New technologies enable marketers to collect and analyze more — and more specific— data than ever before. Marketers can track consumers across the internet and mobile applications, and can deliver advertising based on consumers’ interests inferred from the collected data. In theory, consumer tracking enables marketers to present advertising to consumers who are predisposed to a specific product or service, producing a higher purchase rate and transaction price, and a greater return on investment in marketing activities.
While these new technologies make advertising and marketing more targeted and efficient, they also present new challenges for marketers. Although a majority of consumers understand the “pay with data” model through which websites, mobile applications and other digital services are made available at no cost, they do not want advertisers to track them or to aggregate the tracking data into so-called “big data” databases. Consequently, consumer digital privacy has been the subject of many recent news articles – from lawsuits filed by consumers against email service providers and social media platforms for undisclosed data mining to senatorial requests to data brokers for transparency.
In this four-part series, we will highlight of some recent developments in consumer data privacy law and suggested steps for marketers on how to address them.
Children’s Online Privacy Protection Act Amendments
The Children’s Online Privacy Protection Act (COPPA) is a federal statute enacted in 1998 that requires operators of commercial digital services to provide parental notification and obtain verifiable parental consent prior to collecting personal information from children under 13. To implement COPPA, the Federal Trade Commission (FTC) issued a set of regulations known as the Children’s Online Privacy Protection Rule (COPPA Rule). On December 19, 2012, the FTC released amendments to the COPPA Rule which became effective July 1, 2013.
The amended COPPA Rule enhances online privacy protection for children and makes digital services’ operators more accountable for data collection activities involving children under age 13. Notable for marketers is a new liability standard for third-party service providers. Specifically, effective July 1, 2013:
The operator of “children-directed” (i.e., intended for children under age 13) online or mobile websites and services is strictly liable for actions of independent third parties – including social media plug-ins – on/through its website and mobile services if the third party is acting as its agent or service provider or if the operator benefits by allowing the third party information collection; and
A software plug-in, ad network or similar party that collects information on or through a third-party’s online or mobile website or service now is liable under COPPA if that party has actual knowledge it is collecting personal information on a children-directed platform.
The amended COPPA Rule makes several other key changes to the original COPPA Rule, including:
An expanded definition of personal information to include geo-location information, a child’s photo or audio or video file, screen or user names, and persistent identifiers, such as information held in a cookie, an IP address, a mobile device ID number, that can be used to identify an individual consumer over time and across different websites or online services;
Further clarification about the test for determining whether an online service is children-directed (which remains a highly fact-specific inquiry that depends on the totality of the circumstances);
The addition of an age-screening safe harbor for online services that fit the directed-to-children criteria but do not target children as their primary audience;
Streamlined disclosure requirements for parental notification and privacy statement regarding information practices with respect to children; and
Expanded acceptable methods for obtaining verified parental consent.
Action Step for Marketers
To ensure compliance with the amended COPPA Rule, all marketers need to evaluate their data collection activities with respect to children on their own digital services and third-party digital services to ensure that disclosures about data collection from children are accurate and up-to-date. Even though operators of digital services directed to children are strictly liable for their third-party service providers or if they have actual knowledge of data collection from children, marketers should consider checking their services agreements to make sure that service providers’ compliance with the amended COPPA Rule (and data privacy and security laws in general) is covered by existing provisions.
For more information, please see our article in the Boston Bar Journal, “Protecting Children Online: New Compliance Obligations for Digital Marketing to Children.”