COPPA Rule Supplemental Comments Extended to Sept. 24th

In an earlier post, I discussed the significance of proposed changes to the Children’s Online Privacy Protection Rule (COPPA Rule) recommended by the FTC. The FTC has extended the comment period regarding the revisions to the COPPA Rule until September 24, 2012.

The COPPA Rule is designed to protect children under 13 from unwanted privacy intrusion by providing parents control over what information websites and online services may collect from these children.

The revised rule expands the websites covered by the COPPA Rule, makes clear that targeted or behavioral advertising geared at protected minors is covered and expanded the definition of personal information to include persistent identifiers.

Some comments have already been filed. They can be read online.

According to the FTC, the extension was “in response to requests from several organizations.” The FTC now anticipates that “public comments on the Supplemental Notice of Proposed Rulemaking will now be accepted until September 24, 2012.”

Significant revisions to Children’s Online Privacy Protection Rule triggers supplement review

In 1998 Congress responded to the growing demand for protection from invasions of privacy and the potential for marketers or predators to target young children by passing the Children’s Online Privacy Protection Act (COPPA). The Children’s Online Privacy Protection Rule (16 CFR part 312) provides the rules governing the implantation of the law.

As described in the Federal Register, the COPPA Rule include three key features:

Among other things, the Rule requires that operators provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age. The Rule also requires operators to keep secure the information they collect from children and prohibits them from conditioning children’s participation in activities on the collection of more personal information than is reasonably necessary to participate in such activities. The Rule contains a ‘‘safe harbor’’ provision enabling industry groups or others to submit to the Commission for approval self-regulatory guidelines that would implement the Rule’s protections.

In April 2010 the FTC began a process to update the Rules. A notice was sent out in September 2011, generating 350 comments regarding the proposed changes. After receiving the comments and reviewing its own proposal, the FTC substantially changed the proposed update to the Rule. As a result, the FTC has issues a Supplemental Notice of Proposed Rulemaking under which comments will be accepted until September 10, 2012.

Instructions for submitting comments are found in the Notice. Comments can be submitted electronically by clicking here.

The FTC explains the changes as follows:

The proposed modifications to the definitions of “operator” and “website or online service directed to children” would allocate and clarify the responsibilities under COPPA when third parties such as advertising networks or downloadable software kits (“plug-ins”) collect personal information from users through child-directed websites or services. The Commission proposes to state within the definition of “operator” that personal information is “collected or maintained on behalf of” an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator. This change would make clear that an operator of a child-directed site or service that chooses to integrate the services of others that collect personal information from its visitors should itself be considered a covered “operator” under the Rule.

The Commission also proposes to modify the definition of “website or online service directed to children” to:

  1. Clarify that a plug-in or ad network is covered by the Rule when it knows or has reason to know that it is collecting personal information through a child-directed website or online service;
  2. Address the reality that some websites that contain child-oriented content are appealing to both young children and others, including parents. Under the current Rule, these sites must treat all visitors as under 13 years of age. The proposed definition would allow these mixed audience websites to age-screen all visitors in order to provide COPPA’s protections only to users under age 13; and,
  3. Clarify that those child-directed sites or services that knowingly target children under 13 as their primary audience or whose overall content is likely to attract children under age 13 as their primary audience must still treat all users as children.

Finally, the Commission proposes to modify the Rule’s definition of “personal information” to make clear that a persistent identifier will be considered personal information where it can be used to recognize a user over time, or across different sites or services, where it is used for purposes other than support for internal operations. In connection with this change, the Commission proposes to modify the definition of “support for internal operations” in order to explicitly state that activities such as: site maintenance and analysis, performing network communications, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual advertisements, and protecting against fraud and theft will not be considered collection of “personal information” as long as the information collected is not used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising, or for any other purpose.

Taken together, these changes attempt to deal with the increasing use of cross-platform sign-ins and authentication. They do not, however, deal directly with social media or other websites that have no provisions for compliance with the Rule but instead encourage users under the age of 13 to mis-identify themselves to the benefit of the website operator.

As the Washtington Post noted, “vague language … could allow companies supplying online ads — or even Facebook and Twitter which sometimes appear as little icons on Web sites — to avoid the parental consent process.”

Still, the update addresses at least some of the important changes to the structure of internet communications and the importance of mobile apps as a platform for communications.

September 10th is coming fast. Public comments will be critical in effectively shaping the update to the Rule.

