Final amendments to the Children's Online Privacy Protection Rule, released Dec. 19 by the Federal Trade Commission, add geolocation information, photos, videos, and persistent identifiers, such as internet protocol addresses, to the definition of “personal information,” among other changes.
The amendments will strengthen children's privacy online and keep the rule in tune with changing technology, the commission said in a statement announcing the rule.
The FTC's rule, which implements the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506, should give parents “greater control over the personal information that websites and online services may collect from children under 13,” the commission said.
At a Dec. 19 press conference hosted by Sen. John D. Rockefeller IV (D-W.Va.), FTC Chairman Jon Leibowitz explained that a regulatory overhaul was needed because the internet has changed dramatically since Congress passed COPPA more than a decade ago.
“Since then, we've seen the rise of smartphones, tablets, social networks, and more than a million apps,” Leibowitz observed. “And while all of these advances have enriched our lives, enhanced educational opportunities, and grown our economy, they also exacerbate the privacy risks to children.”
Leibowitz noted that the FTC recently released a report that found many mobile apps geared toward children collect personal information without making any disclosures to children or parents (11 PVLR 1790, 12/17/12).
Rockefeller, who chairs the Senate Commerce, Science, and Transportation Committee, and other legislators commended the FTC for going as far as it could under existing law to protect children's privacy. “The new COPPA rule captures the new online reality,” Rockefeller said. Children's privacy is a top priority, he added, and Congress has more work to do in this area.
The FTC chairman has “made it clear that this is the death knell of OBA [online behavioral advertising] directed to children,” John P. Feldman, a partner in the Washington office of Reed Smith LLP, told BNA Dec. 19.
There have been several significant COPPA enforcement actions over the last year and a half.
In May, 2011, the FTC levied a $3 million COPPA Rule civil penalty, its largest financial penalty to date under the rule (10 PVLR 737, 5/16/11). Then in August 2011, the FTC reached its first settlement of an enforcement action involving mobile applications and alleged COPPA Rule violations (10 PVLR 1177, 8/22/11). The commission followed up with COPPA Rule settlements involving an alleged failure of a website to delete children's information (11 PVLR 611, 4/2/12), and a group of recording artist websites that it asserted knowingly registered children without parental consent (11 PVLR 1491, 10/8/12).
In addition, a Los Angeles mobile apps development firm recently settled COPPA Rule enforcement actions brought by the New Jersey AG (11 PVLR 1076, 7/2/12).
The FTC chairman has “made it clear that [the amended COPPA Rule] is the death knell of OBA [online behavioral advertising] directed to children”
John P. Feldman, Partner, Reed Smith LLP, Washington
According to the FTC, the amendments to the final rule will take effect July 1, 2013.
The FTC first sought comments on proposed amendments to the COPPA Rule in September 2011 (10 PVLR 1327, 9/19/11) and asked for input on additional proposed modifications in August (11 PVLR 1225, 8/6/12).
Under the COPPA Rule, operators of websites or online services with users under age 13 must give parents notice and get their verifiable consent before collecting, using, or disclosing personal information from children. This applies to websites or online services either directed to the under 13 age group or in situations where the websites or online services have actual knowledge that they are collecting personal information from children under 13. The rule requires these operators to keep the information collected from children secure. It also prohibits the websites or online services from requiring children to provide additional personal information to participate in activities beyond the information that is reasonably necessary for them to participate.
The Federal Trade Commission's Proposed Amendments to the Children's Online Privacy Protection Rule and General Audience Websites--Melissa J. Krasnow, Dorsey & Whitney LLP, Minneapolis
Françoise Gilbert of the IT Law Group, in Palo Alto, Calif., told BNA Dec. 19 that the amended rule “brings child protection online to the 21st century.” She said the fundamentals of the rule remain the same, but noted that “the updated Rule contains references to modern technologies such as geolocation, plug-ins and mobile apps, and modern methods of financing websites, such as behavioral targeting. It also takes into account more than ten years of practice and attempts to address some of the shortcomings and complexities of the prior rule.”
The FTC said its final amendments to the COPPA Rule reflect an intention to:
In addition, the FTC said the amended rule would now “cover persistent identifiers that can recognize users over time and across different websites or online services–such as IP addresses and mobile device IDs.”
