Revamping Kids Privacy: FTC Finalizes COPPA Rule Changes

On December 19, 2012, the Federal Trade Commission ("FTC" or "Commission") issued final rule amendments concluding its review of the Children's Online Privacy Protection Act ("COPPA") Rule ("final COPPA Rule"). The FTC's review of the COPPA Rule began with a request for public comment in April, 2010,[1] followed by a public roundtable.[2] The FTC subsequently released initial proposed revisions to the COPPA Rule on September 15, 2011 through a Notice of Proposed Rulemaking ("2011 NOPR"),[3] and additional revisions on August 6, 2012 through a Supplemental Notice of Proposed Rulemaking ("2012 Supplemental Notice").[4] Operators will be required to comply with the final COPPA Rule beginning July 1, 2013.

The Commission made some significant changes to the COPPA Rule, including revisions to the definitions of personal information, operator, and website directed to children. The FTC also made important substantive changes to the COPPA Rule in response to industry comments and concerns about the compliance burden. These include: (i) maintaining the "e-mail plus" mechanism as a method of parental consent; (ii) replacing the "100% deletion standard" under the definition of collects or collection with a "reasonable measures" standard to allow filtered chat; (iii) defining screen or user names in the definition of "personal information" only when it functions as "online contact information"; and (iv) retaining the rule's requirements that the notice include only the contact information for one operator. While some of these changes reduce the potential impact on operators, compliance will nevertheless pose significant burdens on websites directed to kids.

The eight (8) most important changes to the COPPA Rule are provided below:

1. Personal Information: The final COPPA Rule expands the definition of personal information in several important ways. The definition now includes persistent identifiers linked to a device, "geolocation information sufficient to identify a street name and name of a city or town," a "photograph, video or audio file containing a child's image or voice," and a screen or user name when it functions as online contact information.

• The FTC modified the description of persistent identifier to cover "a persistent identifier that can be used to recognize a user over time and [not "or"] across different websites or online services." This includes a customer number held in a cookie, an Internet Protocol (IP) address; a processor or device serial number, or a unique device identifier (UDID). This revision will, of course, have a significant ripple effect throughout the digital world, where personal information has always been thought to identify a specific person, rather than a device that may be accessed by multiple users. The FTC believes, however, that any added burden will be alleviated by allowing the collection of persistent identifiers as support for internal operations of the website or online service.
• Geolocation information is also considered "personal information" when it is sufficient to identify a street name and name of a city or town.
• In addition, screen or user names are personal information, but only when they function in the same manner as "online contact information." The Commission acknowledged that this definition of a screen or user name permits operators to use anonymous screen and user names in place of individually identifiable information, including use for content personalization, filtered chat, public display on a website or online service, or operator-to-user communication via the screen or user name.
• The Commission declined to include date of birth, gender, or zip code alone in the list of items that constitute personal information.

2. Operator: FTC modified the definition of an operator to establish that information is collected or maintained on behalf of an operator when "(a) it is collected or maintained by an agent or service provider; or (b) the operator benefits by allowing another person to collect personal information directly from users of such website or online service." This is a slight revision from what was proposed in the 2012 Supplemental Notice, but the intent remains the same: operators of child-directed sites and services that allow other online service to collect personal information through their sites will be strictly liable. Revisions in this area are focused on advertising networks and downloadable plug-ins that collect personal information from users through another's site or service. The Commission notes that the "benefits" of such collection include not only direct compensation and increased revenue, but also enhanced functionality or content, or greater publicity gained through social media. The revision to the definition of operator greatly expands the number of entities covered by the COPPA Rule, although the FTC clarified that the definition was never intended to cover mobile platforms, such as Google Play or the App Store.

3. Website or Online Service Directed to Children: In the 2012 Supplemental Notice, the Commission proposed to hold responsible as a co-operator any site or online service that "knows or has reason to know" it is collecting personal information from a child. Based on numerous comments criticizing this as contrary to COPPA's actual knowledge standard, the Commission revised the definition to hold such entity liable only where it has actual knowledge that it is collecting personal information directly from users of a child-directed site or service. In determining whether a website or online service, or a portion thereof, is directed to kids, the Commission will evaluate the site or service using a variety of factors, including subject matter, visual content, use of animated character, age of models, etc. The Commission retains its long-standing position that child-directed sites or services whose primary target audience is children must continue to presume that all users are children and provide COPPA protections accordingly. The FTC is allowing age-screening on sites or services that target children only as a secondary audience or to a lesser degree. A website that does not target children as its primary audience, but may have one or more of the factors described above, will not be deemed directed to children if it: (a) does not collect personal information from any visitor prior to collecting age information; and (b) prevents the collection, use or disclosure of personal information from visitors who identify themselves as under the age of 13, unless it obtains verifiable parental consent. The final COPPA Rule also retains a clause establishing that a website is not deemed directed to children solely because it links or refers to a website directed to children.

4. Support for Internal Operations: The Commission refined its definition of support for internal operations throughout the rulemaking. The final COPPA Rule modifies the definition to add frequency of capping of advertising and legal or regulatory compliance to the list of permissible uses. Although many commenters were concerned that the definition, as proposed, would not cover the full suite of activities that should be included, the Commission stated that it believes functions such as intellectual property protections, payment and delivery functions, spam protections, optimization, statistical reporting, or de-bugging are specifically covered by the definitional language permitting activities that "maintain or analyze" the functions of the website or service, or protect the "security or integrity" of the site or service. In fact, the Commission believes that most of the activities commenters cite to as important to permitting the smooth and optimal operation of websites and online services will be exempt from COPPA coverage. This, however, does not include online behavioral advertising ("OBA"). The final COPPA Rule creates a new voluntary process to allow operators to submit requests for approval of additional activities that may be included within the definition of support for internal operations. In addition, persistent identifiers are exempt from the definition personal information where the sole purpose is to provide support for the operator's internal operations.