NKU Chase Law + Informatics Institute

2013 Informatics Symposium announced – focusing on informatics in labor and employment issues.

NKU Chase Law + Informatics Institute2013 Law + Informatics Symposium on Labor and Employment Issues The annual NKU Chase Law + Informatics Symposium will be held this academic year on February, 15, 2013 focusing on issues in labor and employment related to informatics, including such topics as candidate screening practices, employee privacy, data security and appropriate policies, gamification in training, and social media use. The program will include a day-long seminar and reception. Presentations delivered at the conference will be published by the Northern Kentucky Law Review. More information is provided below in the conference call for papers. A PDF of the Call for Papers is available.

Call for Papers The Northern Kentucky Law Review and Salmon P. Chase College of Lawseek submissions for the Law + Informatics Symposium on February 15, 2013. The focus of the conference is to provide an interdisciplinary review of issues involving privacy, data aggregation, security, communications, social media management and related topics affecting the legal and business practices involving labor and employment law. The symposium is an opportunity for academics, practitioners, consultants, and students to exchange ideas and explore emerging issues in informatics law as it applies to working conditions and employment practices. Interdisciplinary presentations are encouraged. Authors and presenters are invited to submit proposals on topics such as the following:


  • Application of the Americans with Disabilities Act
  • Federal/state employment regulations regarding privacy
  • HIPAA, FERPA, COPPA, GLBA & other sector-specific privacy issues
  • EU & global privacy laws & policies
  • Bioinformatics in the workplace
  • Data mining of employee information
  • Social media and political change

Collective Bargaining

  • Use of informatics tools for collective bargaining
  • Collective bargaining positions on internet usage, data aggregation and social media
  • Online dispute resolution
  • Ownership of databases & data
  • Contracting & enforcement of agreements over sharing of data
  • Assessment of significant commercial expansions of informatics practices affecting public expectations & norms
Social Media

  • Employee discipline for internet and social media use
  • NLRB responses to social media
  • Use of social media in employee screening
  • Implications for privacy and discrimination lawsuits

  Training and Security

  • Gamification in training
  • Computer security
  • Data protection & obligations regarding data breaches
  • Data reliability, including people’s rights to review & correct collected data
  • Retraining and employee obsolecense

  Other Issues

  • Discrimination and access to public and semi-public information
  • Employee ownership of intellectual property and data information
  • Post-termination obligations of employers and employees
  • Employee contracting and end user license agreements
  • Global issues for similarly situated employees in multiple jurisdictions

Submissions & Important Dates: 

  • Please submit materials to
  • Submission Deadline for Abstracts: October 1, 2012
  • Submission Deadline for Articles: February 1, 2013
  • Symposium Date: February 15, 2013

Law Review Published Article:  The Northern Kentucky Law Review will review, edit and publish submissions in the 2013 Spring Symposium issue.  Articles, as well as case studies and abstracts of research in progress, will be considered for the symposium program for presentation purposes.  Only complete articles, however, will be published in the law review.  Abstracts for these papers will be due no later than the October 1, 2012 deadline and will be accepted on a rolling basis until that time.

Presentations (without publication) based on Abstracts:  The Northern Kentucky Law Review will review and select presentations for the symposium.  If you are interested in presenting without submitting a publishable article, an abstract of the presentation must be submitted by the October 1, 2012 deadline and will be accepted on a rolling basis until that time.

About the Law and Informatics Institute:  The Law + Informatics Institute at Chase College of Law provides a critical interdisciplinary approach to the study, research, scholarship, and practical application of informatics, focusing on the regulation and utilization of information – including its creation, acquisition, aggregation, security, manipulation and exploitation – in the fields of intellectual property law, privacy law, evidence (regulating government and the police), business law, and international law. Through courses, symposia, publications and workshops, the Law + Informatics Institute encourages thoughtful public discourse on the regulation and use of information systems, business innovation, and the development of best business practices regarding the exploitation and effectiveness of the information and data systems in business, health care, media, and entertainment, and the public sector.

For More Information Please Contact:

  • ProfessorJon Garon, Symposium Faculty Sponsor: or 859.572.5815
  • Lindsey Jaeger, Director of Centers and Institutes Administration: or 859.572.7853
  • Brad Andress, Symposium Editor: or 812.343.6822

Ethics in Informatics – Assessing ABA’s Ethics 20/20 Commission

May 4, 2012 the NKU Chase Law & Informatics Institute presents an ethics program focusing on the proposed changes to the ABA Model Rules of Professional Responsibility and similar changes to SEC Guidance for disclosure of cybersecurity risk. Dean Dennis Honabach and Professor Jon Garon will lead the conversation.

