COPPA Amendments Bring New Obligations in Seeking to Expand Protections
As 2012 came to a close, the Federal Trade Commission ("FTC") unveiled its final amendments to the rules for implementing and enforcing the Children's Online Privacy Protection Act ("COPPA"). When the amendments become effective on July 1, 2013, many online stakeholders will face additional operational obligations to remain compliant with the rules.
The amendments are the culmination of the FTC's process to review and propose amendments to the rules, which began in 2010. In August, we wrote about this rulemaking process and the potential impact that some of the FTC's proposed rules might have. Many of those proposed rules were adopted by the FTC without change. Others were clarified. And in some instances, the FTC jettisoned some of its proposals in the face of public comments. Below is a high-level summary of some of the highlights of the final amendments.
Expanded/Revised Definitions
The new rules revise the definition of "operator" so that an operator of a child-directed site or service will be strictly liable for personal information collected on its site, whether the collecting is done by the site owner itself or by a third party. Thus, if a site directed at children under 13 does not collect any personal information from users but incorporates, for example, a Facebook plug-in, the site operator will have to comply with COPPA's parental notice and consent requirements, since Facebook collects personal information.
Under the prior rules, an entity was deemed an "operator" only if it asserted some ownership, control or access to personal information collected on its site. Therefore, in the example above, the site owner would not have been deemed an "operator" under COPPA, since it did not collect or have access to the personal information on its site; Facebook did.
In amending the definition of "operator", the FTC sought to close this loophole. The FTC noted that child-directed properties integrate plug-ins to enhance the functionality and content on their sites and may receive compensation directly from the plug-in operators. The FTC also noted that the primary-content provider is in the best position to know that its site or service is directed to children, and is appropriately positioned to give notice and obtain consent.
In taking this strict liability approach, the FTC acknowledged the burden faced by small developers of child-directed apps which are now faced with additional compliance costs. It pointed out, however, that in enacting COPPA, Congress imposed absolute requirements on child-directed sites and services regarding restrictions on the collection of personal information; those restrictions could not be avoided by outsourcing the activities to other entities in the online ecosystem.
The amended rule also provides that third-party operators of online services (including, for example, ad networks, operators of software plug-ins, and social media services) will be covered "co-operators" under COPPA if they have actual knowledge that personal information is collected from users of a website that is directed to children. In that case, the third-party operator will be responsible for complying with the rule's notice and consent requirements. The FTC noted that the "actual knowledge" standard will be met when: (1) a child-directed content provider (who will be strictly liable for any collection) directly communicates the child-directed nature of its content to the other online service; or (2) a representative of the online service recognizes the child-directed nature of the content.
The definition of "website or online service directed to children" was revised to make clear that sites and services that target children only as a secondary audience or to a lesser degree may differentiate among users, and will be required to provide notice and obtain parental consent only for those users who identify themselves as being younger than 13.
The definition of "personal information" now includes geo-location information, as well as photos, videos, and audio files that contain a child's image or voice. The definition also covers persistent identifiers, including customer numbers held in cookies, IP addresses, processor or device serial numbers, and unique device identifiers. But the use and collection of such persistent identifiers trigger COPPA's notice and consent requirements only if they can be used to recognize a user over time and across different websites or online services. No notice and consent requirement will apply if the persistent identifier is used solely to support the internal operations of the site or service, such as contextual advertising, frequency capping, legal compliance, site analysis, and network communications. However, without parental consent, such information may never be used or disclosed to contact a specific individual (including through behavioral advertising), to amass a profile on a specific individual, or for any other purpose.
The definition of "collection" of personal information has been changed so that operators may allow children to participate in interactive communities without parental consent, so long as the operators take reasonable measures to delete all, or virtually all, of a child's personal information before it is made public.
Streamlined Parental Notice
The amended rules revise the requirements for parental notice to ensure that privacy policies, and the notice provided to parents prior to collecting children's personal information, are concise and timely.
The rules no longer require a lengthy recitation of an operator's information collection, use, and disclosure practices. Instead, an operator should provide a simple statement of (i) what information is collected from children, including whether the website or online service enables a child to make personal information publicly available, (ii) how the operator uses such information, and (iii) the operator's disclosure practices for such information.
The final amendments also provide for "just in time" notices, which are to be sent directly to parents. These notices must include the items of personal information the operator has already obtained from the child, the purpose of the notification, the action that the parent must or may take, and what use, if any, the operator will make of the personal information collected.
Methods for Obtaining Verifiable Parental Consent
In addition to the already approved methods, the new rules offer additional methods by which businesses can obtain parental consent for the collection of information. These include: electronic scans of signed parental consent forms, videoconferencing, use of government-issued ID, and use of electronic or online payment systems (with appropriate direct notice to the parent), including notification of each discrete monetary transaction to the primary account holder. While the FTC declined to add digital or electronic signatures to its list of approved parental consent mechanisms, it noted that the amended rule would not prohibit an operator's acceptance of a digitally signed consent form where the signature provides other indicia of reliability that the signer is an adult, such as an icon, certificate, or seal of authenticity that accompanies the certificate.
Despite having proposed the elimination of the "sliding-scale mechanism of parental consent," otherwise known as "email plus," the FTC retained it for operators that collect personal information only for internal use. Under this method, operators that collect children's personal information for internal use only may obtain verifiable parental consent with an e-mail from the parent, as long as the operator confirms consent by sending a delayed e-mail confirmation to the parent, or by calling or sending a letter to the parent.
Additionally, in an effort to ensure continued innovation in connection with consent methods, the rules also establish a voluntary 120-day notice and comment process for businesses in order to obtain FTC approval for other methods.
Strengthening of Confidentiality and Security Requirements
The amended rules require operators to take reasonable steps to ensure that service providers and third parties that receive children's personal information are capable of maintaining the confidentiality, security and integrity of such information.
In addition, the FTC will require that operators retain children's personal information only for as long as is reasonably necessary, and that when operators dispose of such information, they take reasonable measures to protect against unauthorized access.
Increased Monitoring of Safe Harbor Programs
In order to strengthen the oversight of its approved self-regulatory "safe harbor" programs, the FTC will require annual audits of program participants and reporting to the FTC of the aggregated results of those audits.
Implications
Since COPPA's enactment in 2000, the FTC has aggressively enforced its provisions, and numerous companies have paid multimillion-dollar penalties for non-compliance. The changes to the COPPA rules are significant and reflect the FTC's continued focus on consumer privacy, particularly with regard to children. In particular, the revised rules impose new compliance obligations on many entities that were previously unaffected by the rule. All companies that collect personal information from children will need to evaluate and, where appropriate, revise not only their policies, but also their overall practices to conform to the amended rules.
The DigitalHHR team routinely works with clients to help them devise strategies and best practices to tailor their operations to ensure compliance with COPPA. We are available to answer any questions you may have.