[authors: David Silverman, Ronald G. London]
The Federal Trade Commission (FTC) has issued a Supplemental Notice of Proposed Rulemaking seeking to augment, clarify, and in some cases expand rule changes it proposed in September 2011 for the update of its regulations implementing the Children’s Online Privacy Protection Act (COPPA) that we discussed here. These supplemental changes are part of an overall effort to have the COPPA rules reflect more recent technological developments and popular online practices, primarily social networking sites, smartphone access to the Internet, and easy provision of location information. The proposed changes would expand the final rule so that it:
Includes persistent identifiers that can be used for behavioral advertising and other tracking across web sites, while permitting some “internal” operations such as contextual advertising and anti-fraud measures;
Covers data collection by plug-ins, software downloads, or advertising networks integrated into websites; and
Reaches websites that may not be directed to children, but are likely to draw children under 13.
The supplemental proposed changes also would scale back an earlier FTC proposal to restrict the collection of screen names that do not enable contact with the child but, at the same time, contain a recommendation that general interest websites age-screen all users. As COPPA is the primary statute affording the FTC specific regulatory authority over the use of online personally identifiable information, these further proposed rule changes could have broader ramifications. Comments on these further proposed definitional changes must be filed by Sept. 10, 2012.
COPPA is intended to provide notice to parents and secure verifiable parental consent prior to the collection of personal information from children under the age of 13. Because it was first enacted in 1998, and the FTC first adopted implementing rules in 1999, the rules have been due for updating for some time. The FTC thus issued a notice of proposed rulemaking covering five different areas: 1) the rule’s definitions, including what children’s “personal information” is covered, and what it means to “collect” it; 2) parental notice; 3) new parental consent mechanisms; 4) confidentiality and security requirements; and 5) the “safe harbor” for how self-regulatory programs can be deemed “in compliance” with COPPA. The FTC also considered broadening the scope of COPPA to include teenagers, but ultimately decided to retain its applicability to only children under the age of 13. Now, after having reviewed 350 comments filed on last year’s proposal, the FTC proposed modifications to the COPPA rules’ operational definitions. The primary proposals are summarized below.
Among the most significant potential changes in this rulemaking is a proposal to expand the definition of “personal information,” the collection of which animates COPPA and its implementing rules, and the Supplemental Notice continues this process. First, in its September rulemaking notice, the FTC proposed to treat children’s screen or user names as “personal information” requiring parental notice and consent, when used for more than one website or online service. Commenters noting that screen or user names are often used to avoid collection of personal information, while permitting children to transition seamlessly between devices or platforms, persuaded the FTC to reconsider. The Supplemental Notice thus proposes to modify the definition of “personal information” to include screen or user names, but only when they function “in the same manner as online contact information,” for example, as an email address that permits direct contact with the child.
Separately, the Supplemental Notice proposes to clarify the definition of “persistent identifiers” that are considered “personal information.” In September, the FTC proposed to include “persistent identifiers” such as IP addresses, unique device identifiers and customer numbers held in cookies, if used in any way other than “support for the internal operations” of a website or online service. This was a significant expansion of the definition, and thus of what the COPPA rules would cover.
Reacting to comments that this change would target information that identifies devices and not necessarily individuals, and that the phrase “support for internal operations” is vague, the Supplemental Notice proposes that, to be considered personal information, a “persistent identifier” must be something that “can be used to recognize a user over time, or across different websites or online services.” It also offers a definition for the “internal operations” exception so that it includes—but is limited to—steps necessary to permit user authentication, improve site navigation, maintain user preferences, serve contextual ads, and protect against fraud or theft. While these supplemental proposals mitigate somewhat the potential changes to the “personal information” definition, the overall proposed change, if adopted, would still be a considerable expansion of the rules.
The COPPA definition for “operators” of websites or online services directed to children determines who must give notice and obtain parental consent when children’s personal information is collected. Currently, it focuses on anyone “who operates a website . . . or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service.” The Supplemental Notice reflects that many website operators may not themselves collect personal information, but rather integrate social networking or other plug-ins into their sites, and those plug-ins do collect personal information.
Based on this, and on the notion that operators of child-directed websites benefit from such plug-ins via increased content, functionality, and/or ad revenue, the FTC proposes to modify the definition to include operators of websites where personal information is collected or maintained on behalf of an operator, and “in the interest of, as a representative for, or for the benefit of” the operator. If adopted, this definitional change will mean operators of child-directed sites or services that choose to integrate services of others that collect personal information from visitors would be subject to the parental notice and consent requirements applicable to a covered “operator” under the COPPA Rule.
“Website or Online Service Directed to Children”
The Supplemental Notice offers two modifications to changes in the definition of “website or online service directed to children” as proposed last year. First, in a departure from the original proposal that contemplated a form of strict liability for COPPA’s notice and consent requirements, the modified definition would reach the operators of ad networks or other downloadable plug-ins only if they “know or have reason to know” that they are collecting personal information through a site directed to children. This reflects the FTC’s acknowledgement of comments pointing out that many ad networks and social network plug-ins are incorporated into websites without their knowledge. The FTC notes, however, that “such sites and services will not be free to ignore credible information brought to their attention indicating” that the collection of children’s personally identifiable information is occurring.
In addition, as to websites and online services directed to children and their families, the FTC proposes to further modify the definition of “website or online service directed to children” to mean sites that knowingly target or attract children under age 13 as their “primary” audience, or sites that attract “a disproportionately large percentage of children under age 13.” Under this approach, the latter (“mixed use” sites) will not be deemed as being directed to children if they do not collect personal information from any user prior to obtaining parental consent from “visitors who identify themselves as under age 13.” This would avoid unduly burdening website operators by requiring them to treat all users as children for notice and consent purposes for sites directed to adults and children alike.
The net effect of these further revisions would be that sites and services at the far end of the “child-directed” continuum—i.e., those that knowingly target, or have content likely to draw, children under 13 as their primary audience—must still treat all users as children, and provide notice and obtain consent before collecting personal information. Conversely, sites and services with child-oriented content that target mixed audiences, where children under 13 are likely to be an over-represented group, will not be “directed to children” if, prior to collecting any personal information, they age-screen all users. At that point, for users who identify themselves as under 13, the site or service will have actual notice and must obtain appropriate parental consent before collecting personal information from them, and comply with all other aspects of the Rule. In proposing this change, the FTC acknowledged that children sometimes misrepresent their ages to access websites they wish to visit, but implicit in that acknowledgement is that there is no practical way to overcome this while still having a workable COPPA rule.