Article by Justine Gottshall and Shannon Harell
Federal Trade Commission (“FTC”) released a Federal Register notice (“Notice”) seeking public comments on additional proposed revisions to the Children’s Online Privacy Protection Act Rule (“COPPA Rule”).
As we blogged in September 2011, the FTC initially issued proposed revisions to the COPPA Rule and requested comments on September 15, 2011 (“2011 Notice”).
The FTC issued the new Notice based on the comments it received in response to the 2011 Notice and stated that, with the new Notice, it “intend[s] to clarify the scope of the [COPPA] Rule and strengthen its protections for children’s personal information.”
To accomplish this, the Notice proposes to revise the definition of “operator” and proposes further modifications to the proposed definitions of “personal information,” “support for internal operations” and “website or online service directed to children.”
Note that the Notice does not indicate the FTC’s final position on many of the proposed revisions put forth in the 2011 Notice, but written comments should be limited to the new modifications the FTC sets forth in the Notice and respond to the questions set forth in the last section of the Notice. Written comments must be received on or before September 10, 2012.
Overview of Proposed Revisions
In in-depth analysis of each proposed revision follows, but as a summary, the changes put forth by the FTC in most cases add welcome clarity for operators of websites and online services (“websites”). The proposed modifications to the definitions of "operator" and "website or online service directed to children" address commenters’ concerns related to the use of third party advertising networks and downloadable software kits, or plug ins, that collect personal information through child-directed websites.
When it was originally drafted, the COPPA Rule did not anticipate such technologies, but with revisions to the definition of “operator” the FTC hopes to make clear that the operator of a child directed site that integrates such services would still be considered an operator under the COPPA Rule. According to commenters, this was unclear under revisions proposed in the 2011 Notice.
In other words, under the definition in the new Notice, “both the child-directed site or service and the information-collecting site or service are responsible as covered co-operators.”
Likewise, the proposed modification of the definition of "website or online service directed to children" is intended to: (i) clarify that third parties offering such technologies (i.e. ad networks and plug ins) will be covered by the COPPA Rule whenever they know or have reason to know that their service is collecting information through a child-directed website ; (ii) address commenters’ concerns that some so-called children’s websites contain content that appeals to wider audiences; and (iii) “clarify that those child-directed sites or services that knowingly target children younger than age 13 as their primary audience or whose overall content is likely to attract children younger than age 13 as their primary audience must still treat all users as children.”
The FTC also proposed revisions to the definitions of “personal information” in two ways. First, the FTC proposed a revision to the inclusion of screen names in the definition of personal information as it was originally drafted in the 2011 Notice. The new revision would make clear that screen names are included in the definition of personal information to the extent that the screen name functions in the same manner as online contact information.
Second, the FTC proposed a revision to make clear that a “persistent identifier” will only be considered personal information “where it can be used to recognize a user over time, or across different sites or services, where it is used for purposes other than support for internal operations.” In connection with this revision, the FTC also proposed a revision to the definition of "support for internal operations” to explicitly list the types of activities that would qualify as “support for internal operations.”
Revision of “Operator”
Proposed Revision: Personal information is collected or maintained on behalf of an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator. Advocacy groups were concerned that providers could escape liability under the COPPA Rule, even as it would be revised under the 2011 Notice, because they do not have access to or own the information collected on their behalf through technologies like advertising networks and plug-ins.
Given the widespread integration of such features, including in connection with social networking sites, the FTC heeded the concerns of these commenters and suggested the revision set forth above. The proposed revision provides that a provider of a child-directed website that integrates such information collecting technologies into its website should be considered an “operator” under the COPPA Rule because such information is collected on its behalf.
The FTC explained: “Although the child-directed site or service does not own, control, or have access to the information collected, the personal information is collected on its behalf. The child-directed site or service benefits from its use of integrated services that collect personal information because the services provide the site with content, functionality, and/or advertising revenue [and it is in] the best position to know that its site or service is directed to children and can control which plug-ins, software downloads, or advertising networks it integrates into its site.”
Potential Impact: If this updated definition becomes part of the final COPPA Rule, websites will need to ensure that any third party that collects information through a site obtains prior parental permission or otherwise complies with COPPA. Websites will be equally responsible for the activities of third parties that have access to children through their websites.
