Last week, the FTC announced release of a significant proposal for changes to rules implementing the Children’s Online Privacy Protection Act (COPPA). COPPA, passed in 2000, provides parents control over what personal information websites may collect from children under 13 years old, largely through rules issued by the FTC. These rules spell out what web site operators must include in privacy policies, when and how to seek verifiable consent from parents, and what operators have to do to protect children’s privacy and safety online.
The Proposal follows the FTC’s review of the existing rules over the past decade, including formal consideration of changes in 2005 that resulted in a decision to retain the rules intact. Since then, FTC staff have received a number of requests in related proceedings urging it to revisit the rules. After opening up the issue again last year, the Commission received 70 comments, and heard more during a public roundtable. In issuing the Proposal last week, staff now intend to act “on an accelerated schedule,” pointing to, among other things, the “explosion in children’s use of mobile devices, [and] proliferation of online social networking and interactive gaming” which suggest new vulnerability of children to the collection of their personal information without parental consent. Reflecting concerns about this increased vulnerability, new rules would impose restrictions on the use of geo-location information or behaviorally targeting children with advertising, as well as many changes briefly summarized below.
Arguably the biggest proposed change is to the definition of “personal information,” which would include:
- Screen or usernames, even when not containing an email address, if used for anything other than a website’s internal technical operations;
- “Persistent identifiers” (cookies, IP addresses, device identifiers, et. al) even if not combined with any other personal information, if used for anything other than “internal operations” like authentication, site navigation, user preferences, contextual advertisements, or anti-fraud efforts;
- “Identifiers” that link children’s activity across different sites or services − anything used “amassing data on a child’s online activities or behaviorally targeting advertising to the child” require parental consent;
- Photographs, videos, or audio files containing a child’s image or voice − even when not combined with any other personal information; and
- Geo-location data equivalent to a physical street address or better.
The definition of “collection” would also be broadened to include “prompting, or encouraging” children to submit personal information − not just requesting that they do so. So too the scope of collection via passive tracking of children’s website use − broadened beyond only cookies or codes “linked to an individual” – too now cookies, IP addresses, or any other technical means. At the same time, to enable website and online service operators to effectively delete a child’s personal information collected inadvertently, the Proposal would relax the current “100% deletion standard” in favor of “reasonable measures” to encourage the development and use of automated filtering systems that detect and delete children’s personal information prior to posting.
Significantly, the Proposal eliminates “email plus,” a widely used method to verify parental consent through e-mail confirmations, in cases where children’s personal information will be used internally only. Operators would have two new opportunities to come up with their own solutions − on their own, or through participation in “safe harbor” programs. Specifically, operators could develop and detail a method “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent,” and send it to the FTC, which would publish the method in the Federal Register and review comments, approving or denying proposed methods after 180 days. Additionally, if existing “safe harbor” programs were to sanction any new method and certify it complies with COPPA’s consent requirements, participating members could use that method. Other changes to the rules governing parental consent delineate a few new such methods (electronically returning scanned-in forms; video conferencing sessions; and verification of parentally-supplied government-issued identification with post verification deletion of the data).
The Proposal would also:
- Add a completely new section to the current rules to formalize data retention and deletion requirements;
- Streamline and standardize both “online” and “direct” notice (reducing what must be contained in “online” notice, whilst also attempting to evolve “direct” notice into tailored “just-in-time” messages to parents; and
- Change definitions so that “personal information” could be used to support anti-fraud or information security activities without consent, and broaden “online contact information” to include any identifier permitting direct contact online.
Finally, several areas raised in public forums or comments would not be changed by the proposed rules. Despite requests from some commenters (although the majority of privacy advocates did not urge a change to COPPA’s current age threshold, but rather expressed an intent to seek protections for teens through other means), the FTC would not request Congress amend COPPA to extend protections to adolescents; require operators have constructive or implied instead of actual knowledge they are collecting from children; or to broaden COPPA’s language to mobile devices. Staff note COPPA’s current protections for children under 13 are “appropriate”; the actual knowledge standard appears to be working; and COPPA is already flexible enough to cover just about anything connected to the Internet. The Proposal has already generated considerable press coverage, and reactions to it appear strongly divisive. Web site operators that target children or collect information from them would be well-advised to read through the Proposal, and begin readying their comments before the November 28th deadline for public comments, or run the chance that Tea might not be the only thing in hot water.