COPPA Rule Changes Should Give Parents More Control Over Children's Data, FTC Says

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Cecelia M. AssamAlexei Alexis , and Katie W. Johnson  

Final amendments to the Children's Online Privacy Protection Rule, released Dec. 19 by the Federal Trade Commission, add geolocation information, photos, videos, and persistent identifiers, such as internet protocol addresses, to the definition of “personal information,” among other changes.

The amendments will strengthen children's privacy online and keep the rule in tune with changing technology, the commission said in a statement announcing the rule.

The FTC's rule, which implements the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506, should give parents “greater control over the personal information that websites and online services may collect from children under 13,” the commission said.

At a Dec. 19 press conference hosted by Sen. John D. Rockefeller IV (D-W.Va.), FTC Chairman Jon Leibowitz explained that a regulatory overhaul was needed because the internet has changed dramatically since Congress passed COPPA more than a decade ago.

“Since then, we've seen the rise of smartphones, tablets, social networks, and more than a million apps,” Leibowitz observed. “And while all of these advances have enriched our lives, enhanced educational opportunities, and grown our economy, they also exacerbate the privacy risks to children.”

Leibowitz noted that the FTC recently released a report that found many mobile apps geared toward children collect personal information without making any disclosures to children or parents (11 PVLR 1790, 12/17/12).

Rockefeller, who chairs the Senate Commerce, Science, and Transportation Committee, and other legislators commended the FTC for going as far as it could under existing law to protect children's privacy. “The new COPPA rule captures the new online reality,” Rockefeller said. Children's privacy is a top priority, he added, and Congress has more work to do in this area.

The FTC chairman has “made it clear that this is the death knell of OBA [online behavioral advertising] directed to children,” John P. Feldman, a partner in the Washington office of Reed Smith LLP, told BNA Dec. 19.

Enforcement Already on Rise.

“The FTC and state attorneys general vigorously enforce the [COPPA] Rule,” Melissa J. Krasnow, a partner at Dorsey & Whitney LLP, in Minneapolis, cautioned in a Dec. 19 statement to BNA. “Website and mobile application privacy policies as well as practices should be reviewed in light of these amendments.”

There have been several significant COPPA enforcement actions over the last year and a half.

In May, 2011, the FTC levied a $3 million COPPA Rule civil penalty, its largest financial penalty to date under the rule (10 PVLR 737, 5/16/11). Then in August 2011, the FTC reached its first settlement of an enforcement action involving mobile applications and alleged COPPA Rule violations (10 PVLR 1177, 8/22/11). The commission followed up with COPPA Rule settlements involving an alleged failure of a website to delete children's information (11 PVLR 611, 4/2/12), and a group of recording artist websites that it asserted knowingly registered children without parental consent (11 PVLR 1491, 10/8/12).

In addition, a Los Angeles mobile apps development firm recently settled COPPA Rule enforcement actions brought by the New Jersey AG (11 PVLR 1076, 7/2/12).

The FTC chairman has “made it clear that [the amended COPPA Rule] is the death knell of OBA [online behavioral advertising] directed to children.”  

John P. Feldman, Partner, Reed Smith LLP, Washington

According to the FTC, the amendments to the final rule will take effect July 1, 2013.

Mobile, Social Media Use Uptick Prompted Review.

The commission began reviewing the COPPA Rule in 2010 to ensure that it keeps pace with the ever-changing technology and the different ways children use and access the internet. The agency identified an uptick in children's use of mobile devices and social networking.

The FTC first sought comments on proposed amendments to the COPPA Rule in September 2011 (10 PVLR 1327, 9/19/11) and asked for input on additional proposed modifications in August (11 PVLR 1225, 8/6/12).

Under the COPPA Rule, operators of websites or online services with users under age 13 must give parents notice and get their verifiable consent before collecting, using, or disclosing personal information from children. This applies to websites or online services either directed to the under 13 age group or in situations where the websites or online services have actual knowledge that they are collecting personal information from children under 13. The rule requires these operators to keep the information collected from children secure. It also prohibits the websites or online services from requiring children to provide additional personal information to participate in activities beyond the information that is reasonably necessary for them to participate.


The Federal Trade Commission's Proposed Amendments to the Children's Online Privacy Protection Rule and General Audience Websites--Melissa J. Krasnow, Dorsey & Whitney LLP, Minneapolis

Amendments Seek to Modernize Rule.

Françoise Gilbert of the IT Law Group, in Palo Alto, Calif., told BNA Dec. 19 that the amended rule “brings child protection online to the 21st century.” She said the fundamentals of the rule remain the same, but noted that “the updated Rule contains references to modern technologies such as geolocation, plug-ins and mobile apps, and modern methods of financing websites, such as behavioral targeting. It also takes into account more than ten years of practice and attempts to address some of the shortcomings and complexities of the prior rule.”

The FTC said its final amendments to the COPPA Rule reflect an intention to:

• “modify the list of 'personal information' that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos”;

• “offer companies a streamlined, voluntary, and transparent approval process for new ways of getting parental consent”;

• “extend coverage in some of those cases so that the third parties doing the additional collection also must comply with COPPA”;

• “strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children's personal information only to companies that are capable of keeping it secure and confidential”;

• “require that covered website operators adopt reasonable procedures for data retention and deletion”; and

• “strengthen the FTC's oversight of self-regulatory safe harbor programs.”

In addition, the FTC said the amended rule would now “cover persistent identifiers that can recognize users over time and across different websites or online services--such as IP addresses and mobile device IDs.”

