On September 15, the Federal Trade Commission released the changes it is proposing to make to the Children’s Online Privacy Protection Rule (required by the Children’s Online Privacy Protection Act, or COPPA). The Rule has been in effect since 2000. To address technological developments in the last decade, the FTC is recommending a number of changes.
Two of the proposed changes are likely to be of most concern to businesses whose websites may be visited by children.
“Personal information” now includes “persistent identifiers.” The FTC proposes to expand the definition of “personal information” to include “persistent identifiers” (cookies, IP addresses, and other tracking mechanisms) that are used for any purpose other than “support for the internal operations of the website,” even if they are never matched with a name, email address, or other personal information about a child. The FTC’s proposed language would permit operators, without parental consent, to use persistent identifiers for purposes such as “user authentication, improving site navigation, maintaining user preferences, serving contextual advertisements, and protecting against fraud or theft.” Prior parental consent would be required, however, before an operator uses persistent identifiers for purposes such as “amassing data on a child’s online activities or behaviorally targeting advertising to the child.” In addition, the proposal would define as “personal information” any data that “links the activities of a child across different websites or online services.”
This change is significant because, under the existing Rule, persistent identifiers are “personal information” only when they are associated with individually identifiable information. If no such information is collected from the user, the Rule is not triggered, because there is nothing for the persistent identifier to be associated with. An operator can therefore control its collection of personal information from children by not asking for it at all, by screening out underage users, or by obtaining parental consent at the point of collection. Under the proposed Rule, by contrast, an operator using persistent identifiers would be collecting personal information the moment a visitor enters the site, because cookies and similar identifiers are set and read in the background without any affirmative action by the user. There would be no opportunity to screen the user or obtain parental consent before collection occurs. That is precisely the FTC’s concern, but how sites can comply with COPPA without abandoning such identifiers for all users remains to be seen.
No more consent via email. The FTC also proposes to eliminate the most popular method of parental consent, known as “email plus.” Currently, operators that use children’s personal information only for internal purposes can obtain parental consent by email coupled with a second step, such as a second confirmatory email. The FTC is concerned, however, that a child can easily supply his or her own address or set up a fake email account to “consent” on the parent’s behalf, and that the availability of email plus has hindered the development of new parental consent methods. The FTC proposes to expand the list of permissible consent methods to include electronic scans of signed consent forms, video-conferencing, and checking a form of government-issued identification, such as a driver’s license number or the last four digits of a Social Security number, against databases of such information (provided that the operator promptly deletes the identification once verification is complete). Still, all of the approved methods require significantly more time, effort, and human intervention than email plus and thus will increase COPPA compliance burdens.
Other important changes
In addition to the major changes above, the FTC proposes several lower-profile changes that may nevertheless have widespread impact.
- Additional changes to the definition of “personal information.” The FTC proposes adding photos, videos, and audio files that contain a child’s voice or image to the definition of personal information. Previously only photos were included, and only if they were combined with other information such that the combination permitted physical or online contact. Geolocation data and screen names (when used for more than functionality within a single service) would also be considered personal information under the proposed amendments. The proposal also spells out that all identifiers that permit direct contact with a user (such as chat identifiers and VoIP screen names) are “online contact information” covered by the Rule.
- Changes to the definition of “collection.” The FTC proposes to change the definition of “collection” to permit children to participate in online communities without parental consent provided the operator takes “reasonable measures” to delete “all or virtually all” personal information before it becomes public. The Rule currently requires that all information be deleted, a high standard that operators claimed prevented the use of automated technologies and discouraged the operation of interactive options for children entirely. The changes also clarify that the Rule applies when personal information is “prompted or encouraged,” not just when it is required.
- Changes to the online notice. The FTC proposes to rewrite the section describing the required online notice to parents. The FTC claims that it has streamlined the requirements for the online notice by moving to a “simple” statement of: (1) what information the operator collects from children, including whether the website or online service enables a child to make personal information publicly available; (2) how the operator uses such information; and (3) the operator’s disclosure practices for such information. However, this does not appear to be significantly simpler than the previous requirement. Moreover, the current Rule requires only that operators disclose the “personal information” collected, whereas the proposed language appears to apply to any information. While this has the potential to be a significant change, it is not clear that it is intentional: the explanation of the changes to this section makes no reference to it, and the proposed direct notice provisions would still require only that parents be told what “personal information” is collected. The FTC also proposes that contact information be provided for all operators of a website (rather than just one).
- Security requirements. Operators would be required to take reasonable measures to ensure that service providers and other third parties receiving children’s personal information have reasonable procedures in place to protect its confidentiality, security, and integrity, and operators would have to delete the information when it is no longer needed. These requirements are similar to those the FTC has encouraged in other contexts.
- Alternative methods of consent. The FTC proposes a new process whereby companies can get formal approval to use an alternative method of consent not specifically listed in the rule.
Finally, the FTC proposes a number of other changes to the nuts and bolts of COPPA compliance.
- The direct notice to parents must include specific content in addition to containing a link to the online notice, where currently a link may be provided in lieu of most of the required content.
- Under the exception permitting multiple contacts with a child, operators would no longer be able to collect a parent’s postal address for the purpose of notifying the parent of the collection of the child’s information; the FTC considers postal notice outmoded, and it is not used for any other notice under the Rule.
- A new exception to parental consent is added to permit the collection of parents’ online contact information to notify them about their child’s participation in a site that otherwise does not collect personal information from the child. The parent must be sent a notice of the site’s online privacy practices and the information cannot be used for any other purpose.
- As noted above, new approved verification methods have been added, including scanning, video conferencing, and collection of a government identifier (driver’s license or partial social security number), which is verified against a database and then deleted.
- The FTC also proposes to strengthen safe harbor programs by requiring more information initially from applicants regarding their ability to run an effective program, more rigorous oversight of members of approved programs, and annual audits.
Those interested in commenting on the proposed changes may file their comments online by November 28, 2011.