FTC Proposes Additional Revisions to Children's Online Privacy Protection Rule

by Wilson Sonsini Goodrich & Rosati

On August 1, 2012, the Federal Trade Commission (FTC) issued a supplemental notice of proposed rulemaking (Supplemental NPR)1 in which it proposed additional modifications to the Children's Online Privacy Protection Rule (COPPA Rule), which implements the Children's Online Privacy Protection Act (COPPA).

COPPA generally requires that all operators of commercial websites or online services that are directed to or knowingly collect personal information from children under 13 years of age disclose their information-collection practices and obtain verifiable parental consent before collecting personal information from children. The proposed modifications augment the FTC's notice of proposed rulemaking issued on September 15, 2011,2 and address certain comments received by the FTC to date regarding the original NPR, as well as the FTC's experience in administering and enforcing the COPPA Rule. As explained below, the proposed modifications would further expand the scope of entities that the FTC deems to be covered by COPPA, but they also would ease consent requirements somewhat with respect to covered websites and online services that appeal to mixed-age audiences.

Companies that may be affected by the proposed amendments have until September 10, 2012, to submit comments to the FTC.

Proposed Amendments

The FTC's proposed amendments would modify four key definitions in the COPPA Rule: "operator," "website or online service directed to children," "support for internal operations," and "personal information."

Modifications to "Operator" and "Website or Online Service Directed to Children" to Address Third-Party Collection of Personal Information

In the Supplemental NPR, the FTC noted that public comments and its law enforcement experience highlighted the need for the FTC to allocate and clarify responsibilities under COPPA when independent entities or third parties such as advertising networks, social media services, or other providers of downloadable software kits (referred to in the Supplemental NPR as "plug-ins") collect information from users through child-directed websites and online services. A child-directed site or online service would determine the child-directed nature of the content, but third-party advertising networks and providers of plug-ins collect information that would be considered personal information under the COPPA Rule.

The FTC noted changes in technology that have made it easy and commonplace for child-directed sites and services to integrate social networking and other personal-information-collection features into the content offered to their users without maintaining ownership, control, or access to the personal information that is collected. Given these advancements in technology, the FTC proposes changes to the definitions of "operator" and "website or online service directed to children" that would hold both (i) the child-directed website or online service and (ii) the information-collecting website or online service responsible as covered "co-operators" under the COPPA Rule.

First, the modified COPPA Rule would redefine the term "operator." COPPA applies to child-directed websites and online services that directly collect or maintain information about users, "or on whose behalf such information is collected or maintained."3 The modified COPPA Rule would make clear that operators of websites that do not themselves collect personal information that triggers the notice and consent requirements of COPPA still would be subject to those requirements if third parties such as advertising networks or downloadable plug-ins collect such information. In the FTC's view, such third parties are collecting the information "on behalf of" the child-directed website or online service. Specifically, the FTC proposes revising its definition of "operator" to add a proviso stating: 

Personal information is collected or maintained on behalf of an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator.4

The FTC reasoned that a child-directed site or service is in the position to provide the required notice and obtain the required parental consent, and can control which plug-ins, software downloads, or advertising networks it integrates into its site or service.

Second, the modified COPPA Rule would make clear that any third-party operator that collects personal information through child-directed websites and services also is subject to COPPA's requirements if it knows or has reason to know that it is collecting such information through a child-directed website or online service. The FTC would effectuate this by including in the definition of "website or online service directed to children" any operator that "knows or has reason to know" it is collecting personal information through any website or online service otherwise covered by COPPA.5 In proposing this modification, the FTC expressed a desire to cover advertising networks, plug-ins, and other third-party websites and online services that collect personal information through child-directed properties.

The FTC clarified that in using the phrase "reason to know" as part of this proposed modification, it is not imposing a duty on third-party operators to monitor or investigate whether their services are incorporated into child-directed properties; these entities, however, would not be free to ignore credible information brought to their attention indicating that such is the case. Critically, while the examples given by the FTC center around advertising networks and plug-ins, the operator of any third-party website or online service that collects personal information through another website or online service would be subject to this "knows or has reason to know" standard.

