FTC Proposes Revised Definitions for Its Previously Proposed COPPA Rule Changes

by Davis Wright Tremaine LLP

[authors: David Silverman, Ronald G. London]

The Federal Trade Commission (FTC) has issued a Supplemental Notice of Proposed Rulemaking seeking to augment, clarify, and in some cases expand rule changes it proposed in September 2011 for the update of its regulations implementing the Children’s Online Privacy Protection Act (COPPA) that we discussed here. These supplemental changes are part of an overall effort to have the COPPA rules reflect more recent technological developments and popular online practices, primarily, social networking sites, smartphone access to the Internet, and easy provision of location information. The proposed changes would expand the final rule so that it:

  • Includes persistent identifiers that can be used for behavioral advertising and other tracking across web sites, while permitting some “internal” operations such as contextual advertising and anti-fraud measures;
  • Covers data collection by plug-ins, software downloads, or advertising networks integrated into websites; and
  • Reaches websites that may not be directed to children, but are likely to draw children under 13.

The supplemental proposed changes also would scale back an earlier FTC proposal to restrict the collection of screen names that do not enable contact with the child, but at the same time, contain a recommendation that general interest websites age-screen all users. As COPPA is the primary statute affording FTC specific regulatory authority over the use of online personally identifiable information, these further proposed rule changes could have broader ramifications. Comments on these further proposed definitional changes must be filed by Sept. 10, 2012.

COPPA is intended to provide notice to parents and secure verifiable parental consent prior to the collection of personal information from children under the age of 13. Because it was first enacted in 1998, and the FTC first adopted implementing rules in 1999, the rules have been due for updating for some time. The FTC thus issued a notice of proposed rulemaking covering five different areas: 1) the rule’s definitions, including what children’s “personal information” is covered, and what it means to “collect” it; 2) parental notice; 3) new parental consent mechanisms; 4) confidentiality and security requirements; and 5) the “safe harbor” for how self-regulatory programs can be deemed “in compliance” with COPPA. The FTC also considered broadening the scope of COPPA to include teenagers, but ultimately decided to retain its applicability to only children under the age of 13. Now, after having reviewed 350 comments filed on last year’s proposal, the FTC proposed modifications to the COPPA rules’ operational definitions. The primary proposals are summarized below.

“Personal Information”
Among the most significant potential changes in this rulemaking is a proposal to expand the definition of “personal information,” the collection of which animates COPPA and its implementing rules, and the Supplemental Notice continues this process. First, in its September rulemaking notice, the FTC proposed to treat children’s screen or user names as “personal information” requiring parental notice and consent, when used for more than one website or online service. Commenters noting that screen or user names are often used to avoid collection of personal information, while permitting children to transition seamlessly between devices or platforms, persuaded the FTC to reconsider. The Supplemental Notice thus proposes to modify the definition of “personal information” to include screen or user names, but only when they function “in the same manner as online contact information,” for example, as an email address that permits direct contact with the child.

Separately, the Supplemental Notice proposes to clarify the definition of “persistent identifiers” that are considered “personal information.” In September, the FTC proposed to include “persistent identifiers” such as IP addresses, unique device identifiers and customer numbers held in cookies, if used in any way other than “support for the internal operations” of a website or online service. This was a significant expansion of the definition, and thus of what the COPPA rules would cover.

Reacting to comments that this change would target information that identifies devices and not necessarily individuals, and that the phrase “support for internal operations” is vague, the Supplemental Notice proposes that, to be considered personal information, a “persistent identifier” must be something that “can be used to recognize a user over time, or across different websites or online services.” It also offers a definition for the “internal operations” exception so that it includes—but is limited to—steps necessary to permit user authentication, improve site navigation, maintain user preferences, serve contextual ads, and protect against fraud or theft. While these supplemental proposals mitigate somewhat the potential changes to the “personal information” definition, the overall proposed change, if adopted, would still be a considerable expansion of the rules.

The COPPA definition for “operators” of websites or online services directed to children determines who must give notice and obtain parental consent when children’s personal information is collected. Currently, it focuses on anyone “who operates a website . . . or an online service and who collects or maintains personal information from or about the users of visitors to such website or online service.” The Supplemental Notice reflects that many website operators may not themselves collect personal information, but rather integrate social networking or other plug-ins into their sites, which plug-ins do collect personal information.

Based on this, and on the notion that operators of child-directed websites benefit from such plug-ins via increased content, functionality, and/or ad revenue, the FTC proposes to modify the definition to include operators of websites where personal information is collected or maintained on behalf of an operator, and “in the interest of, as a representative for, or for the benefit of” the operator. If adopted, this definitional change will mean operators of child-directed sites or services that choose to integrate services of others that collect personal information from visitors would  be subject to the parental notice and consent requirements applicable to a covered “operator” under the COPPA Rule.

“Website or Online Service Directed to Children”
The Supplemental Notice offers two modifications to changes in the definition of “website or online service directed to children” as proposed last year. First, in a departure from the original proposal that contemplated a form of strict liability for COPPA’s notice and consent requirements, the modified definition would reach the operators of ad networks or other downloadable plug-ins only if they “know or have reason to know” that they are collecting personal information through a site directed to children. This reflects the FTC’s acknowledgement of comments pointing out that many ad networks and social network plug-ins are incorporated into websites without their knowledge. The FTC notes, however, that “such sites and services will not be free to ignore credible information brought to their attention indicating” that the collection of children’s personally identifiable information is occurring.

In addition, as to websites and online services directed to children and their families, the FTC proposes to further modify the definition of “website or online service directed to children” to mean sites that knowingly target or attract children under age 13 as their “primary” audience, or sites that attract “a disproportionately large percentage of children under age 13.” Under this approach, the latter (“mixed use” sites) will not be deemed as being directed to children if they do not collect personal information from any user prior to obtaining parental consent from “visitors who identify themselves as under age 13.” This would avoid unduly burdening website operators by requiring them to treat all users as children for notice and consent purposes for sites directed to adults and children alike.

The net effect of these further revisions would be that sites and services at the far end of the “child-directed” continuum—i.e., those that knowingly target, or have content likely to draw, children under 13 as their primary audience—must still treat all users as children, and provide notice and obtain consent before collecting personal information. Conversely, sites and services with child-oriented content that target mixed audiences, where children under 13 are likely to be an over-represented group, will not be “directed to children” if, prior to collecting any personal information, they age-screen all users. At that point, for users who identify themselves as under 13, the site or service will have actual notice and must obtain appropriate parental consent before collecting personal information from them, and comply with all other aspects of the Rule. In proposing this change, the FTC acknowledged that children sometimes misrepresent their ages to access websites they wish to visit, but implicit in that acknowledgement is that there is no practical way to overcome this while still having a workable COPPA rule.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Written by:

Davis Wright Tremaine LLP

Davis Wright Tremaine LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.