FTC Aims to Catch Up to Ongoing Tech Advances–Proposes Additional Changes to COPPA


HHR Advisories & Publications

In 2000, long before the launch of Twitter and Facebook, and the explosion of smartphones, tablets and other Internet-connected devices, the Children's Online Privacy Protection Act, or COPPA, was enacted to provide parents of children under the age of 13 with more visibility into, and control over, online publishers' information collection and processing practices. COPPA requires, among other things, that certain web site operators and other online service providers obtain parental consent prior to collecting personal information from children under the age of 13 on or through their respective web sites/online services.

However, in 2011, it became abundantly clear to the Federal Trade Commission ("FTC"), the federal agency charged with enforcing COPPA, that the law failed to adequately address emerging technological innovation and methodologies routinely employed by web site operators and online service providers to collect and process end user information, including the integration of social networking and other forms of "plug-ins" and tools into their respective web sites, apps and online services. Aiming to catch up with such technological advances, in September 2011, the FTC proposed long-awaited changes to the rules for implementing and enforcing COPPA, which included, among other things, a more streamlined parental notice process and a proposal for new parental consent mechanisms. These revisions were met with substantial criticisms and public comment. In response, the FTC announced last week that, rather than publishing its final revisions to the rules, it was once again seeking public comment on additional proposed changes.

What additional changes are the FTC proposing to the current Rule?

In order to clarify the scope of the Rule, the FTC proposes to modify certain key definitions, as follows:

Under its current iteration, web site operators and online service providers that integrate social networking, plug-ins or ad networks, which allow third parties to collect personal information from their respective end users (e.g., tracking mechanisms used by third party advertising networks, etc.), are not responsible for complying with COPPA mandates. Instead, the compliance responsibility lies solely with the applicable third party collecting such information. The child-directed web site/online service does not own and/or have control of the information being collected by the applicable third-party, and therefore, the FTC stated in the 1999 Statement of Basis and Purpose to the COPPA Rule that "where the Web site or online service merely acts as the conduit through which the personal information collected flows to another person or to another's Web site or online service, and the Web site or online service does not have access to the information, then it is not an operator under the proposed Rule."  However, in light of the fact that each web site operator or online service provider unilaterally elects to integrate such third party plug-ins, tools and/or services and receives a direct benefit from the use thereof, the FTC is now proposing that such web site operator or online service provider, as applicable, must also be responsible for complying with the requirements of COPPA regarding the collection of personal information from children under the age of 13 via the use of such third party plug-ins, tools and/or services. Therefore, the amended Rule would revise the current definition of "operator," to add that personal information is "collected or maintained on behalf of an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator." In addition, in order to further accentuate the concept of equal responsibility between the child-directed web site operator or online service provider and the applicable third party collecting the personal information (i.e., plug-in, advertising network, etc.), the current definition of "web site or online service directed to children," would be further modified accordingly to include that any such third party who "knows or has reason to know that it is collecting personal informationthrough any Web site or online service covered"  under COPPA, must also comply with all applicable requirements.

  • Additionally, the current version of COPPA requires web sites and services that publish content that are directed at both children and adults, to treat all end users as if they were under the age of 13. In contrast, the FTC's newest proposal would revise the definition of "web site or online service directed to children," in effect modifying such requirement. For those web sites or online services that are "likely to attract an audience that includes a disproportionately large percentage of children under age 13 as compared to the percentage of such children in the general population," the FTC now provides that end users may be age-screened. As a result, such web sites or online services would only be responsible for compliance with COPPA requirements with respect to those end users who represent themselves as under the age of 13. However, the FTC further reiterates that those web sites or online services that continue to "knowingly target, or have content likely to draw, children under 13 as their primary audience" must continue to treat all end users as if they were under the age of 13.
  • Lastly, additional changes in the Rule address the current definition of "personal information" under COPPA, the scope of which would be expanded to include (i) screen or user names to the extent that such screen or user name "rises to the level of online contact information" and (ii) persistent identifiers (e.g., Internet Protocol address, unique device identifiers, etc.) used "to recognize a user over time, or across different Web sites or online services, where such persistent identifier is used for functions other than or in addition to support for the internal operations of the Web site or online service." Similarly, the definition of "support for internal operations" would be modified to expressly identify certain activities that would not be considered a collection of personal information, provided that such information is not "used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising, or for any other purpose."

What is the potential impact of the proposed Rule changes?

Generally, the FTC's proposal reflects the continued heated debate and spotlight surrounding the protection of individuals' privacy, particularly children, in a rapidly evolving digital world. If adopted, the FTC's proposed changes would impose more restrictive requirements on companies that interact and/or target children through online, digital and mobile platforms. For example, companies that once had the ability to consider their properties passive conduits under COPPA, would now assume the risk and be held responsible for obtaining all necessary consents to enable the collection of personal information of children under the age of 13 on or through their web sites or online services by third parties. Moving forward, it will be imperative for all entities to assess the potential legal and operational implications that may arise from such changes. Public comments on the FTC's proposed changes will be accepted until September 10, 2012. In the coming months, the DigitalHHR team will continue to monitor the ongoing developments of this evolving discussion and will be available to answer any questions that you might have.