The FTC stated its belief that the proposed modification to "website or online service directed to children," along with its proposed modifications to the definition of "operator," would hold a child-directed property to be a "co-operator" equally responsible under the COPPA Rule for personal information collected by a plug-in, advertising network, or other third-party website or online service, which would help ensure that operators in both positions cooperate to fulfill their obligations under COPPA to notify parents and obtain parental consent.6

Modifications to "Website or Online Service Directed to Children" to Address Websites and Online Services Directed to Children and Families

The FTC also proposes to modify the COPPA Rule's definition of "website or online service directed to children" to treat websites differently depending on the extent to which they are directed to children. Currently, all websites and online services directed to children are subject to COPPA's requirements, even if only a portion of the site or service is so directed, and even if the site or service attracts a substantial number of persons over the age of 13 as users. Under the proposed revisions, websites and online services that knowingly target or have content likely to draw children under 13 as their primary audience still must treat all users as children (that is, provide notice to parents and obtain consent before collecting personal information from any user).7 Websites and online services with child-oriented content appealing to a mixed audience, where children under 13 are likely to be an over-represented group, would not be deemed directed to children if they use an age screen prior to collecting personal information from any users. When users identify themselves as under 13 in the age screen, the site or service would be deemed to have actual knowledge that such users are under 13. As a result, it would need to obtain appropriate parental consent before collecting any personal information from them, and also would need to comply with all other aspects of the COPPA Rule.8 Parental consent would not be required from users who identify themselves as 13 years of age or older.

Definition of "Personal Information"

The FTC also seeks to clarify two aspects of the definition of "personal information," the collection of which subjects the operator to COPPA's requirements: screen or user names and persistent identifiers.

I. Screen or User Names

In the original NPR, the FTC had proposed to define as personal information "a screen or user name where such screen or user name is used for functions other than or in addition to support for the internal operations of the website or online service." This was intended to address scenarios in which a screen or user name could be used by a child as a single credential to access multiple online properties, thereby permitting him or her to be directly contacted online regardless of whether the screen or user name contained an email address.

Citing comments promoting the benefits of using screen names as alternatives to email addresses and other personal information, including the benefits of using single sign-in identifiers across sites and services, the FTC now proposes to modify the definition of "personal information" to include screen names or user names only where they function in the same manner as "online contact information" (i.e., where they permit direct contact with a person online).9

II. Persistent Identifiers and Support for Internal Operations

In the original NPR, the FTC proposed changes to the definition of "personal information" to include, among other things, persistent identifiers "used for functions other than or in addition to support for the internal operations of the website or online service." The FTC also proposed to include in the definition of personal information "identifiers that link the activities of a child across different websites or online services."10

In response to various concerns of commenters, the FTC proposes modifications to the definition of "personal information" to (i) address concerns about the confusion caused by having two different portions of the "personal information" definition dealing with persistent identifiers and (ii) provide more specificity to the types of activities that would be considered "support for internal operations."

First, with respect to persistent identifiers, the FTC proposes that they be included as "personal information" where they "can be used to recognize a user over time, or across different websites or online services."11 These would include, but would not be limited to, customer numbers held in cookies, IP addresses, processor or device serial numbers, and unique device identifiers. Critically, unlike the FTC's original modified definition, persistent identifiers would have to be able to recognize a user over time or across different websites or online services in order to be considered "personal information."

Second, the FTC proposes adding a definition for the "support for internal operations" exclusion to include "those activities necessary to: (a) maintain or analyze the functioning of the website or online service; (b) perform network communications; (c) authenticate users of, or personalize the content on, the website or online service; (d) serve contextual advertising on the website or online service; (e) protect the security or integrity of the user, website, or online service; or (f) fulfill a request of a child as permitted by [limited circumstances under the COPPA Rule]; so long as the information collected for the activities listed in (a)-(f) is not used or disclosed to contact a specific individual or for any other purpose."12 The FTC emphasized that to fall within the "support for internal operations" exclusion, the information may not be used or disclosed to contact a specific individual, including through the use of behaviorally targeted advertising, or for any other purpose not elucidated in the proposed "support for internal operations" definition.13

Implications of Proposed Amendments

The FTC's proposed amendments reflect its continued expansion of the scope of the COPPA Rule, while at the same time recognizing some of the compliance challenges faced by covered operators, as well as the need for more clarity regarding the FTC's expectations under the original proposed modifications to the COPPA Rule.