In 2009, The American Bar Association created the Ethics 20/20 Commission (“Commission”) to “perform a thorough review of the ABA Model Rules of Professional Conduct [(“MRPC”)] and the U.S. system of lawyer regulation in the context of advances in technology and global legal practice developments.”[1] The Commission held hearings and developed draft statements regarding a number of topics, including the effect of technology on a lawyer’s duty of confidentiality and client development.[2]  Having completed its review on several key proposals, they will be brought to the ABA for approval in August 2012:

The ABA Commission on Ethics 20/20 is pleased to release for comment by April 2, 2012, along with a Cover Memo from Co-Chairs Jamie S. Gorelick and Michael Traynor, final revised drafts of Commission Proposals scheduled to go to the ABA House of Delegates in August 2012.  These six revised draft proposals cover the subjects of Technology (Confidentiality), Technology (Client Development), Outsourcing, and Uniformity/Mobility (including Model Rule 5.5 and Practice Pending Admission), Admission by Motion, and Model Rule 1.6 (Duty of Confidentiality).

In addition to the materials provided by the ABA, we have created a Summary Analysis as well as a CLE Powerpoint presentation.

To summarize the program:

The practice of law has largely gone digital in the past decade. Remote access to one’s office, reliance on smart phones to share data, email and social media to communicate with clients, and other emerging technologies to conduct overseas cloud-based outsourcing or operate virtual law offices have transformed the mechanics of practicing law.

The American Bar Association’s Commission on Ethics 20/20 is examining technology’s impact on the legal profession. In proposals recommended for adoption this year, the Commission proposes adoption of a new Rule 1.6(c) which would require that a “lawyer shall make reasonable efforts to prevent the unintended disclosure of, or unauthorized access to, information relating to the representation of a client.” While this duty has existed under the prior rules, the modifications make clear that this affirmative duty extends to data privacy, security and reliability.

These proposals also address issues of screening electronic information accessible to a law firm assure that confidential information known by a personally disqualified lawyer remains protected from inappropriate access by other attorneys; an affirmative duty to “keep abreast of changes in the law and its practice, including the benefits and risks associated with technology;” and many others.

Not to be outdone, the Corporate Finance Division of the Securities and Exchange Commission has taken steps of its own to require greater awareness, disclosure and reporting of issues relating to technological knowledge held by a company – including its lawyers. The guidance identifies that “a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.” Lawyers drafting these disclosures – and lawyers dealing with the risk assessment for their clients – as well as regarding their own practices – have an increasingly external standard of care and responsibility to meet the cyber-risks inherent in the modern digital practice of law.

While it is likely that many of the revised Rules of Professional will be adopted, the changes primarily codify the existing duty to maintain a lawyer’s ongoing duty to remain competent. These materials are intended to assist with that effort by providing an update to the ethical rules and the technologies at the heart of these changes.

The Commission has distributed its recommendations and solicited final comments through April 2, 2012. Final hearings were held April 13-14, 2012 and the Commission will be releasing the final versions of these proposals for approval at the August 2012 ABA Annual Meeting.

Maryanne Zeleznik speaks with Jon Garon on Cincinnati Edition

Over the weekend, I spent a few minutes with the Cincinnati local public radio station WVXU. The interview aired Sunday, Dec. 4, 2011 at 7:10. If you are interested, please give a listen.

Law and Informatics
Maryanne Zeleznik speaks with Jon Garon, a law professor at NKU’s Chase law School, about Law & Informatics and how information can be shared and protected in the digital age.
By: Maryanne Zeleznik
For more information: Law and Informatics
 Listen to the MP3 (9:46)

Proposed Revisions to COPPA add Photos and other Protections, Comments Sought

On September 15, 2011 the FTC issued proposed revisions to the Children’s Online Privacy Protection Rule (“COPPA”), which establishes the requirements to protect the personal data of children younger than 13 on web sites. The rules specify that parents must consent to the collection of a child’s personal information.

The FTC provides the following summary:

The primary goal of COPPA and the Rule is to place parents in control over what information is collected from their young children online. The Rule was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. The Rule applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.
Operators covered by the Rule must:

  1. Post a clear and comprehensive privacy policy on their website describing their information practices for children’s personal information;
  2. Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children;
  3. Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties;
  4. Provide parents access to their child’s personal information to review and/or have the information deleted;
  5. Give parents the opportunity to prevent further use or online collection of a child’s personal information;
  6. Maintain the confidentiality, security, and integrity of information they collect from children.

