The amendments to the rule implementing COPPA have been met with varying degrees of celebration, skepticism, disappointment and confusion. The amendments change all aspects of the rule, though some to a greater degree than others. While a full understanding of the impact of the amendments will likely have to wait until we see how they are enforced, a review of the amendments is, nonetheless, helpful in preparing for the July 1, 2013 effective date of the amended rule.
Adopted in December by the Federal Trade Commission (FTC), to keep up with changing technology, the amendments were designed to "strike the right balance between protecting innovation that will provide rich and engaging content for children, and ensuring that parents are informed and involved in their children’s online activities," according to FTC Chairman Jon Leibowitz, who has since announced his intention to resign effective mid-February. (Read the text of the Federal Register notice.)
COPPA was enacted in 1998 for the purpose of protecting the online privacy of children, and mandated the creation of rules for that purpose (the "COPPA Rule" or "Rule"). The most significant provisions in the COPPA Rule required operators of websites or online services to give notice to parents and get their verifiable consent before collecting, using or disclosing personal information from children when either (a) the website or online service is directed to children who are younger than 13 years of age, or (b) when operators of websites or online services have actual knowledge that they are collecting personal information from children younger than 13. The COPPA Rule also prohibits conditioning children’s participation in online activities on the collection of more personal information than is reasonably necessary for them to participate, and contains a “safe harbor” provision that allows industry groups or others to seek FTC approval of self-regulatory guidelines.
What has been and remains the case is that if an operator collects information that reveals a user’s age (birth dates, for instance), the COPPA Rule applies if the operator collects information from anyone who has indicated their age to be 12 or younger. Of course, such sites can also avoid COPPA (if they are not otherwise deemed to be directed to kids) by bouncing anyone who has indicated themselves to be 12 or younger.
The amended COPPA Rule has expanded the definition of operators under the Rule to include "sites or services that target children only as a secondary audience or to a lesser degree," which some commentators view as meaning the Rule now more clearly applies to ad networks or application plug-ins which provide services to websites dealing with kids.
The FTC has stated that its intention is not to expand the reach of sites covered under COPPA, but rather to "create a new compliance option for a subset of websites and online services already considered directed to children under the Rule’s totality of circumstances standard." There remains some potential for confusion because of the new definition, which discusses sites "directed to children" but that do not target children as their "primary audience." Historically, the FTC has brought COPPA enforcement actions against operators who have actual knowledge that they are collecting information from children or against operators of sites clearly aimed at children. The new language adds an element of ambiguity with respect to which operators should consider themselves covered by the COPPA Rule.
Before the amendments to the COPPA Rule, "Personal Information" included:
- a first and last name
- a physical address
- an email or instant messaging address
- a telephone number
- a Social Security number
- a persistent identifier or a combination of information that allows contacting or information concerning a child or his parents that the operator collects online and combines with a persistent identifier
Now, "Personal Information" also includes:
- photos, videos or audio files that contain the child’s image or voice
- geolocation information
- persistent identifiers used to "recognize a user over time and across different websites or online services"
An important caveat has been added to the Rule with respect to the persistent identifiers. Such identifiers are considered personal information only to the extent they are not used to support the internal operations of the site or service. The FTC’s intention is that sites using tracking tools to follow children across websites for behavioral advertising purposes will fall under the COPPA Rule because of that activity; sites using the same tools to track users, including children, for the purpose of effectively providing their own services — including offering advertising content based on the user’s activity within the site — will not.
The practical difference between whether tracking activity will or will not fall under COPPA is the difference between what has become known as "contextual advertising" as compared with "behavioral advertising." Contextual advertising, deemed not the collection of personal information under COPPA, provides ad content to users based on the site visited (e.g., if you are on a car enthusiast site, you will be presented with advertisements for sports cars). Behavioral advertising, deemed to qualify as the collection of personal information under COPPA, provides ad content based on the tracking of a user’s Internet browsing activity (e.g., if you run a search for mortgage interest rates, you might be presented with ads for mortgage or home refinancing offers when you visit unrelated sites the next day). The FTC makes clear in its comments in the Federal Register that it is specifically addressing behavioral advertising with the amendments.
Parental Notice and Consent
The amendments to the Rule require a notice aimed at making it easier for parents to get the most important details about the information being collected. The notice must include:
- what information has already been collected
- the purpose of the notice
- actions the parents must take
- description of how the information will be used
- a hyperlink to the website privacy notice
Further, in addition to the already approved methods of obtaining consent, operators can now use:
- "scan and send" forms
- video conferencing consent
- government-issued identification
- alternative payment systems as long as they meet certain criteria
To encourage the development of new consent methods, the FTC has established a voluntary 120-day notice and comment process so parties can seek approval of a particular consent method. Operators participating in a FTC-approved safe-harbor program may use any consent method approved by the program.