Kids Privacy: FTC Seeks Public Comment on Additional COPPA Rule Changes
On August 1, 2012, the Federal Trade Commission ("FTC" or "Commission") issued a Supplemental Notice of Proposed Rulemaking ("Supplemental Notice") seeking additional comments on revisions to the Children's Online Privacy Protection Act ("COPPA") Rule. The FTC released initial proposed revisions to the COPPA Rule on September 15, 2011 through a Notice of Proposed Rulemaking ("NOPR"). The Supplemental Notice changes some, but not all, aspects of the earlier proposal.
Specifically, the FTC seeks public comment on revisions to the definition of "operator," and further modifications to the definitions of "personal information," "support for internal operations," and "website or online service directed to children." These revisions in some cases expand, and in others narrow, obligations of the September, 2011 NOPR, but other key revisions proposed last September were not addressed. The Commission received over 350 comments on the NOPR. The revisions proposed in the Supplemental Notice are sure to draw a similar number of comments.
What's Changed?
Key revisions to the September, 2011 NOPR outlined in the Supplemental Notice are as follows:
Operator. The FTC proposes to modify the definition of "operator" to establish that information is collected or maintained on behalf of an operator when it is collected "in the interest of, or as a representative of, or for the benefit of, the operator." Revisions in this area are focused on advertising networks or downloadable plug-ins that collect personal information from users through another's site or service. The Commission's rationale for the changes reflected in the Supplemental Notice is that an operator of a child-directed site or service that chooses to integrate other services into the site that collect personal information from visitors should be considered a "covered operator." These entities are said to be in the best position to know that the site or service is directed to children and can control which plug-ins, software downloads, or advertising networks they integrate into the site. Since the FTC has consistently interpreted the "on behalf of" language to exclude instances where the website merely acts as a conduit through which the personal information flows to another, this revision would greatly expand the number of entities covered by the COPPA Rule.
Website or Online Service Directed to Children. The Commission has now proposed to define a children's website or service as one that a) knowingly targets children under 13, b) is likely to attract children under 13 as its primary audience, c) is likely to attract an audience that includes a disproportionately large percentage of children under 13, or d) "knows or has reason to know" that it is collecting personal information through a host website or online service that is directed to, or likely to attract, children, unless, in effect, it uses age-screening to prevent the collection, use or disclosure of personal information of children under 13. The Commission states it does not intend to impose a duty on entities, such as ad networks or plug-ins, to monitor or investigate whether their services are incorporated into child-directed sites or services, but notes that such sites and services are not free to ignore credible evidence that has been brought to their attention. The Children's Advertising Review Unit (CARU), the self-regulatory body for children's advertising, does establish an age-screening obligation on websites where "there is a reasonable expectation that a significant number of children will be visiting." The FTC's proposed revision provides a mechanism for sites that attract children, but may be directed to families, to implement approaches that avoid treating every visitor as a child. This could prove to be a major benefit for some sites. However, age-screening can generate complaints, and ensuring it works effectively across multiple browsers can be challenging.
Support for Internal Operations. Recognizing that the NOPR's proposed definition for support for internal operations was too narrow, the FTC proposes to revise this definition to include those activities which are necessary to maintain or analyze the functioning of the website or online service; perform network communications; authenticate users of, or personalize the content on, the website or online service; serve contextual advertising on the website or online service; and protect the security or integrity of the user, website, or online service; or fulfill a request of a child as otherwise permitted. To be considered support for internal operations, however, none of the information collected may be used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising. These changes are extremely helpful and responsive to comments expressing concern about the limited nature of the exclusion, but need to be analyzed to see if they cover all relevant activities that companies today consider to fall under the ambit of supporting their operations.
Screen or User Name. The FTC initially proposed to define a screen or user name as personal information when used for functions other than or in addition to support for the operations of a website or online service. The Supplemental Notice proposes to revise this definition to cover only those situations where a screen or user name functions in the same manner as "online contact information." In such cases, a screen or user name would function much like an e-mail address, an instant messaging identifier, or any other similar identifier that permits direct contact with the child when online. This should prove helpful to companies operating multiple sites where visitors can log in using a common screen or user name.