In addition, the Rule prohibits operators from conditioning a child’s participation in an online activity on the child’s providing more information than is reasonably necessary to participate in that activity.

Even a brief review of the COPPA FAQ shows how varied the use of personal information is for websites. Responding to emails falls within an exception to COPPA – but only if the email is not kept by the website, for example.

At the same time, a Sept. 13, 2011 EU report finds that while “Member States and industry are increasingly making efforts to implement EU Recommendations dating from 1998 and 2006 … the measures taken have been insufficient overall.” Facebook, in particular, has come under criticism for its lack of protection for minors 13 or older and for its limited efforts to exclude minors 13 or under. Facebook has no mechanism to comply with COPPA and instead officially does not offer its services to the Tween and pre-teen set, requiring those minors merely to submit a different year of birth to utilize the site.

The proposal retain the under 13 cut-off for COPPA but expand the personal information covered to include audio files, photographs and video that contain images or sound of the minor as well as geolocation information. Some privacy advocates wanted the rules to include zipcode information, gender and date of birth data, but the proposals did not extend that far.

Filling the gap between COPPA and a system that looks away when the child provides the wrong date of birth may be the most important next step.

The FTC is seeking comments on the proposed revisions, which are due on or before November 28, 2011.

New School Year Requires Privacy Refresher

As we wave goodbye to the school bus or drop off our college-aged mini-adults on campus, we parents immediately start to wonder what is happening with our students. In the past few years, a host of data issues have parents and school officials struggling to navigate the information superhighway.

The law begins with the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99). This federal law protects the privacy of student education records. It has reach to almost every educational institution since the law applies to all schools that receive funds under any applicable program of the U.S. Department of Education.

FERPA was made infamous when confusion regarding the law slowed the intervention for medical treatment of a Virginia Tech student who later went on a shooting rampage. As Inside Higher Ed explained at the time, a presidential report stated that ““it was almost universally observed that these fears and misunderstandings likely limit the transfer of information in more significant ways than is required by law.” Since the regulations provide schools the ability to disclose information “to protect the health or safety of the student or other individuals” schools had the ability to disclose information. It took the Virginia Tech attack to make administrations realize the that they need to use the exceptions to the law more fully. Since then, schools have developed emergency responses.

FERPA also provides an excellent model for data privacy. provides a useful summary:

FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are “eligible students.”

Parents or eligible students have the right to inspect and review the student’s education records maintained by the school. Schools are not required to provide copies of records unless, for reasons such as great distance, it is impossible for parents or eligible students to review the records. Schools may charge a fee for copies.

An additional note to those parents who have children under 18-years-old attending college part-time. Some universities continue to be blind to the age specifications of the law and treat the high school students as adults. Parents need to file a FERPA consent form signed by the student in some cases. They should also alert the university to the problem because it may suggest other FERPA misunderstandings.

A trend that has grown in recent years is the ability for students to violate each other’s privacy. Sometimes labeled cyberbullying, students often learn private information about each other, and less often (but still too frequently) they publicize this information to embarrass, harass or tease their classmates.  Last year, a secreted computer video camera in a dorm room led to the outing of a gay Rutger’s student and live streaming of his sexual encounters resulted in his suicide a few days later. Tyler Clementi’s death gave witness to the pain such invasions of privacy can cause, but less extreme acts and less extreme reactions occur far too frequently.

An even more bizarre invasion of privacy occurred a Pennsylvania school spied on students using software delivered to the homes. Allegedly to control misconduct by students, the school secretly installed remote webcam software to monitor student’s activity in their homes. This is one of those incidents that many of us would have dismissed as inconceivable hypothetical concerns – until a governmental body was actually arrogant and thoughtless enough to misuse the technology. Lesson learned.

Students, parents and schools all need to remember the purpose of privacy is to protect people. When it is used to ignore students at risk, the purpose of privacy has been distorted. When it is used to spy on people – whether fellow students or the school’s students – then it is a violation of a person’s individual dignity.

Privacy is a human right and essential to human dignity, self-worth, and a functioning society. While it may have no economic value, it has a profound value to society. FERPA and other laws protect these rights, but they can only manage broad uses and mis-use.

As we go back to school, we need to make the values of privacy one of the lessons to be taught and followed this academic year.