The Children’s Online Privacy Protection Act grows up
FTC makes changes in light of a new world of web technologies
September 23, 2012 at 08:00 PM
6 minute read
Under the Federal Trade Commission's (FTC) requirements implementing the Children's Online Privacy Protection Act (COPPA), websites and services directed at children must obtain verifiable parental consent to the collection of personal information from children.
The rules took effect in 2000, and upon conclusion of a review it launched in April 2005, the FTC decided not to change them.
But what it means to be “online” has changed drastically since the late 1990s when the FTC drafted COPPA definitions. Facebook didn't yet exist, for example—now it's hard to find a website that doesn't offer an easy link to share something on Facebook, Twitter or other social-networking sites. PDAs and flip-phones have given way to a new generation of easy-to-use touchscreen smartphones and the attendant mobile applications.
“[In the late 1990s], you could not engage in the same sort of networking or enjoy the same sort of interactive functionality, and you certainly couldn't be uploading and sharing as much content and information as you can today,” says Adam Thierer, senior research fellow in the technology policy program at the Mercatus Center at George Mason University.
So in 2010, the commission launched an accelerated review of the rule, put out a call for public comment and in September 2011 published several proposed changes to the rule. The Aug. 6 supplemental notice of proposed rulemaking is the FTC's response to the more than 350 comments the commission received on last year's notice of proposed rulemaking. It took comments on the new proposal until Sept. 10.
“The new realities on the ground dictated that we had to rethink how COPPA applied, and here the FTC essentially undertook an effort to tweak the law to keep it in tune with those new realities … by redefining some rather important terms,” Thierer says.
Plugging In
For instance, the FTC now proposes some changes to clarify how COPPA applies to third-party features that may collect information, such as social-media plug-ins and advertising networks.
“For the original rule, nobody ever thought you'd go to a website and start saying whether you like it or not and send that information to Facebook,” says Barry Cutler, of counsel at Baker Hostetler and former director of the FTC's Bureau of Consumer Protection. “If you're going to get adequate compliance and protect children, you have to expand the definition to people who are getting the information, not just the people who are operating the website.”
The FTC proposes that if a site or service directed to a child integrates into its content social-networking plug-ins or other features that collect personal information, the site or service itself is considered to collect personal information—and thus is subject to COPPA requirements—because the information is collected “on its behalf,” and it benefits from the related content, functionality and/or advertising revenue. The site or services itself are in the best position to know whether it is child-directed and what sort of third-party services it integrates, the FTC notes.
Further, the FTC proposes that a website or online service considered to be “directed to children” encompasses any operator that “knows or has reason to know” it is collecting personal information through a website or online service directed to children.
The supplemental Notice of Proposed Rule Making (NPRM) specifies that in using a “reason to know” standard, the FTC is not imposing a duty on third parties such as ad networks or plug-ins to proactively investigate whether their services are incorporated into websites and services directed at children. However, the FTC says, third parties “will not be free to ignore credible information brought to their attention indicating that such is the case.”
In the ecosystem of mobile apps, these new definitions create a huge conundrum and could lead app stores to steer clear of curating children-directed apps, says Morgan Reed, executive director of the Association for Competitive Technology (ACT), an advocacy group that represents more than 3,000 small and mid-size app developers and IT firms.
“This puts application stores or platforms at risk of being liable under COPPA for receiving and managing verifiable parental consent for every single application that they have 'reason to know' might be directed at children,” Reed says.
Target Audiences
The FTC has also updated its definition of websites that are “directed at children.”
The supplemental NPRM recognizes that websites and services directed at children “fall along a continuum, targeting or appealing to children in varying degrees” and proposes that COPPA rules encompass websites and services that target children under age 13 or are likely to attract children under age 13 as their primary audience. Such websites will still have to treat all users as children and obtain consent before collecting any personal information.
However, websites and services with a mixed audience that might appeal to an audience of which “a disproportionately large percentage” is under age 13 will not be considered child-directed if they first take the affirmative step of age-screening all users. Such mixed-audience sites would only have to obtain verifiable parental consent for users under age 13 for the collection, use or disclosure of personal information. The proposed standard makes things “a little less burdensome” for mixed-audience sites, Cutler says.
New Information
The NPRM also expands and clarifies how the FTC will define “personal information” for COPPA purposes. Previously, COPPA covered traditional information—name, address, email, telephone number and Social Security number, for instance. The FTC now proposes that personal information include screen names and user names that enable online contact and thus rise to the level of “online contact information.” The NPRM also clarifies the definition of a category of personal information called “persistent identifiers” as information that “can be used to recognize a user over time” and across websites and services, such as cookies, IP addresses, serial numbers or device numbers.
In response to industry concerns, the FTC proposes to allow the collection of persistent identifiers to support websites and services' “internal operations” without verifiable parental consent, which would apply to uses such as site analytics, user authentication, user preference maintenance, contextual advertising and fraud prevention. Such collection would be permitted as long as the information is not used to contact a specific individual, including behaviorally targeted advertising.
Reed says a classic example that the FTC took to heart in crafting the revisions was an ACT member who created an app to help autistic children communicate with an iPad. Under the proposal, it's clear that she can collect information and use analytics tools to improve predictive text functionality, for instance.
“The FTC is recognizing those innovative, imaginative uses for these devices and trying to get that squeezed into that bigger-picture view they've had for a while,” Reed says.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Senators Grill Visa, Mastercard Execs on Alleged Anticompetitive Practices, Fees
Trump's SEC Likely to Halt 'Off-Channel' Texting Probe That's Led to Billions in Fines
Trump Likely to Keep Up Antitrust Enforcement, but Dial Back the Antagonism
5 minute read
FTC Sues Cash-Advance Fintech Dave, Says It Deceives the 'Financially Vulnerable'
Trending Stories
- 1Gibson Dunn Sued By Crypto Client After Lateral Hire Causes Conflict of Interest
- 2Trump's Solicitor General Expected to 'Flip' Prelogar's Positions at Supreme Court
- 3Pharmacy Lawyers See Promise in NY Regulator's Curbs on PBM Industry
- 4Outgoing USPTO Director Kathi Vidal: ‘We All Want the Country to Be in a Better Place’
- 5Supreme Court Will Review Constitutionality Of FCC's Universal Service Fund
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