But the revised COPPA Rule will “cripple kids’ sites” and “invites court challenge,” technology policy think tank TechFreedom asserted in a Dec. 19 statement. TechFreedom President Berin Szoka said in the statement that “by deeming persistent identifiers as personal information per se, the FTC’s new rule runs contrary to established U.S. privacy law: federal courts have unanimously decided that IP addresses do not allow the contacting of a specific individual.”
The FTC also noted that the amendments “close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent.”
Social media giants Facebook Inc. and Twitter Inc. both opposed the expansion of the COPPA Rule to web plug-ins, arguing that they cannot reasonably be expected to know if the millions of websites using their plug-ins are directed at children because they do not control which sites incorporate their plug-ins (11 PVLR 1492, 10/8/12).
The FTC explained that the final rule includes several modified definitions:
The agency also modified provisions regarding parental notice and consent mechanisms.
The amendments to the final rule revise the parental notice sections in an effort to ensure that operators’ privacy policies and their direct notices–required before collecting children’s personal information–are concise and timely.
The amendments offer a few new methods for operators to obtain verifiable parental consent, including:
Under the so-called “sliding-scale mechanism of parental consent,” also known “email plus,” the FTC explained, “operators that collect children’s personal information for internal use only may obtain verifiable parental consent with an e-mail from the parent, as long as the operator confirms consent by sending a delayed e-mail confirmation to the parent, or calling or sending a letter to the parent.”
Based on comments about “email plus,” the agency acknowledged that it continues to be “a valued and cost-effective consent mechanism for certain operators.” As a result, the final rule accepts this method of consent as acceptable when operators collect personal information only for internal use.
In an effort to identify and encourage the development of new consent methods, the FTC established a voluntary 120-day notice and comment process for parties seeking approval of a specific method of consent. Operators participating in a commission-approved safe-harbor program may use any consent method approved by the program.
Industry groups or others providing FTC-approved safe harbor programs must conduct annual audits of their members and report the aggregated results to the commission. This requirement will strengthen the FTC’s oversight of these programs.
Rep. Edward Markey (D-Mass.), a senior member of the House Energy and Commerce Committee, used the Rockefeller press briefing to draw attention to the Do Not Track Kids Act (H.R. 1895) to update and expand COPPA, which he introduced with Rep. Joe Barton (R-Tex.) in 2011 (10 PVLR 772, 5/23/11). Markey said H.R. 1895 would establish a new “digital marketing bill of rights for teens” that would include mobile privacy protections.
H.R. 1895 has not moved since it was introduced. No committee hearings have been held on H.R. 1895 and none are currently scheduled, making any action on the measure before the 112th Congress adjourns unlikely.
Feldman told BNA that the final updated rule means “the death of UGC [user-generated content] contest[s] for kids,” and said that “costs will mount for kids['] sites because of the imposition of strict liability.” The “return to the ‘actual knowledge’ standard is welcome and a relief,” he added.
He cautioned that “there are still questions related to the FTC’s approach in determining ‘knowledge.’ ”
Feldman told BNA that companies should be focusing their attention on the final rule’s internal operations exceptions for persistent identifiers. He recommended that companies have “a checklist of which internal operations you are furthering” and noted that the FTC will likely construe those exceptions narrowly.
Commissioner Maureen Ohlhausen voted against adoption of the COPPA Rule final amendments and issued a dissenting statement indicating her belief that “a core provision of the amendments exceeds the scope of the authority granted us by Congress in COPPA, the statute that underlies and authorizes the Rule.”
The final amended rule will be published in an upcoming issue of the Federal Register.
By Cecelia M. Assam, Alexei Alexis, and Katie W. Johnson
The 167-page final rule is available at http://www.ftc.gov/os/2012/12/121219copparulefrn.pdf.
Commissioner Ohlhausen’s dissenting statement is available at http://www.ftc.gov/os/2012/12/121219copparulestatement.pdf.
Chairman Leibowitz’s statement is available at http://www.ftc.gov/speeches/leibowitz/121219coppastmt.pdf.
H.R. 1895, as introduced, is available at http://www.gpo.gov/fdsys/pkg/BILLS-112hr1895ih/pdf/BILLS-112hr1895ih.pdf.
To view additional stories from Bloomberg Law® request a demo now