The amendments requiring operators of websites and online services directed to children to know whether advertising networks, the operators of integrated social media services or other plug-ins, or other integrated third-party services collect personal information would impose new burdens on the operators of those child-directed sites and services. Similarly, the operators of websites and online services that collect personal information through third-party websites and online services would need to assess what they know about the websites and online services into which they are integrated in order to determine whether they may have notice and consent requirements.

Otherwise, the changes generally appear helpful to operators of websites and other online services. The amendments to permit websites and online services with child-directed content to age-screen may allow those website and service operators to engage in greater collection and use of personal information from their users who are 13 years of age or older. The clarifications regarding "screen and user names" address concerns that many website and online service operators had after seeing those data elements identified as "personal information" in the original NPR. Similarly, the modifications to the definition of "support for internal operations" add some much-needed clarification.

Operators of commercial websites and online services, particularly child-directed websites or online services that contain integrated third-party services that may collect personal information, as well as websites or online services that collect personal information through integration with third-party services or that collect persistent identifiers in connection with behavioral advertising, may wish to review their existing practices and consider submitting comments.

More generally, all companies that interact with children on the Internet should be aware of COPPA, the COPPA Rule, and the FTC's enforcement in this area. Since its enactment in 2000, the COPPA Rule has been aggressively enforced by the FTC. Numerous companies have paid multimillion-dollar settlements or penalties due to non-compliance. The FTC's proposed revisions to the COPPA Rule in the original NPR, and now in the Supplemental NPR, reflect the commission's continued focus on consumer privacy, particularly with respect to children.

Our attorneys routinely counsel clients on the subtleties of COPPA and other rapidly changing domestic and international privacy issues. If you have questions in these areas or are interested in submitting comments to the FTC regarding its proposed modifications to the COPPA Rule, please contact Lydia Parnes at lparnes@wsgr.com or (202) 973-8801; Tonia Klausner at tklausner@wsgr.com or (212) 497-7706; Matthew Staples at mstaples@wsgr.com or (206) 883-2583; or any of the many members of our privacy and data security practice.


1 The Supplemental NPR is available at http://www.ftc.gov/os/2012/08/120801copparule.pdf.

2 The original NPR is available at http://www.ftc.gov/os/2011/09/110915coppa.pdf. Our WSGR Alert covering the original NPR is available at http://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/pdfsearch/wsgralert-childrens-online-privacy-protection.htm.

3 See 15 U.S.C. 6501(2).

4 Supplemental NPR, 77 FR at 46644.

5 Supplemental NPR, 77 FR at 46645.

6 Id.

7 The proposed revised definition of "website or online service directed to children" in the Supplemental NPR is a commercial website or online service, or portion thereof, that:

(a) knowingly targets children under age 13 as its primary audience; or
(b) based on the overall content of the website or online service, is likely to attract children under age 13 as its primary audience; or
(c) based on the overall content of the website or online service, is likely to attract an audience that includes a disproportionately large percentage of children under age 13 as compared to the percentage of such children in the general population; provided however that such website or online service shall not be deemed to be directed to children if it: (i) does not collect personal information from any visitor prior to collecting age information; and (ii) prevents the collection, use, or disclosure of personal information from visitors who identify themselves as under age 13 without first obtaining verifiable parental consent.

Supplemental NPR, 77 FR at 46646.

8 Id.

9 Supplemental NPR, 77 FR at 46647. In the original NPR, the FTC had proposed amending "online contact information" to include "an email address or any other substantially similar identifier that permits direct contact with a person online, including but not limited to, an instant messaging user identifier, a voice over Internet protocol (VOIP) identifier, or a video chat user identifier." NPR, 76 FR at 59810.

10 NPR, 76 FR at 59812.

11 Supplemental NPR, 77 FR at 46647.

12 Supplemental NPR, 77 FR at 46648.

13 Id.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising
