FTC’s Amended COPPA Rule Seeks to Keep Up with the Internet Revolution

The FTC announced that it had finalized amendments to the Children’s Online Privacy Protection Act (COPPA) Rule, which the FTC originally enacted in 2000.  The original Rule was created with the goal of protecting the online privacy of Children younger than the age of 13 (“Children”) by requiring that websites: 1) obtain parental consent before collecting Children’s personal information; 2) keep Children’s personal information secure; and 3) not condition continued use of a website upon Children entering more personal information than is necessary to reasonably access the website’s services, in addition to other restrictions and requirements.  Acknowledging that the pace of change of technology on websites and other Internet-related services, particularly mobile applications, has been far greater than the original Rule anticipated, the FTC has sought to update the Rule.  The Commission first proposed a series of amendments in 2010, and accepted public comments on the proposed amendments in both 2011 and 2012.  Considering these comments, the FTC adopted several amendments that are sure to have a wide and far-ranging impact on those Internet services that directly target Children or knowingly collect personal information from Children. The amendments can be broadly categorized as:

1) changes and clarifications to key definitions within the original Rule;

2) additions to the acceptable methods of obtaining parental consent, where required by the Rule; and

3) updated requirements and mechanisms regarding contracting with third parties, and self-regulatory measures.

The most controversial amendments, however, are centered on the significant expansion of 1) the Rule’s definitions and 2) compliance obligations beyond websites that directly target or collect personal information from Children, to “co-operators,” which are third party service providers, some of which collect information from users of such websites.

The FTC expanded on the definitions of both “personal information” and “operator” in ways that are likely to have significant impacts on the way site developers and third party ad networks collect information on sites directed towards Children.  In the original Rule, “personal information” included a child’s name, physical address, and certain online contact information (e.g., an email address), which would, together, permit a party to contact a Child, whether in person, by telephone or online.  Acknowledging that there are now several ways that sites track users over time and across websites, the FTC amended the definition of “personal information” to now require parental consent when collecting those “persistent identifiers” that are not only connected to a child’s personally identifiable information, but also to the device from which the child may access the website or mobile application, including unique device identifiers, IP addresses, and any plug-in or cookie that can be tracked across websites.  The FTC specifically rejected the argument “that persistent identifiers only permit the contacting of a device,” and implicitly acknowledged that the ubiquity of mobile devices has made the tracking of such devices tantamount to the tracking of the devices’ users.

This change is particularly important in light of the broadened definition of the term “operator.”  The original Rule defined an “operator” as a first party website that directly targets Children or knowingly collects personal information from Children.  The FTC has amended the definition to now include certain service providers, including third party ad networks, which operate on such websites and knowingly collect information from users of those websites.

The FTC adopts a “totality of the circumstances” standard when determining whether a website is “directed toward children.”  This means that the FTC will not consider the subjective intent of the operator when making this determination, but instead will look at multiple factors and make a case-by-case determination of applicability of the COPPA Rule to service providers.  According to the FTC, Congress was clear that any COPPA Rule should cover “a website or online service that has the attributes, look, and feel of a property targeted to Children under 13 [and such websites or online service providers] will be deemed to be a site or service directed to Children, even if the operator were to claim that was not its intent.”

In order to alleviate some pressure on sites and service providers who may secondarily attract Children in addition to their primary users who are over the age of 13, the FTC permits operators to include “age screening” mechanisms on such websites.  These mechanisms may include, for example, confirming the user’s date of birth, prior to collecting any information through plug-ins or cookies.  This age verification mechanism is only available to those sites that consider Children as a secondary audience, as opposed to a primary audience.  The FTC uses the example of a website that prominently features child star actors as one for which Children would be considered a primary audience, and therefore the age screening mechanism would not be available to such a website.

Therefore, for example, where an ad network has actual knowledge that it is collecting information from users of websites that directly target Children as a primary audience, that ad network would be required to obtain parental consent prior to serving behavioral advertisements to the users of such websites.  As discussed below, the same restrictions do not apply to contextual advertisements served by websites. Because ad networks routinely place cookies and other such mechanisms on user devices for the purposes of collecting information for targeted advertising, ad networks are now potentially liable under COPPA for engaging in behavioral advertising on websites without obtaining parental consent.  These ad networks are under the same strict liability standard to which first party websites are subject.  Importantly, operators, including app developers, are also directly liable for the actions of any third party service providers that collect information from Children on their sites.

Some commentators have argued that making third party ad networks strictly liable for the collection of Children’s personal information -- as if they were a first party website collecting the information directly from Children -- will have a chilling effect on the use of such ad networks by websites that target Children.  While the FTC acknowledges this concern, the Commission also notes that the COPPA Rule has now been amended for the first time to distinguish between “contextual” and “behavioral” advertising.  According to the FTC, if cookies or other such mechanisms are placed on a user’s device solely “to support an operator’s internal operations,” then parental consent is not required.  “Internal operations” include “contextual advertising,” which is defined as “the delivery of advertisements based upon a consumer’s current visit to a web page or a single search query, without the collection and retention of data about the consumer’s online activities over time.”  The FTC acknowledges that online advertising may become much more difficult to serve to Children under the amended Rule; however, the agency also acknowledges that the task of protecting Children’s online privacy is paramount to such concerns from third party ad networks.

The “support for internal operations” exception to obtaining parental consent for the collection of Children’s personal information also applies to the following services deemed “necessary” for the operation of a website, in addition to contextual advertising, such as to: “(a) maintain or analyze the functioning of the Web site or online service; (b) perform network communications; (c) authenticate users of, or personalize the content on, the Web site or online service [including such services as providing a “high score leader board”]; … [and] (e) protect the security or integrity of the user, Web site, or online service.”  Importantly, websites still may never use Children’s personal information collected to support internal operations for the purposes of directly contacting a Child, without prior parental consent.

Certainly this issue will be one to watch moving forward, particularly as websites and mobile apps continue to evolve and market themselves directly to Children, either through app stores, online marketing or other types of advertising.  We will be sure to keep you updated as the situation develops and the FTC clarifies how it will enforce violations of these new aspects of the Rule.

Some other key aspects of the amended Rule are:

  • Revising the definition of “personal information” to include geolocation data, which is defined as any location data that can identify the street name and city/town where the Child is located; and photos, videos and audio files uploaded and posted by Children on websites that offer Children the ability to conduct such activity, as the FTC considers those files in themselves to permit the online or physical contacting of the Child;
  • Strengthening data security requirements and protections for service providers that receive Children’s personal information, including requiring that service providers acknowledge that they are capable of maintaining the confidentiality, security and integrity of the personal information;
  • Expanding the ways in which websites may obtain parental consent prior to collecting Children’s personal information, including through the use of video chat and credit cards and by allowing websites to submit their own mechanisms for public comment, 120 days after which the FTC may approve the mechanism on a case-by-case basis;
  • Keeping the “email plus” mechanism for parental consent, where websites may obtain parental consent for the collection of Children’s personal information, where such information will be used for internal use only, by emailing the parent coupled with an additional step, such as obtaining the physical mailing address of the parent, sending a delayed confirmatory email, or obtaining and verifying the parent’s telephone number;
  • Adopting a “reasonable measures” standard for data deletion and retention, as opposed to the “100% deletion” standard as required by the original COPPA Rule; and
  • Specifically exempting application stores, such as the Apple App Store and Google Play, from the requirements of the amended COPPA Rule, as those services “merely offer the public access to someone else’s child-directed content.”

In some instances, these amendments will have a significant impact on websites, mobile applications, and third party services that collect and use information from Children.  Any organization that may be impacted by these amendments should conduct a careful assessment of any changes that may be required to its business practices.