Persistent Identifier. The Commission is proposing to narrow the scope of persistent identifiers defined as personal information. Persistent identifiers would be considered personal information only when they can be "used to recognize a user over time, or across different websites or online services," and when "used for functions other than or in addition to support for the operations of a website or online service." The FTC says these changes are intended to permit the collection of persistent identifiers for site maintenance and analysis, to perform network communications, and for other purposes, consistent with the "support for the operations of the website." Persistent identifiers are still otherwise per se personal information even when they are not linked to another item of personally identifiable information. Again, it will be important for affected companies to analyze whether the combination of changes indeed offers adequate flexibility. Businesses must also consider implications for the advertising ecosystem, especially compliance with self-regulatory principles on online behavioral advertising.
What Hasn't Changed?
The Supplemental Notice does not solicit further comment on some controversial changes proposed in the September, 2011 NOPR, such as: (a) defining photographs or video and audio files with the image or voice of children as personal information; (b) defining geolocation information as personal information; (c) eliminating "e-mail plus" as a means of obtaining verifiable parental consent; and (d) requiring operators to "ensure" that their service providers and other third parties have in place reasonable procedures to protect personal information. Elimination of a popular means of parental consent, e-mail plus, continues to be a major source of concern for child-oriented websites. Treating photographs and the like as personal information, even when not linked to another identifier, may create practical difficulties and restrict the ability to offer certain types of content. The fact that the FTC is not soliciting comments on these points suggests that the Commission may well move forward with these changes. At the same time, the FTC solicited comments on whether gender, birthdate, zip code, or zip +4 should be considered personal information in the original NOPR. The FTC has not proposed to add these elements as items of "personal information" in the Supplemental Notice.
Potential Impact
A number of the FTC's proposed changes are encouraging and respond to deep concerns about the operational impact of the initial proposal. Some provisions appear likely to remain unchanged from the September, 2011 NOPR, despite strong criticism. Others create additional questions and have broad implications for online stores, ad networks, and a variety of technology and business partners. The combination of changes will need to be considered, and will still likely have significant commercial implications on sites and services directed to children, as well as sites and services that may target teens, families or adults.
The Commission seeks input on the regulatory burden of the revised rule. It will be important to provide additional insights on regulatory burdens. Costs may go well beyond the actual costs associated with updating privacy notices. For example, some third parties or service providers may be wary of the use of their technology on child-directed websites and seek to avoid any COPPA obligations by contractually limiting use. Operators of child-directed sites or services could effectively have to verify COPPA compliance before linking to any social media websites or using plug-ins and downloads, or broadly institute age-screening. Allowing sites to institute an age-screen could prove beneficial, and may provide the vehicle to permit use of social media, plug-ins or downloads on mixed sites where an individual is age-screened as over 13. However, age-screening on sites that are not directed to children has often generated a high level of complaints from visitors.
The Commission is not adopting any final amendments to the COPPA Rule at this time and is continuing to consider comments submitted in response to its NOPR. The FTC seeks comment on several specific questions, and interested parties can submit comments on these and other issues raised by the Supplemental Notice. Comments are due by September 10, 2012. Given questions likely to arise regarding the proposal, it is expected that some stakeholders will seek an extension of time to respond, but the Commission is anxious to finalize the Rule and an extension is not guaranteed. Consequently, interested parties are encouraged to carefully review the Supplemental Notice and share their views on the proposed legal, policy, operational and economic implications with the Commission. The Supplemental Notice of Proposed Rulemaking is available at: http://www.ftc.gov/os/2012/08/120801copparule.pdf.
For more information on privacy and data security issues, please contact:
Sheila Millar (+1 202.434.4143, millar@khlaw.com),
Tracy Marshall (+1 202.434.4234, marshall@khlaw.com)