FTC Issues COPPA Supplemental Notice Amending Previously Proposed Rule

• clarification by the FTC that the COPPA Rule applies not only to websites, but also to other technologies that can be considered “online services,” such as mobile apps, network-connected games, and some text messages;

• a more expansive definition of “personal information” to include IP addresses, customer numbers held in cookies, device identifiers, the linking of information across websites, and geolocation information — all of which may impact companies’ behavioral advertising activities;

• streamlining and clarifying the notices that operators must provide to parents about their information collection practices;

• changing the existing parental consent mechanism by removing the popular “email plus” verification method and adding several new methods;

• enhancing security provisions and requiring operators to ensure that third-party service providers to whom an operator discloses a child’s personal information have reasonable privacy and security procedures in place; and

• changing the existing COPPA Safe Harbor program to require “safe harbor programs” to exercise more oversight.

A blog post describing these proposed changes in more depth can be found here.

In today’s supplemental notice, the FTC proposes further changes to various defined terms taking into account comments received in the proceeding to date and the FTC’s experience in enforcing the COPPA Rule. The FTC proposes changes to the following defined terms, as described in more detail below:
 

• "operator" – to extend the application of the COPPA rule to website plug-ins and ad networks and websites/online services that use them

• “personal information” – (i) to include the addition of a definition for “support for internal operations” that clarifies a proposed exception for an operator’s use of persistent identifiers; and (ii) to permit use of screen names that do not rise to the level of an identifier that permits direct contact with a person online

• “website or online service directed to children” – to clarify the COPPA Rule’s applicability to websites that may be appealing to children, but that also have a broader audience

Proposed Definition of “Operator” Applies to Plug-ins and Ad Network

The most significant new proposal is the FTC’s expansion of the definition of “operator.”  The proposed additions to the definition of “operator” apply to websites or online services that are directed to children and which use plug-ins (e.g., Facebook’s “Like” button) or advertising networks.  In addition, changes to the definition would render plug-ins or advertising networks directly subject to the rule in some circumstances.

As to websites and applications, the proposed rule states that “[p]ersonal information is collected or maintained on behalf of an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator.”  For the rule to apply, these services must be collecting personal information (as defined under the COPPA Rule, which includes persistent identifiers used for tracking purposes).  The FTC indicates that most of these types of services would be deemed for the benefit of the websites in which they are integrated as they provide the website or online service with content, functionality, and/or advertising revenue.  If a website or online service directed to children chooses to integrate these third-party services, it will be considered an operator and will be subject to the COPPA Rule.  In sum, this would mean that a website or online service directed at children which does not itself collect personal information, but otherwise integrates a social networking plug-in into its website, would potentially be subject to all of the COPPA Rule’s provisions.

As to the providers of social networking plug-ins and network advertising companies themselves, they would also fit into the definition of operators and could be required to comply with the COPPA Rules.  However the FTC’s proposal would require operators to have knowledge that they are collecting personal information from children under the age of 13.  Therefore, if a network advertising company did not know or have reason to know that it was collecting personal information from children on a website or online service that is likely to attract children, it would not be subject to the COPPA Rule.  As the FTC states:

"[The FTC] is not imposing a duty on entities such as ad-networks or plug-ins to monitor or investigate whether their services are incorporated into child-directed properties; however such sites and services will not be free to ignore credible information brought to their attention indicating that such is the case."

The agency contemplates that websites and online service providers will cooperate with third-party plug-in providers and advertising networks to make sure that all parties that are considered “operators” meet their obligations to notify parents and obtain parental consent under COPPA.  However, the FTC does not offer any guidance as to how this cooperation could work or whether relying on a website’s or online service provider’s COPPA compliance efforts will be sufficient for a plug-in or ad-network to meet its COPPA compliance obligations.

Despite the FTC’s statement that it is not imposing a duty on third-party service providers, this proposed expansion of the COPPA Rule may serve to chill social networking plug-ins and the use of behavioral advertising on websites and online services directed to children.  Many providers of these services may be unwilling to take on potential liability or tailor their services as would be required to comply with the COPPA Rule.