Revision of Website or Online Service Directed to Children
Proposed Revision: Website or online service directed to children means a commercial website or online service, or portion thereof, that: a) knowingly targets children under age 13 as its primary audience; or, b) based on the overall content of the website or online service, is likely to attract children under age 13 as its primary audience; or, c) based on the overall content of the website or online service, is likely to attract an audience that includes a disproportionately large percentage of children under age 13 as compared to the percentage of such children in the general population; provided however that such website or online service shall not be deemed to be directed to children if it: (i) does not collect personal information from any visitor prior to collecting age information; and (ii) prevents the collection, use, or disclosure of personal information from visitors who identify themselves as under age 13 without first obtaining verifiable parental consent; d) knows or has reason to know that it is collecting personal information through any website or online service covered under paragraphs (a)-(c). The purpose of the revisions of this definition is two-fold:
First, with respect to Sections (a) – (c), the FTC aimed to address concerns that websites exist on a continuum. Some sites are directly entirely toward children whereas some appeal to a wider audience, e.g. the children’s parents. Under the current COPPA Rule, websites that appeal to children must treat all visitors as under 13 years of age.
The proposed revision aims to allow such “mixed audience websites” the ability to screen all visitors in order to provide COPPA's protections only to users under age 13.
Not only does this revision reflect the concern of commenters such as the Walt Disney Corporation, but it reflects the FTC’s enforcement strategy for COPPA violations it has prosecuted. In past prosecutions, the FTC “has charged sites or services with being directed to children only where [it] believed that children under age 13 were the primary audience.”
On the other hand, if the website had wider appeal or merely attracted users under the age of 13, the FTC would allege that the operator had “actual knowledge” of collecting information from users under 13. With the new revisions, only those websites that “knowingly target” or “have content likely to draw” children under 13 as their “primary audience” must still treat all users as under the age of 13 and comply with the COPPA Rule’s notice and consent provisions.
Mixed audience sites will not be deemed “directed to children” if they age screen all users prior to collecting information. Then, the operator will be deemed to have “actual knowledge” for those children who self-identify as younger than age 13 and, at that point, the operator must comply with the requirements of the COPPA Rule for those users only.
In addition, with respect to the revision of Section (d), the FTC intended to address concerns that entities that do not knowingly target children, such as analytics services and advertising networks, should not be obliged to comply with the COPPA Rule’s notice and consent provisions. As currently drafted, there is strict liability under the COPPA Rule. Based on its belief that a strict liability standard is not “workable” for the types of entities just described, the FTC modified Section (d) to include “know or has reason to know” to limit the liability of such entities.
Potential Impact: This is likely to be welcome news for many website operators, as many websites and online services include elements that may attract children but also clearly appeal to a wider audience (teenagers and parents). However, it is essential that websites who will rely on this new definition, if it becomes final, take steps to ensure that they are age-screening appropriately and effectively for each and every collection of information on their sites.
Revisions to “Personal Information”
The new proposed revision to the definition of “personal information” contains three distinct updates: revisions to the meanings of screen name, persistent identifier and support for internal operations.
Proposed Revision 1: Personal information means individually identifiable information about an individual collected online, including... A screen or user name where it functions in the same manner as online contact information, as defined in this Section; Several commenters noted that the proposed inclusion of screen names in the definition of personal information in the 2011 Notice would prevent operators from completing necessary functions on their websites.
For example, several commenters noted that their websites use screen names in place of children’s real names to limit the collection of personal information from children—the inclusion of screen names as set forth in the 2011 Notice would prevent this. Proposed Revision 1 was offered by the FTC in response to this concern.
Potential Impact: If this updated definition becomes part of the final COPPA Rule, websites will continue to be able to use screen name to identify users who post a comment to a message board or similar public forum on a website, so long as the screen name does not function as a method to contact the user (e.g., there is no direct messaging feature).
Proposed Revision 2: Personal information means individually identifiable information about an individual collected online, including: ...(g) A persistent identifier that can be used to recognize a user over time, or across different websites or online services, where such persistent identifier is used for functions other than or in addition to support for the internal operations of the website or online service. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier.
Proposed Revision 3: Support for the internal operations of the website or online service means those activities necessary to: (a) maintain or analyze the functioning of the website or online service; (b) perform network communications; (c) authenticate users of, or personalize the content on, the website or online service; (d) serve contextual advertising on the website or online service; (e) protect the security or integrity of the user, website, or online service; or (f) fulfill a request of a child as permitted by §§ 312.5(c)(3) and (4); so long as the information collected for the activities listed in (a)-(f) is not used or disclosed to contact a specific individual or for any other purpose.
Proposed Revisions 2 and 3 are intended to address the concerns about the confusion caused by having two different sub-definitions dealing with persistent identifiers and provide more specificity to the types of activities that will be considered support for internal operations, respectively.
Potential Impact: These proposed updates significantly lessen the potential impact on websites, which automatically (and without option) collect IP address and other unique identifiers. Most websites will fall under the exceptions laid out for “internal use” and will not need prior parental consent in order to allow children access to the website.
However, it also appears that website analytics will be acceptable so long as the third party agrees it is only collecting the site usage information on behalf of the web site and will not use it for any other purpose or to create a profile based on an IP address or other unique identifier.
Cross-posted from InfoLawGroup