5. Verifiable Parental Consent: Based on significant comments received by the FTC, the Commission – albeit "reluctantly" – retained "e-mail plus" as an acceptable parental consent method for operators collecting personal information only for internal use.[5] This is a major industry victory, as the elimination of e-mail plus could not be explained based on potential privacy risks to children, and the burden of adopting alternative methods, particularly given the expanded universe of "operators," was significant. The final COPPA Rule also expands the list of acceptable methods for obtaining verifiable parental consent to include: electronic scans of signed consent forms; video-conferencing; government-issued identification, such as a driver's license, or partial Social Security Number; and credit card, debit card, or other online payment system in connection with a monetary transaction, provided that the primary account holder is given notice of the transaction. The Commission declined to include electronic or digital signatures and common consent mechanisms, such as parental controls in gaming consoles and other devices, in the non-exhaustive list of acceptable consent mechanisms. However, the final COPPA Rule provides for a voluntary, streamlined process for Commission approval of additional parental consent mechanisms.

6. Notice: The final COPPA Rule streamlines and clarifies the direct notice requirements to ensure that key information is provided to parents, and also favors succinct "just-in-time" notice. This includes information already collected from the child, the purpose of the notice, the action that the parent must or may take, and what use (if any) the operator will make of the personal information collected. The Commission had earlier proposed that notices include contact information for all operators collecting information. The final COPPA Rule, however, retains the existing "single operator designee" requirement, so that notices to parents are only required to list the contact information of one operator responsible for responding to parent inquiries, although all operators must be named. This will significantly reduce burdens of operators when drafting and updating privacy notices. In addition, the FTC backed off of its proposal that links to operator notices of children's information practices must appear at the point of purchase or download, but is requiring such links on an app's home or landing screen. The Commission nevertheless suggests placing such links at the point of purchase or download as a "best practice."

7. Confidentiality, Security, and Data Retention: Given the heightened concern about the confidentiality and security of data, the final COPPA Rule increases requirements for operators to maintain confidential and secure children's personal information and adds a new provision addressing data retention and deletion. Importantly, the Commission eliminated a proposed requirement that operators "ensure" that any service provider or third party have in place reasonable security measures, requiring instead that operators inquire about entities' data security capabilities and receive assurances about how they will treat the personal information. The final COPPA Rule requires operators to take reasonable steps to release children's personal information only to service providers or third parties who are capable of maintaining the confidentiality, security, and integrity of such personal information, and who provide assurances, through contracts or otherwise, that they will maintain the information in such manner. The new data retention and deletion provision requires operators to retain children's personal information for only so long as is reasonably necessary to fulfill the purpose for which the information was collected.

8. Safe Harbor: The final COPPA Rule makes several changes to the current self-regulatory safe harbor program. These revisions require safe harbor programs to conduct annual, comprehensive reviews of each of their members' information practices, and require applicants to explain in detail their business model and their technological capabilities and mechanisms for initial and continuing assessment of subject operators' fitness for membership in the safe harbor program. In addition, the 2011 NOPR proposed to require that safe harbor programs submit periodic reports of independent audits and any disciplinary action taken against member operators. Several commenters expressed concern that this would force safe harbor programs to disclose member operator names in such situations, thereby preventing the programs' abilities to recruit and retain members, which is counter to notions of self-regulation. In light of these concerns, the Commission revised this requirement to permit safe harbor programs to submit a report to the FTC containing an aggregated summary of the data. The FTC is requiring the periodic reports be submitted annually, rather than one every eighteen months.

Commissioner Maureen Ohlhausen also issued a dissenting statement discussing her position against adoption of the amendments, saying that the revised definition of an operator in the final COPPA Rule exceeds the scope of authority granted by Congress. Specifically, the revised definition extends COPPA obligations to entities that do not collect personal information from children or have access to or control of such information collected by a third-party. This does not comport with the plain meaning of the statutory definition of an operator in COPPA, which covers only entities "on whose behalf such information is collected and maintained." Simply because a child-directed site or online service receives a benefit from using a plug-in should not be equivalent to the collection of personal information by the third-party plug-in on behalf of the child-directed site or online service.

The final COPPA Rule comes on the heels of the FTC's second staff report on mobile apps, "Mobile Apps for Kids: Disclosures Still Not Making the Grade" ("Report"). The Report calls on the mobile app industry to develop and implement "best practices" to better protect children's privacy, but it goes beyond simply advocating for privacy protections by urging mobile app developers to disclose in-app advertising practices and the ability to perform in-app purchases. The Commission did cite to its Report in the final COPPA Rule in discussing the increased burdens and costs to operators of mobile apps.

There is much to digest in the final COPPA Rule. We expect that the Commission will undertake educational activities in the next few months to explain the rule to interested stakeholders, but it will be important for all digital media participants to review the parameters of the rule to assess implications.

Revised definitions may have implications beyond the world of websites and online services directed to children. Updated privacy policies and new procedures for compliance will be required. Many new players with little experience in this area will now be covered by the rule.

For more information on privacy and data security issues, please contact: Sheila Millar (+1 202.434.4143, millar@khlaw.com), Tracy Marshall (+1 202.434.4234, marshall@khlaw.com)