Views on COPPA Enforcement Actions and TrendsFrom Allison Fitzpatrick, Partner, Davis & Gilbert LLP

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

As more and more electronic products, including children's toys, become connected to the Internet, concerns over protecting children's personal information have grown.

Bloomberg BNA Privacy & Data Security News Senior Legal Editor Jimmy H. Koo posed a series of questions to Allison Fitzpatrick, a partner at Davis & Gilbert LLP, about the trends in the Federal Trade Commission's enforcement of the Children’s Online Privacy Protection Act.

Bloomberg BNA:

What helped you as a lawyer to bridge advertising and privacy laws in your practice?

Allison Fitzpatrick:

While advertising and privacy are distinct areas of law, they share a common principle that advertising and privacy practices should neither be unfair nor deceptive. To that point, regulatory bodies such as the Federal Trade Commission (FTC) may invoke Section 5 of the Federal Trade Commission Act to prohibit both unfair and deceptive practices in advertising and in privacy.

However, when it comes to children’s privacy, the FTC has another weapon in its arsenal in the form of the Children’s Online Privacy Protection Act (COPPA) Rule, which prohibits operators of online services from collecting personal information from children under 13 years of age without the express approval of their parents.

Through the FTC’s COPPA Rule, the FTC acknowledges that children are particularly vulnerable to overreaching marketers and therefore need special protections. This principle permeates all aspects of children’s advertising and is the basis for the creation of the Children’s Advertising Review Unit (CARU), the self-regulatory program that promotes responsible advertising to children. While advertising and privacy are distinct areas of the law, they share many of the same principles, particularly when it comes to children.

The FTC acknowledges that children are particularly vulnerable to overreaching marketers and therefore need special protections.

Bloomberg BNA:

What lessons can companies learn from LAI Systems LLC and Retro Dreamer settlements of FTC’s allegations that they violated COPPA by allowing third-party advertisers to collect persistent identifiers ?

Fitzpatrick:

The FTC’s recent settlements with LAI Systems and Retro Dreamer are instructive because they are the first actions involving allegations that application developers violated COPPA by allowing advertisers to collect persistent identifiers to serve behaviorally-targeted ads to children. With these actions, the FTC appears to be putting operators on notice that the FTC will be scrutinizing child-directed apps and web sites more closely to ensure that they aren't tracking children’s online behavior. More specifically, these actions serve as a reminder:

  • (i) that persistent identifiers are defined as “personal information” under COPPA and that the collection of persistent identities could result in a COPPA action even when the operator of the child-directed service isn't the party collecting the personal information;
  • (ii) that the FTC will impose civil penalties on operators who violate COPPA, as exemplified by the $300,000 penalty imposed on Retro Dreamer and the $60,000 civil penalty imposed on LAI Systems; and
  • (iii) that operators of online services directed to children should routinely assess their privacy practices to ensure that their practices are in compliance with the COPPA and that their apps and web sites aren't tracking children without parental consent.
  •  

    Bloomberg BNA:

    You mention that these actions are the first against child-directed apps under new COPPA provisions. Is this a sign that the FTC is expanding its scrutiny of children’s privacy and advertisement directed at children?

    Fitzpatrick:

    In 2013, the FTC updated COPPA ( known as “new COPPA”) to expand the definition of “personal information” to cover (i) geolocation data that can identify a child’s city and street; (ii) a child’s image and voice; (iii) screen and user names; and (iv) persistent identifiers, which are pieces of data that can be used to recognize a child across different websites and online services.

    The FTC will likely scrutinize services that target children more closely and ultimately bring more actions.

    However, the FTC waited over a year for its first action involving new COPPA when it brought an action against Yelp Inc. for collecting geolocation information and photos of children (as well as other personal information) without parental consent in violation of new COPPA. Notably, Yelp wasn't a child-directed app but a general audience app that failed to implement a functional age-screen mechanism, resulting in Yelp accepting registrations from users who had inputted birth dates that indicated that they were under 13 years of age. Until these recent actions against LAI Systems and Retro Dreamer, the FTC had yet to bring an action based on violations of new COPPA involving the collection of persistent identifiers and had yet to bring an action under new COPPA against a child-directed app.

    Accordingly, the LAI Systems and Retro Dreamer actions should signal to the industry that the FTC is “expanding” its scrutiny of apps and web sites that collect personal information in the form of persistent identifiers to behaviorally target children in violation of new COPPA. With these recent actions, the FTC has established a framework for bringing enforcement actions under new COPPA for online services that target children and will likely scrutinize these services more closely and ultimately bring more actions against child-directed services that engage in this conduct.

    Bloomberg BNA:

    Would you agree that the Yelp case means the FTC is expanding beyond that concept of a website being directed at children as the most important factor in deciding to go after potential COPPA violations?

    Fitzpatrick:

    The 2014 Yelp action reminded the industry that online services don't need to be directed to children to violate COPPA, as general audience apps like Yelp that have actual knowledge they are collecting personal information from children could be subject to a COPPA action. The actions against LAI Systems and Retro Dreamer are noteworthy because they are reminders that online services that are directed to children will be held strictly liable for the collection of personal information by third party advertising networks through their services.

    In light of the FTC's focus on whether defendants were warned by an advertising network of their COPPA obligations, it would be prudent for online services to review their files to determine if they received similar notifications.

    Between the two, actual knowledge is a far more difficult standard to prove so online services that are directed to children should be more diligent to ensure that their privacy practices are in compliance with COPPA. Again, the FTC alleged that the advertising networks on the LAI Systems and Retro Dreamer child-directed apps collected the personal information from children and held the operators of the apps—not the advertising networks—strictly liable for the COPPA violations.

    One interesting aspect of the Retro Dreamer complaint is the FTC’s allegation that the defendants were aware of the existence of their COPPA obligations because at least one advertising network over the course of 2013 and 2014 specifically warned the defendants about their obligations under COPPA and also told the defendants that a few of their apps appeared to be targeted to children under the age of 13.

    In light of this allegation, it would be prudent for online services to review their files to determine if they received similar notifications from advertising networks to help avoid their own COPPA actions.

    Bloomberg BNA:

    Recently, SanrioTown.com and children’s toy maker VTech were hacked, exposing the details of millions user accounts—many belonging to young children. Are there, if any, differences between how companies protect children’s data and adults’ data from data breaches, and if not, do you think there should be?

    Fitzpatrick:

    The main difference between children’s data and adults’ data is the greater legal protection for consumers regarding companies’ collection and use of children’s data under COPPA. Although all companies are required to implement appropriate security measures for data collected, the COPPA Rule mandates more stringent controls and additional action when dealing with children’s data.

    COPPA requires operators of online services to obtain parental consent before even collecting personal information from children under 13, and “personal information” is more broadly defined than one would consider for an adult, including photos and geolocation information. COPPA then calls for operators to take steps to protect the confidentiality, security and integrity of the personal information collected. Additionally, COPPA allows for retention of children’s personal information for only as long as reasonably necessary for the purpose it was collected, then requires deletion of such information.

    Companies should certainly be aware of these additional obligations when collecting children’s personal information and provide the greater protection necessary for this sensitive information. Particularly as data breaches become more common, and as evidenced by Congressional statements in response to the VTech hack, breaches involving children’s data will likely receive greater scrutiny from regulators and lawmakers seeking to protect this vulnerable group.