Significant revisions to Children’s Online Privacy Protection Rule triggers supplement review

In 1998 Congress responded to the growing demand for protection from invasions of privacy and the potential for marketers or predators to target young children by passing the Children’s Online Privacy Protection Act (COPPA). The Children’s Online Privacy Protection Rule (16 CFR part 312) provides the rules governing the implantation of the law.

As described in the Federal Register, the COPPA Rule include three key features:

Among other things, the Rule requires that operators provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age. The Rule also requires operators to keep secure the information they collect from children and prohibits them from conditioning children’s participation in activities on the collection of more personal information than is reasonably necessary to participate in such activities. The Rule contains a ‘‘safe harbor’’ provision enabling industry groups or others to submit to the Commission for approval self-regulatory guidelines that would implement the Rule’s protections.

In April 2010 the FTC began a process to update the Rules. A notice was sent out in September 2011, generating 350 comments regarding the proposed changes. After receiving the comments and reviewing its own proposal, the FTC substantially changed the proposed update to the Rule. As a result, the FTC has issues a Supplemental Notice of Proposed Rulemaking under which comments will be accepted until September 10, 2012.

Instructions for submitting comments are found in the Notice. Comments can be submitted electronically by clicking here.

The FTC explains the changes as follows:

The proposed modifications to the definitions of “operator” and “website or online service directed to children” would allocate and clarify the responsibilities under COPPA when third parties such as advertising networks or downloadable software kits (“plug-ins”) collect personal information from users through child-directed websites or services. The Commission proposes to state within the definition of “operator” that personal information is “collected or maintained on behalf of” an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator. This change would make clear that an operator of a child-directed site or service that chooses to integrate the services of others that collect personal information from its visitors should itself be considered a covered “operator” under the Rule.

The Commission also proposes to modify the definition of “website or online service directed to children” to:

  1. Clarify that a plug-in or ad network is covered by the Rule when it knows or has reason to know that it is collecting personal information through a child-directed website or online service;
  2. Address the reality that some websites that contain child-oriented content are appealing to both young children and others, including parents. Under the current Rule, these sites must treat all visitors as under 13 years of age. The proposed definition would allow these mixed audience websites to age-screen all visitors in order to provide COPPA’s protections only to users under age 13; and,
  3. Clarify that those child-directed sites or services that knowingly target children under 13 as their primary audience or whose overall content is likely to attract children under age 13 as their primary audience must still treat all users as children.

Finally, the Commission proposes to modify the Rule’s definition of “personal information” to make clear that a persistent identifier will be considered personal information where it can be used to recognize a user over time, or across different sites or services, where it is used for purposes other than support for internal operations. In connection with this change, the Commission proposes to modify the definition of “support for internal operations” in order to explicitly state that activities such as: site maintenance and analysis, performing network communications, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual advertisements, and protecting against fraud and theft will not be considered collection of “personal information” as long as the information collected is not used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising, or for any other purpose.

Taken together, these changes attempt to deal with the increasing use of cross-platform sign-ins and authentication. They do not, however, deal directly with social media or other websites that have no provisions for compliance with the Rule but instead encourage users under the age of 13 to mis-identify themselves to the benefit of the website operator.

As the Washtington Post noted, “vague language … could allow companies supplying online ads — or even Facebook and Twitter which sometimes appear as little icons on Web sites — to avoid the parental consent process.”

Still, the update addresses at least some of the important changes to the structure of internet communications and the importance of mobile apps as a platform for communications.

September 10th is coming fast. Public comments will be critical in effectively shaping the update to the Rule.

Advertisements