safe Harbor programs must submit periodic reports on the program.