But the revised COPPA Rule will “cripple kids' sites” and “invites court challenge,” technology policy think tank TechFreedom asserted in a Dec. 19 statement. TechFreedom President Berin Szoka said in the statement that “by deeming persistent identifiers as personal information per se, the FTC's new rule runs contrary to established U.S. privacy law: federal courts have unanimously decided that IP addresses do not allow the contacting of a specific individual.”

The FTC also noted that the amendments “close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent.”

Social media giants Facebook Inc. and Twitter Inc. both opposed the expansion of the COPPA Rule to web plug-ins, arguing that they cannot reasonably be expected to know if the millions of websites using their plug-ins are directed at children because they do not control which sites incorporate their plug-ins (11 PVLR 1492, 10/8/12).

Modified Definitions Expand Coverage.

The FTC explained that the final rule includes several modified definitions:

• “The definition of an operator has been updated to make clear that the rule covers a child-directed site or service that integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors. This definition does not extend liability to platforms, such as Google Play or the App Store, when such platforms merely offer the public access to child-directed apps.”

• “The definition of a website or online service directed to children is expanded to include plug-ins or ad networks that have actual knowledge that they are collecting personal information through a child-directed website or online service. In addition, in contrast to sites and services whose primary target audience is children, and who must presume all users are children, sites and services that target children only as a secondary audience or to a lesser degree may differentiate among users, and will be required to provide notice and obtain parental consent only for those users who identify themselves as being younger than 13.”

• “The definition of personal information now also includes geolocation information, as well as photos, videos, and audio files that contain a child's image or voice.”

• “The definition of personal information requiring parental notice and consent before collection now includes 'persistent identifiers' … . However, no parental notice and consent is required when an operator collects a persistent identifier for the sole purpose of supporting the website or online service's internal operations--such as contextual advertising, frequency capping, legal compliance, site analysis, and network communications. Without parental consent, such information may never be used or disclosed to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual or for any other purpose. The final amended Rule also adds a process allowing industry to seek formal approval to add permitted activities to the definition of support for internal operations.”

• “The definition of collection of personal information has been changed so that operators may allow children to participate in interactive communities without parental consent, so long as the operators take reasonable measures to delete all or virtually all children's personal information before it is made public.”

Parental Notice, Consent Changes.

The agency also modified provisions regarding parental notice and consent mechanisms.

The amendments to the final rule revise the parental notice sections in an effort to ensure that operators' privacy policies and their direct notices--required before collecting children's personal information--are concise and timely.

The amendments offer a few new methods for operators to obtain verifiable parental consent, including:

• electronic scans of signed parental consent forms;

• video-conferencing;

• use of government-issued identification; and

• alternative payment systems--such as debit cards and electronic payment systems--provided they meet certain criteria.

Under the so-called “sliding-scale mechanism of parental consent,” also known “email plus,” the FTC explained, “operators that collect children's personal information for internal use only may obtain verifiable parental consent with an e-mail from the parent, as long as the operator confirms consent by sending a delayed e-mail confirmation to the parent, or calling or sending a letter to the parent.”

Based on comments about “email plus,” the agency acknowledged that it continues to be “a valued and cost-effective consent mechanism for certain operators.” As a result, the final rule accepts this method of consent as acceptable when operators collect personal information only for internal use.

In an effort to identify and encourage the development of new consent methods, the FTC established a voluntary 120-day notice and comment process for parties seeking approval of a specific method of consent. Operators participating in a commission-approved safe-harbor program may use any consent method approved by the program.

Industry groups or others providing FTC-approved safe harbor programs must conduct annual audits of their members and report the aggregated results to the commission. This requirement will strengthen the FTC's oversight of these programs.

Markey Touts Teenager Bill of Rights Measure.

Rep. Edward Markey (D-Mass.), a senior member of the House Energy and Commerce Committee, used the Rockefeller press briefing to draw attention to the Do Not Track Kids Act (H.R. 1895) to update and expand COPPA, which he introduced with Rep. Joe Barton (R-Tex.) in 2011 (10 PVLR 772, 5/23/11). Markey said H.R. 1895 would establish a new “digital marketing bill of rights for teens” that would include mobile privacy protections.

H.R. 1895 has not moved since it was introduced. No committee hearings have been held on H.R. 1895 and none are currently scheduled, making any action on the measure before the 112th Congress adjourns unlikely.

Feldman told BNA that the final updated rule means “the death of UGC [user-generated content] contest[s] for kids,” and said that “costs will mount for kids['] sites because of the imposition of strict liability.” The “return to the 'actual knowledge' standard is welcome and a relief,” he added.

He cautioned that “there are still questions related to the FTC's approach in determining 'knowledge.' ”

Feldman told BNA that companies should be focusing their attention on the final rule's internal operations exceptions for persistent identifiers. He recommended that companies have “a checklist of which internal operations you are furthering” and noted that the FTC will likely construe those exceptions narrowly.

Commissioner Maureen Ohlhausen voted against adoption of the COPPA Rule final amendments and issued a dissenting statement indicating her belief that “a core provision of the amendments exceeds the scope of the authority granted us by Congress in COPPA, the statute that underlies and authorizes the Rule.”

The final amended rule will be published in an upcoming issue of the Federal Register.

By Cecelia M. Assam, Alexei Alexis, and Katie W. Johnson  

The 167-page final rule is available at

Commissioner Ohlhausen's dissenting statement is available at

Chairman Leibowitz's statement is available at

H.R. 1895, as introduced, is available at

Request Bloomberg Law: Privacy & Data Security