Clarification of Definition of “Website or Online Service Directed to Children”

The FTC proposes changes to the definition of “website or online service directed to children” to clarify that a website or online service that knows (or should know) that it collects personal information from children under the age of 13 is “directed to children” and that websites and online services that are designed for both children and a broader audience do not need to treat all of their users as if they were children under the age of 13. The FTC acknowledges that websites and online services directed to children under the age of 13 fall along a continuum – some websites and online services are clearly geared toward young children, while others attract a broad range of interest from both children and adults. The proposed change would create categories where certain websites and online services would be able to distinguish between users who are under the age of 13 and other users as follows:

• Websites and online services that knowingly target children under the age of 13 or are likely to attract children under the age 13 as their primary audience will continue to have to adhere to the COPPA requirements, including receiving verifiable parental consent, for all website users.

• Websites and services that are likely to attract a disproportionally large percentage of children under the age of 13 (such as a website that appeals to both children and their families) would not be considered directed at children if the website:

  • age-screens all users prior to collecting any personal information; and

  • does not collect any personal information from users who identify themselves as being under the age of 13 prior to obtaining verifiable parental consent for those users.

The latter change would allow certain websites and online services to apply COPPA protections to some of their users while allowing users who are 13 years old or older to use the websites or online services without these added protections.

This change should provide more flexibility to websites that are geared to broader audiences. While in practice many websites already adopted this approach of age screening and only applying COPPA protections to users under the age of 13, this clarification shows that FTC has considered and approved of this approach.

Clarification that Certain “Persistent Identifiers” Are Not Personal Information

The FTC had proposed in 2011 to add “persistent identifiers” to the definition of “personal information” under the COPPA Rule. The agency provides a non-exhaustive list of persistent identifiers, including customer numbers held in cookies, IP address, processor or device serial number, and unique device identifiers. In response to numerous comments about the breadth of the definition, the currently proposed change attempts to clarify FTC’s position on when a persistent identifier would be considered personal information.

Under the proposed definition of “personal information,” a persistent identifier is considered personal information if it is “used for functions other than or in addition to support for the internal operations of the website or online service.” The FTC proposes to add a definition for “support for internal operations” to the COPPA Rule. If a persistent identifier is used for one of the following “support for internal operations” purposes, then it will not be considered personal information under COPPA:   (i) maintaining and analyzing the functioning of a website of online service; (ii) performing network communications; (iii) authenticating users of, or personalizing the content on, a website or online service; (iv) serving contextual ads on the website or online service; (v) protecting the security or integrity of user, website, or online service; and (vi) fulfilling a request of a child as permitted by COPPA.  However, the information collected for these activities cannot be used or disclosed to contact a specific individual or for any other purpose – which the FTC indicates would include the use of this persistent identifier for behaviorally-targeted advertising. The FTC hopes that this clarification will better equip websites and online service providers to understand when the collection of persistent identifiers will trigger COPPA obligations and when the collection will be considered as being support for internal operations.

Screen Name

In its 2011 proposed rule, the FTC added “screen or user names” to the definition of personal information under the COPPA Rule. Some commenters to the proposed rule were concerned that this proposal would inhibit functionality for some websites and online services directed at children – especially where websites and online services purposefully use a screen name or user name to avoid the collection of personal information from a child. The FTC now states that the proposed changes were not intended to preclude the use of screen names within a website or online service or the use of a screen name for an online service that runs on multiple platforms (e.g., to allow a child to seamlessly transition between devices or platforms using a single screen or user name). The FTC proposes to change the description of “personal information” so that screen or user names would only be considered personal information when the screen or user name rises to the level of online contact information, meaning the screen or user name functions like an email address, IM identifier, or similar identifier that permits direct contact with a person online.

Public comments on the Supplemental Notice of Proposed Rulemeaking will be accepted until September 10, 2012.

Authored by Eric Bukstein.